1. Create an RSA key pair with gpg on CentOS7
[root@centos7 ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: secret-key
Email address: [email protected]
Comment: secret-key
You selected this USER-ID:
"secret-key (secret-key) "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key ECF5CCA0 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
pub 2048R/ECF5CCA0 2020-09-05
Key fingerprint = 9124 D56C A89C 4D20 A092 0C74 811E AE46 ECF5 CCA0
uid secret-key (secret-key) <[email protected]>
sub 2048R/AB0B687B 2020-09-05
[root@centos7 ~]# gpg --list-keys
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/ECF5CCA0 2020-09-05
uid secret-key (secret-key) <[email protected]>
sub 2048R/AB0B687B 2020-09-05
2. Export the public key from CentOS7, copy it to CentOS8, and on CentOS8 encrypt a file with it
Note: the transcript below was captured with a different key than the one generated in step 1 (uid bxlgpg, primary key ID C2248D35, 1024-bit RSA encryption subkey 8FC41BB2 rather than the 2048-bit key ECF5CCA0 above). RSA-1024 is below current minimum recommendations; use 2048 bits or more, as step 1 does.
[root@centos7 .gnupg]# gpg -a --export -o bxlgpg.pubkey
[root@centos7 .gnupg]# ll
total 32
-rw-r--r-- 1 root root 1016 Sep 5 19:47 bxlgpg.pubkey
-rw------- 1 root root 7680 Sep 5 19:42 gpg.conf
drwx------ 2 root root 6 Sep 5 19:42 private-keys-v1.d
-rw------- 1 root root 673 Sep 5 19:45 pubring.gpg
-rw------- 1 root root 673 Sep 5 19:45 pubring.gpg~
-rw------- 1 root root 600 Sep 5 19:45 random_seed
-rw------- 1 root root 1413 Sep 5 19:45 secring.gpg
srwxr-xr-x 1 root root 0 Sep 5 19:43 S.gpg-agent
-rw------- 1 root root 1280 Sep 5 19:45 trustdb.gpg
[root@centos7 .gnupg]# scp bxlgpg.pubkey 10.0.0.8:/root
[email protected]'s password:
bxlgpg.pubkey 100% 1016 436.3KB/s 00:00
[root@localhost ~]# gpg --import bxlgpg.pubkey
gpg: key 949C2C75C2248D35: public key "bxlgpg (bxlgpg) " imported
gpg: Total number processed: 1
gpg: imported: 1
[root@localhost ~]# gpg -e -r bxlgpg anaconda-ks.cfg
gpg: 9F2C8FFC8FC41BB2: There is no assurance this key belongs to the named user
sub rsa1024/9F2C8FFC8FC41BB2 2020-09-05 bxlgpg (bxlgpg) <[email protected]>
Primary key fingerprint: F3D6 64A6 579B AA86 A83B A5D0 949C 2C75 C224 8D35
Subkey fingerprint: D4B5 C357 31F2 9232 0C14 AEB1 9F2C 8FFC 8FC4 1BB2
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[root@localhost ~]# ll
total 111832
-rw-------. 1 root root 1528 Aug 6 12:54 anaconda-ks.cfg
-rw-r--r-- 1 root root 1027 Sep 5 19:58 anaconda-ks.cfg.gpg
3. Copy the encrypted file (anaconda-ks.cfg.gpg) back to the CentOS7 host and decrypt it there with CentOS7's private key
[root@localhost ~]# scp anaconda-ks.cfg.gpg 10.0.0.7:/root
[email protected]'s password:
anaconda-ks.cfg.gpg 100% 1027 726.7KB/s 00:00
[root@centos7 ~]# ll
total 116304
-rw-r--r-- 1 root root 1027 Sep 5 20:01 anaconda-ks.cfg.gpg
[root@centos7 ~]# gpg -o test -d anaconda-ks.cfg.gpg
You need a passphrase to unlock the secret key for
user: "bxlgpg (bxlgpg) "
1024-bit RSA key, ID 8FC41BB2, created 2020-09-05 (main key ID C2248D35)
gpg: encrypted with 1024-bit RSA key, ID 8FC41BB2, created 2020-09-05
"bxlgpg (bxlgpg) "
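The prompt in step 2, "There is no assurance this key belongs to the named user", is gpg saying that nothing ties the imported key to the person you think owns it. Answering y makes that decision silently; the right response is to compare the primary-key fingerprint (the "Key fingerprint =" line gpg printed on CentOS7 in step 1, read over a channel that cannot be tampered with in transit) with the fingerprint of what was imported, and encrypt only on a match. The script below is an added example, not part of the original page. It parses gpg's --with-colons listing, compares the primary fingerprint with an expected value, and only then imports and encrypts. It assumes GnuPG 2.1.14 or newer on PATH (for --import-options show-only; with the CentOS7 gpg 2.0.22 you would list the file with `gpg --with-colons --with-fingerprint KEYFILE` instead); all file names are illustrative.

```shell
#!/bin/sh
# Added example (not part of the original page): verify an imported GPG public
# key's primary fingerprint against a value obtained out of band before
# encrypting to it, instead of answering "y" to "Use this key anyway?".
# Assumptions: GnuPG >= 2.1.14 on PATH for "--import-options show-only"
# (on gpg 2.0.22, as on the CentOS7 host, list the file with
# "gpg --with-colons --with-fingerprint KEYFILE" instead); file names are
# illustrative.
set -eu

# normalize_fpr STRING : drop the spaces/colons gpg prints and upper-case,
# so "f3d6 64a6 ..." and "F3D664A6..." compare equal
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# primary_fprs_from_colons : read "gpg --with-colons" output on stdin and print
# the fingerprint of each primary key, i.e. field 10 of the fpr record that
# directly follows a pub record. fpr records after sub records are skipped:
# the warning in step 2 names the encryption subkey (9F2C8FFC8FC41BB2), but
# the identity you verify out of band is the primary key's fingerprint.
primary_fprs_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# fingerprint_matches COLON_LISTING EXPECTED : succeed only if EXPECTED is the
# primary fingerprint of a key in the listing
fingerprint_matches() {
    expected=$(normalize_fpr "$2")
    [ -n "$expected" ] || return 1
    printf '%s\n' "$1" | primary_fprs_from_colons | tr 'a-f' 'A-F' | grep -qxF "$expected"
}

# import_verified_key KEYFILE EXPECTED : import KEYFILE only if its primary
# fingerprint equals EXPECTED; otherwise refuse and leave the keyring untouched
import_verified_key() {
    listing=$(gpg --batch --with-colons --with-fingerprint \
                  --import-options show-only --import "$1" 2>/dev/null)
    if ! fingerprint_matches "$listing" "$2"; then
        echo "refusing to import $1: primary fingerprint is not $2" >&2
        return 1
    fi
    gpg --batch --import "$1"
}

# encrypt_to_verified KEYFILE EXPECTED INFILE : verify, import, then encrypt
# INFILE to that key. The recipient is the full fingerprint, and
# --trust-model always is scoped to this one invocation, because the trust
# decision was already made by the fingerprint comparison above.
encrypt_to_verified() {
    import_verified_key "$1" "$2" || return 1
    gpg --batch --trust-model always -r "$(normalize_fpr "$2")" -o "$3.gpg" -e "$3"
}

# usage: ./verify-and-encrypt.sh bxlgpg.pubkey \
#          'F3D6 64A6 579B AA86 A83B A5D0 949C 2C75 C224 8D35' anaconda-ks.cfg
if [ "$#" -eq 3 ]; then
    encrypt_to_verified "$@"
fi
```

Only the parsing and comparison functions are exercised by the check below; the gpg calls run when the script is given a key file, an expected fingerprint and a plaintext. The fingerprints in the sample listing are the ones printed in step 2 (primary C2248D35, subkey 8FC41BB2); the rest of the sample records are constructed.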
4. Create a CA with openssl on CentOS7
[root@centos7 ~]# touch /etc/pki/CA/index.txt    # certificate database: one line per issued certificate
[root@centos7 ~]# echo 0F > /etc/pki/CA/serial   # serial number to give the next certificate
[root@centos7 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial
# create the CA's private key
[root@centos7 ~]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
............................................................................+++
.....................................................+++
e is 65537 (0x10001)
# issue the root CA's self-signed certificate
[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zhengzhou
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.com
Email Address []:
5. On CentOS7, create a certificate signing request with openssl and have the root CA created above sign it
[root@centos7 ~]# mkdir /data/app
[root@centos7 data]# (umask 066;openssl genrsa -out /data/app/app.key 2048)
Generating RSA private key, 2048 bit long modulus
....................+++
.......................................................................................................................................................................................................+++
e is 65537 (0x10001)
# the requester generates a certificate signing request
[root@centos7 app]# openssl req -new -key /data/app/app.key -out /data/app/app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zhengzhou
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# the CA signs the request and issues the certificate
[root@centos7 app]# openssl ca -in /data/app/app.csr -out /etc/pki/CA/certs/app.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Sep 5 12:59:38 2020 GMT
Not After : Jun 2 12:59:38 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = zhengzhou
organizationName = magedu
organizationalUnitName = it
commonName = app.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
8D:9C:03:DE:6F:8B:88:88:D8:05:60:66:5A:A0:4F:70:F2:22:73:E5
X509v3 Authority Key Identifier:
keyid:52:10:01:45:97:FF:9F:ED:79:67:A8:37:12:D9:0F:7E:94:32:20:25
Certificate is to be certified until Jun 2 12:59:38 2023 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# inspect the issued certificate (openssl ca prepends a text dump to the PEM unless -notext is given, which is why cat shows it)
# note that the Subject lacks the L=zhengzhou entered in the request: the default policy_match section in /etc/pki/tls/openssl.cnf does not list localityName, and openssl ca drops any request field its policy does not mention
[root@centos7 app]# cat /etc/pki/CA/certs/app.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=zhengzhou, L=zhengzhou, O=magedu, OU=devops, CN=ca.com
Validity
Not Before: Sep 5 12:59:38 2020 GMT
Not After : Jun 2 12:59:38 2023 GMT
Subject: C=CN, ST=zhengzhou, O=magedu, OU=it, CN=app.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ab:be:de:1e:4b:ca:05:a7:b8:1e:d4:b8:bc:d6:
5d:e4:a8:86:0a:68:b5:13:b4:0b:4c:39:41:a5:e2:
3a:77:28:c8:6a:4e:0b:87:06:5c:a3:df:05:00:05:
5b:d8:cb:f7:db:1c:13:9d:0d:bd:08:95:26:ae:00:
55:34:26:21:c9:43:86:a0:9d:45:e7:b6:b2:aa:76:
e7:90:5d:ef:4b:b7:a1:93:de:d3:f1:0d:d4:e1:48:
5b:12:9f:86:bc:a2:de:28:cf:bf:b8:39:ba:6d:7a:
cc:dd:be:44:cc:b3:b5:fb:b5:63:c9:6c:f5:a6:20:
80:ee:95:74:89:0e:f3:2b:06:a9:ec:76:0a:12:cb:
....
6. Revoke the certificate issued above
[root@centos7 CA]# openssl ca -revoke /etc/pki/CA/newcerts/0F.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
[root@centos7 CA]# cat /etc/pki/CA/index.txt
R 230602125938Z 200905132056Z 0F unknown /C=CN/ST=zhengzhou/O=magedu/OU=it/CN=app.com
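Step 6 stops after index.txt shows the R entry, but nothing that validates app.crt learns of the revocation until the CA publishes a CRL (openssl ca -gencrl, which needs a crlnumber file next to serial) and the verifier is made to consult it. The script below is an added example, not part of the original page. It reproduces the /etc/pki/CA layout of steps 4 to 6 under a temporary directory with its own openssl.cnf (so nothing on the host is modified), issues a server certificate that carries a subjectAltName in addition to the CN, revokes it, generates the CRL, and shows that `openssl verify` still accepts the revoked certificate unless it is run with -crl_check against that CRL. It assumes openssl 1.0.2 or newer on PATH; the names example.test and app.example.test and the directory layout are illustrative.

```shell
#!/bin/sh
# Added example (not part of the original page): a self-contained CA that
# mirrors the /etc/pki/CA layout under a temporary directory with its own
# openssl.cnf, issues a server certificate with a subjectAltName, revokes it,
# publishes a CRL, and shows that a verifier only rejects the revoked
# certificate when it is told to consult the CRL.
# Assumptions: openssl 1.0.2 or newer on PATH; the names example.test and
# app.example.test and the directory layout are illustrative.
set -eu

# ca_init DIR : create the database files and config that "openssl ca" needs,
# then the CA key and self-signed root certificate
ca_init() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"          # certificate database (step 4: touch index.txt)
    echo 1000 > "$dir/serial"     # next certificate serial (step 4: echo 0F > serial)
    echo 1000 > "$dir/crlnumber"  # next CRL number; "openssl ca -gencrl" fails without it
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $dir
certs            = \$dir/certs
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/private/cakey.pem
certificate      = \$dir/cacert.pem
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any
unique_subject   = no

# Every DN field a request may carry must be listed: fields missing from the
# policy are dropped from the issued certificate (the reason L= vanished in step 5).
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ req ]
default_md         = sha256
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
        -days 3650 -subj "/C=CN/O=example/CN=Example Root CA" -out "$dir/cacert.pem"
}

# ca_issue DIR NAME DNSNAME : key and CSR for DNSNAME, then sign it with the CA.
# Extensions come from a per-request file passed with -extfile, so the CA, not
# the requester, decides what goes into the certificate (copy_extensions stays
# at its default of none).
ca_issue() {
    dir=$1; name=$2; dns=$3
    (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" \
        -subj "/C=CN/O=example/CN=$dns" -out "$dir/$name.csr"
    cat > "$dir/$name.ext" <<EOF
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$dns
EOF
    openssl ca -batch -config "$dir/openssl.cnf" -extfile "$dir/$name.ext" \
        -extensions server_cert -days 397 -notext \
        -in "$dir/$name.csr" -out "$dir/certs/$name.crt" 2>/dev/null
}

# ca_revoke DIR NAME : mark NAME revoked in index.txt (what step 6 does) and
# then publish a fresh CRL, which step 6 leaves out
ca_revoke() {
    dir=$1; name=$2
    openssl ca -config "$dir/openssl.cnf" -revoke "$dir/certs/$name.crt" \
        -crl_reason keyCompromise 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl/ca.crl" 2>/dev/null
}

# ca_verify DIR NAME [crl] : return 0 if the certificate chains to the CA; with
# "crl" the CRL is loaded alongside the CA certificate and -crl_check enforced
ca_verify() {
    dir=$1; name=$2; mode=${3:-plain}
    if [ "$mode" = crl ]; then
        cat "$dir/cacert.pem" "$dir/crl/ca.crl" > "$dir/trust-with-crl.pem"
        openssl verify -crl_check -CAfile "$dir/trust-with-crl.pem" \
            "$dir/certs/$name.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$dir/cacert.pem" "$dir/certs/$name.crt" >/dev/null 2>&1
    fi
}

# ca_demo : run the whole lifecycle in a scratch directory and report the
# three verification outcomes on one line
ca_demo() {
    root=$(mktemp -d)
    ca_init "$root" >/dev/null
    ca_issue "$root" app app.example.test >/dev/null
    issued=$(ca_verify "$root" app && echo ok || echo fail)
    ca_revoke "$root" app >/dev/null
    nocrl=$(ca_verify "$root" app && echo ok || echo fail)
    withcrl=$(ca_verify "$root" app crl && echo ok || echo revoked)
    rm -rf "$root"
    echo "issued:$issued no-crl-check:$nocrl crl-check:$withcrl"
}

ca_demo
```

The middle result is the one to remember: after `openssl ca -revoke` the certificate still verifies cleanly against cacert.pem, and it is only rejected once the CRL is generated, distributed and actually checked (or, in production, once an OCSP responder serves the revoked status).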