2020-09-06

1、在 CentOS7 中使用 gpg 创建 RSA 非对称密钥对

[root@centos7 ~]#gpg --gen-key

gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:

  (1) RSA and RSA (default)

  (2) DSA and Elgamal

  (3) DSA (sign only)

  (4) RSA (sign only)

Your selection? 1

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048)

Requested keysize is 2048 bits

Please specify how long the key should be valid.

        0 = key does not expire

        = key expires in n days

      w = key expires in n weeks

      m = key expires in n months

      y = key expires in n years

Key is valid for? (0)

Key does not expire at all

Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: centos

Email address:

Comment:

You selected this USER-ID:

    "centos"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

gpg: /root/.gnupg/trustdb.gpg: trustdb created

gpg: key C8EA44DE marked as ultimately trusted

public and secret key created and signed.

gpg: checking the trustdb

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model

gpg: depth: 0  valid:  1  signed:  0  trust: 0-, 0q, 0n, 0m, 0f, 1u

pub  2048R/C8EA44DE 2020-09-05

      Key fingerprint = 3DE2 C6AF B0B5 0D82 79F8  770C EF64 9FA5 C8EA 44DE

uid                  centos

sub  2048R/13943D46 2020-09-05

[root@centos7 ~]#ll .gnupg/

total 28

-rw------- 1 root root 7680 Sep  5 18:55 gpg.conf

drwx------ 2 root root    6 Sep  5 19:11 private-keys-v1.d

-rw------- 1 root root 1166 Sep  5 19:14 pubring.gpg

-rw------- 1 root root 1166 Sep  5 19:14 pubring.gpg~

-rw------- 1 root root  600 Sep  5 19:14 random_seed

-rw------- 1 root root 2543 Sep  5 19:14 secring.gpg

srwxr-xr-x 1 root root    0 Sep  5 19:14 S.gpg-agent

-rw------- 1 root root 1280 Sep  5 19:14 trustdb.gpg

[root@centos7 ~]#gpg --list-key

/root/.gnupg/pubring.gpg

------------------------

pub  2048R/C8EA44DE 2020-09-05

uid                  centos

sub  2048R/13943D46 2020-09-05

2、将 CentOS7 导出的公钥，拷贝到 CentOS8 中，在 CentOS8 中使用 CentOS7 的公钥加密一个文件

[root@centos7 ~]#gpg -a --export -o centos.pubkey

[root@centos7 ~]#scp centos.pubkey 10.0.0.8:/data/

[email protected]'s password:

centos.pubkey                                            100% 1683    1.4MB/s  00:00   

[root@centos8 data]#ls

centos.pubkey

[root@centos8 data]#echo linux > file.txt

[root@centos8 data]#gpg --import centos.pubkey

gpg: key EF649FA5C8EA44DE: public key "centos" imported

gpg: Total number processed: 1

gpg:              imported: 1

[root@centos8 data]#gpg --list-key

/root/.gnupg/pubring.kbx

------------------------

pub  rsa2048 2020-09-05 [SC]

      3DE2C6AFB0B50D8279F8770CEF649FA5C8EA44DE

uid          [ unknown] centos

sub  rsa2048 2020-09-05 [E]

[root@centos8 data]#gpg -e -r centos file.txt

gpg: 8314610013943D46: There is no assurance this key belongs to the named user

sub  rsa2048/8314610013943D46 2020-09-05 centos

Primary key fingerprint: 3DE2 C6AF B0B5 0D82 79F8  770C EF64 9FA5 C8EA 44DE

      Subkey fingerprint: E190 BD7D CFF2 4D26 8206  CF0E 8314 6100 1394 3D46

It is NOT certain that the key belongs to the person named

in the user ID.  If you *really* know what you are doing,

you may answer the next question with yes.

Use this key anyway? (y/N) y

[root@centos8 data]#ls

centos.pubkey  file.txt  file.txt.gpg

3、回到 CentOS7 服务器，远程拷贝 file.txt.gpg 文件到本地，使用 CentOS7的私钥解密文件

[root@centos7 ~]#scp 10.0.0.8:/data/file.txt.gpg /data/

[email protected]'s password:

file.txt.gpg                                            100%  346  225.7KB/s  00:00   

[root@centos7 data]#ls

file.txt.gpg

[root@centos7 data]#gpg -o file.txt -d file.txt.gpg

You need a passphrase to unlock the secret key for

user: "centos"

2048-bit RSA key, ID 13943D46, created 2020-09-05 (main key ID C8EA44DE)

gpg: encrypted with 2048-bit RSA key, ID 13943D46, created 2020-09-05

      "centos"

[root@centos7 data]#cat file.txt

linux

4、在 CentOS7 中使用 openssl 软件创建 CA

创建证书需要的目录和相关文件

mkdir /etc/pki/CA/certs  crl  newcerts  private

touch /etc/pki/CA/index.txt

echo 0F > /etc/pki/CA/serial

生成私钥

openssl genrsa -out private/cakey.pem 1024

#使用私钥生成自签名证书

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 888 -out /etc/pki/CA/cacert.pem

A=CN

B=bj

C=hd

D=dongwuyuanxiehui

E=anbao

F=www.anbao.org

echo -e "\n$A\n$B\n$C\n$D\n$E\n$F\n"

完成证书信息配置

5、 在 CentOS7 中使用 openssl 软件创建一个证书申请请求文件，并使用上面的跟证书对其进行签署

openssl genrsa -out /data/certs/pangzo.key 1024

给颁发证书生成私钥

echo -e "\n$A\n$B\n$C\n$D\n$E\n$F\n\n\n" |openssl req -new -key /data/certs/pangzo.key -out pangzo.csr

颁发证书通过密钥申请证书

openssl ca -in /data/certs/pangzo.csr -out /etc/pki/CA/certs/pangzo.crt -days 100

生成证书

6、吊销已经签署成功的证书

openssl ca -revoke /etc/pki/CA/ newcerts/0F.pem