Homework - Encryption, decryption and CA

1. Create an RSA asymmetric key pair with gpg on CentOS7

[root@centos7 ~]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: [email protected]
Email address: [email protected]
Comment: rsa test
You selected this USER-ID:
    "[email protected] (rsa test) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

At this point gpg is waiting for random bytes to create the key. Open a second shell window and generate disk I/O (for example with dd) until the key has been created. Note that writing zeros to disk often adds little to the kernel entropy pool on a virtual machine; /proc/sys/kernel/random/entropy_avail shows how much is available, and installing rng-tools and starting rngd is the more reliable fix.

# Switch to the new shell window
[root@centos7 ~]#dd if=/dev/zero of=/root/test bs=1024 count=10240000
10240000+0 records in
10240000+0 records out
10485760000 bytes (10 GB) copied, 41.7266 s, 251 MB/s
[root@centos7 ~]#rm -rf test

If the "key created" message still has not appeared, run the dd command above a few more times until the message below shows up.

# Back in the original shell window, check that the following has appeared
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 2F970791 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/2F970791 2020-09-06
      Key fingerprint = AFE1 3895 35D8 CEA7 D74D  7498 CB47 8780 2F97 0791
uid                  [email protected] (rsa test) <[email protected]>
sub   2048R/1EBAA141 2020-09-06

# List the newly created public key
[root@centos7 ~]#gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/2F970791 2020-09-06
uid                  [email protected] (rsa test) <[email protected]>
sub   2048R/1EBAA141 2020-09-06

# Export the new public key (ASCII-armored) to the file dawn.pubkey. Without a key ID, --export writes every public key in the keyring; add the ID (here 2F970791) to export only this one
[root@centos7 ~]#gpg -a --export -o dawn.pubkey
[root@centos7 ~]#ll
total 16
-rw-r--r--  1 root root 1735 Sep  6 10:59 dawn.pubkey

2. Copy the public key exported from CentOS7 to CentOS8, and on CentOS8 encrypt a file with CentOS7's public key

[root@centos7 ~]#scp dawn.pubkey 10.0.0.8:/root/
[email protected]'s password: 
dawn.pubkey                                         100% 1735   562.4KB/s   00:00

# Switch to CentOS8
[root@centos7 ~]#ssh 10.0.0.8
[email protected]'s password: 
Last login: Sun Sep  6 10:25:03 2020 from 10.0.0.1

# View the dawn.pubkey public key file
[root@CentOS8 ~]#ll
total 12
-rw-r--r--  1 root root 1735 Sep  6 11:03 dawn.pubkey
[root@CentOS8 ~]#cat dawn.pubkey 
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
[ASCII-armored key body omitted]
=1gv+
-----END PGP PUBLIC KEY BLOCK-----

# Import the public key dawn.pubkey
[root@CentOS8 ~]#gpg --import dawn.pubkey 
gpg: key CB4787802F970791: public key "[email protected] (rsa test) " imported
gpg: Total number processed: 1
gpg:               imported: 1

# Create the file file.txt
[root@CentOS8 ~]#echo -e "IP:`hostname -I`\nVersion:`cat /etc/redhat-release`" > file.txt
[root@CentOS8 ~]#cat file.txt
IP:10.0.0.8 
Version:CentOS Linux release 8.1.1911 (Core) 

# Encrypt file.txt with the imported public key
# Syntax: gpg -e -r <key ID> <file>   (-e encrypt, -r the recipient's public key ID, <file> the file to encrypt)
[root@CentOS8 ~]#gpg -e -r CB4787802F970791 file.txt 
gpg: 1138E1A61EBAA141: There is no assurance this key belongs to the named user
sub  rsa2048/1138E1A61EBAA141 2020-09-06 [email protected] (rsa test) <[email protected]>
 Primary key fingerprint: AFE1 3895 35D8 CEA7 D74D  7498 CB47 8780 2F97 0791
      Subkey fingerprint: 9940 DF8E 57B4 1224 25ED  1B3E 1138 E1A6 1EBA A141

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

# The warning above appears because the imported key has not been verified or trusted on CentOS8. Before answering y, compare the primary key fingerprint shown (AFE1 3895 ... 2F97 0791) with the one printed on CentOS7 when the key was generated; they match here. To get rid of the prompt, set owner trust for the key (gpg --edit-key <key ID> trust) or sign it locally (gpg --lsign-key <key ID>).
# The encrypted file is file.txt.gpg
[root@CentOS8 ~]#ll
total 20
-rw-r--r--  1 root root 1735 Sep  6 11:03 dawn.pubkey
-rw-r--r--  1 root root   59 Sep  6 11:20 file.txt
-rw-r--r--  1 root root  396 Sep  6 11:26 file.txt.gpg

3. Back on the CentOS7 server, copy file.txt.gpg over and decrypt it with CentOS7's private key

# Copy file.txt.gpg from CentOS8 to CentOS7
[root@CentOS8 ~]#scp file.txt.gpg 10.0.0.7:/root/file.txt.gpg
[email protected]'s password: 
file.txt.gpg                                 100%  396    83.4KB/s   00:00

# Switch back to CentOS7
[root@CentOS8 ~]#exit
logout
Connection to 10.0.0.8 closed.
[root@centos7 ~]#ll
total 20
-rw-r--r--  1 root root 1735 Sep  6 10:59 dawn.pubkey
-rw-r--r--  1 root root  396 Sep  6 11:32 file.txt.gpg

# Decrypt file.txt.gpg
# Syntax: gpg -o <output file> -d <file.gpg>   (-d decrypt, -o output file; gpg prompts for the passphrase of the secret key)
[root@centos7 ~]#gpg -o file.txt -d file.txt.gpg

You need a passphrase to unlock the secret key for
user: "[email protected] (rsa test) "
2048-bit RSA key, ID 1EBAA141, created 2020-09-06 (main key ID 2F970791)

gpg: encrypted with 2048-bit RSA key, ID 1EBAA141, created 2020-09-06
      "[email protected] (rsa test) "
      
# View the decrypted file
[root@centos7 ~]#ll
total 24
-rw-r--r--  1 root root 1735 Sep  6 10:59 dawn.pubkey
-rw-r--r--  1 root root   59 Sep  6 11:36 file.txt
-rw-r--r--  1 root root  396 Sep  6 11:32 file.txt.gpg
[root@centos7 ~]#cat file.txt
IP:10.0.0.8 
Version:CentOS Linux release 8.1.1911 (Core) 


# Delete the public and secret keys on CentOS7 (when a secret key exists, the secret key must be deleted first)
# Deleting the public key first fails:
[root@centos7 ~]#gpg --delete-keys dawn
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: there is a secret key for public key "dawn"!
gpg: use option "--delete-secret-keys" to delete it first.

# Delete the secret key
[root@centos7 ~]#gpg --delete-secret-keys dawn
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec  2048R/2F970791 2020-09-06 [email protected] (rsa test) <[email protected]>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

# Delete the public key
[root@centos7 ~]#gpg --delete-keys dawn
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  2048R/2F970791 2020-09-06 [email protected] (rsa test) <[email protected]>

Delete this key from the keyring? (y/N) y

# Delete the public key on CentOS8. gpg 2.2 shows the long key ID CB4787802F970791; it is the same key as 2F970791 on CentOS7, whose short ID is just the last 8 hex digits. Short IDs can collide, so prefer the long ID or the full fingerprint when selecting keys
[root@CentOS8 ~]#gpg --delete-keys dawn
gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa2048/CB4787802F970791 2020-09-06 [email protected] (rsa test) <[email protected]>

Delete this key from the keyring? (y/N) y
[root@CentOS8 ~]#rm -f dawn.pubkey file.txt file.txt.gpg 
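The workflow of sections 1 to 3, as an added example that is not part of the original page: the two hosts are simulated by two separate GNUPGHOME directories on one machine, the key pair is generated unattended, and instead of answering "y" to "Use this key anyway?" the recipient compares the fingerprint with the value obtained out of band and records owner trust for the key. Assumptions: gpg 2.1 or newer (batch key generation with %no-protection), the user ID "dawn demo <dawn@example.com>" and the sample file contents are constructed here.

```shell
#!/bin/sh
# Added example (not from the original page): the gpg workflow of sections 1-3
# run unattended. The sender (CentOS7 role) and the recipient (CentOS8 role) are
# two GNUPGHOME directories on one machine. The user ID dawn@example.com and the
# file contents are constructed for this example; gpg 2.1+ is assumed.
set -eu

# Print the fingerprint of the first key in keyring $1 (colon format, field 10).
key_fingerprint() {
    GNUPGHOME="$1" gpg --batch --with-colons --fingerprint 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Returns 0 when the fingerprint check passed, the file encrypted by the
# recipient decrypts correctly on the sender, and the recipient cannot decrypt it.
gpg_roundtrip() {
    work=$(mktemp -d)
    sender="$work/centos7"; recipient="$work/centos8"
    mkdir -m 700 "$sender" "$recipient"

    # Section 1: RSA/RSA key pair (primary key signs, subkey encrypts).
    GNUPGHOME="$sender" gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: dawn demo
Name-Comment: rsa test
Name-Email: dawn@example.com
Expire-Date: 0
%commit
EOF
    fpr=$(key_fingerprint "$sender")
    # Export only this key; without an ID --export would dump the whole keyring.
    GNUPGHOME="$sender" gpg --batch --armor --export "$fpr" > "$work/dawn.pubkey"

    # Section 2: import, verify the fingerprint against the out-of-band value
    # ($fpr here), then record owner trust so gpg does not ask "Use this key anyway?".
    GNUPGHOME="$recipient" gpg --batch --quiet --import "$work/dawn.pubkey" 2>/dev/null
    seen=$(key_fingerprint "$recipient")
    if [ -z "$fpr" ] || [ "$seen" != "$fpr" ]; then
        echo "fingerprint mismatch: expected '$fpr', keyring has '$seen'" >&2
        rm -rf "$work"; return 1
    fi
    echo "$fpr:6:" | GNUPGHOME="$recipient" gpg --batch --quiet --import-ownertrust 2>/dev/null

    printf 'IP:10.0.0.8\nVersion:CentOS Linux release 8.1.1911 (Core)\n' > "$work/file.txt"
    GNUPGHOME="$recipient" gpg --batch --yes --quiet -e -r "$fpr" \
        -o "$work/file.txt.gpg" "$work/file.txt" 2>/dev/null

    # Section 3: only the holder of the secret key can decrypt.
    rc=0
    GNUPGHOME="$sender" gpg --batch --yes --quiet -o "$work/file.dec" \
        -d "$work/file.txt.gpg" 2>/dev/null || rc=1
    cmp -s "$work/file.txt" "$work/file.dec" || rc=1
    if GNUPGHOME="$recipient" gpg --batch -d "$work/file.txt.gpg" >/dev/null 2>&1; then
        echo "the recipient keyring (public key only) must not be able to decrypt" >&2
        rc=1
    fi

    for h in "$sender" "$recipient"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    return $rc
}
```

Owner trust level 6 (ultimate) is what gpg assigned to the key on CentOS7 in section 1; on the recipient it is justified only after the fingerprint comparison, which is the step the interactive "y" in section 2 skipped. The alternative --trust-model always disables the check entirely and should be reserved for keys that were verified by other means.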

4. Create a CA with openssl on CentOS7

#1 CentOS7 ships the /etc/pki/CA directory tree. Only the database file index.txt and the serial number file serial need to be created
[root@centos7 ~]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files

[root@centos7 ~]#cd /etc/pki/CA/
[root@centos7 CA]#touch index.txt
[root@centos7 CA]#echo 0F > serial
[root@centos7 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial

4 directories, 2 files

#2 Create the CA private key, stored as private/cakey.pem (the umask keeps the file 0600; the newer openssl on CentOS8 writes private keys with mode 0600 itself, so the umask can be omitted there)
[root@centos7 CA]#(umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................................................+++
...........................................................+++
e is 65537 (0x10001)

#3 Create the self-signed CA certificate, valid for 3650 days
[root@centos7 CA]#openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:dawn
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.dawn.org
Email Address []:

#4 View the full CA certificate
[root@centos7 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            98:d6:b8:0e:ad:c0:84:9d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=hubei, L=wuhan, O=dawn, OU=devops, CN=ca.dawn.org
        Validity
            Not Before: Sep  6 03:57:41 2020 GMT
            Not After : Sep  4 03:57:41 2030 GMT
        Subject: C=CN, ST=hubei, L=wuhan, O=dawn, OU=devops, CN=ca.dawn.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b1:c3:24:c7:c4:df:75:3d:c0:1e:77:ea:a1:73:
                    73:dd:d5:a7:08:fa:49:c7:f9:ca:cc:d9:9a:36:e8:
                    5d:77:47:c1:f7:d4:d0:8a:4b:b9:26:19:8a:9f:31:
                    80:0d:e4:85:1a:c5:3c:0f:39:8f:2f:97:93:61:2b:
                    46:c4:73:ad:ad:4d:da:8e:c5:14:20:cd:d5:47:ea:
                    b0:63:01:5d:1b:f5:d6:8b:fb:6e:9e:e5:9d:cf:47:
                    b7:2f:7c:8d:08:96:ef:18:c8:46:d5:c9:13:fc:44:
                    c7:0f:af:67:2d:43:e7:51:fe:ba:17:f8:0b:e7:c1:
                    b0:1f:fa:68:00:14:47:df:9e:68:d9:7c:f8:dd:09:
                    95:9e:6f:8f:e6:a5:4b:f5:e4:d4:3c:11:bc:0d:1f:
                    ca:15:47:bd:d4:83:b6:9c:0b:26:c7:3c:a4:b2:b9:
                    2d:ae:f2:46:b7:b0:41:53:2e:5e:5c:de:03:c4:47:
                    a1:90:48:3b:66:53:10:c7:4d:3b:9e:7e:37:ae:5d:
                    6f:b9:39:b0:d1:e6:c3:fb:be:b7:a5:c4:05:c6:97:
                    b8:29:8b:f7:2d:67:de:7e:e1:a6:94:c7:08:7b:ef:
                    4b:16:4e:c4:37:84:54:16:dc:34:b6:52:fe:f1:e3:
                    66:bc:24:ec:56:ef:e9:18:81:4c:c2:03:b3:e6:72:
                    dc:ad
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                38:0D:0C:31:D6:04:AA:8B:78:36:41:01:A3:E8:7F:CD:E3:2A:12:00
            X509v3 Authority Key Identifier: 
                keyid:38:0D:0C:31:D6:04:AA:8B:78:36:41:01:A3:E8:7F:CD:E3:2A:12:00

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         35:75:7c:08:2c:96:8e:15:f5:5a:69:2e:0d:82:a9:ea:0b:7f:
         91:3f:1b:83:aa:5c:8c:72:9d:07:a3:84:d2:dd:6c:61:f9:6a:
         b7:22:32:f8:ff:b5:c2:34:d0:35:13:61:75:b9:45:99:82:08:
         d7:58:bb:41:69:d1:9e:07:5e:f2:01:1c:72:c7:56:d6:da:ce:
         f8:74:c7:c0:f2:21:39:7d:1f:a3:e3:9a:9c:4e:2b:46:93:c2:
         47:b5:6b:9c:df:e0:fa:1f:e3:00:8f:39:8a:44:92:de:5c:2d:
         bf:bf:70:20:3b:b9:dc:e2:1e:bc:de:10:34:00:c6:11:5b:f4:
         2a:3c:c3:df:15:d6:b5:01:13:98:cc:1d:d3:6b:8c:a3:91:6c:
         a9:ef:fb:cc:b6:43:b3:79:6d:59:89:e1:32:c0:18:9b:bd:71:
         db:4f:37:ec:3d:f2:55:73:22:c2:12:f8:03:a5:b6:e1:8b:c6:
         28:64:95:7e:f0:23:6c:ac:10:f5:98:5c:8d:d4:15:34:41:f0:
         e1:52:85:40:ec:7b:67:89:e8:c7:65:2b:d6:87:5b:93:9b:3b:
         6a:8b:3f:11:9f:99:d1:86:87:bb:75:67:6c:32:f5:9f:40:2e:
         f2:da:ce:89:d5:2f:89:36:4f:4c:85:60:a8:e2:39:7d:42:d0:
         71:fa:87:e5

5. Create a certificate signing request with openssl on CentOS7 and sign it with the root certificate above

#1 Create the RSA private key for the certificate request
[root@centos7 ~]#(umask 077;openssl genrsa -out app.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................+++
........+++
e is 65537 (0x10001)

#2 Create the certificate request with the key above. Country Name, State or Province Name and Organization Name must match the CA's values: the CSR is produced either way, but the default policy_match section of /etc/pki/tls/openssl.cnf makes openssl ca refuse to sign a request in which they differ
[root@centos7 ~]#openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:dawn
Organizational Unit Name (eg, section) []:music
Common Name (eg, your name or your server's hostname) []:www.lurenye.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

#3 Sign the certificate request with the CA
[root@centos7 ~]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 200
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Sep  6 04:06:23 2020 GMT
            Not After : Mar 25 04:06:23 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = hubei
            organizationName          = dawn
            organizationalUnitName    = music
            commonName                = www.lurenye.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A3:6A:39:25:73:7D:E6:48:A3:4D:66:7E:DA:51:EB:BD:C0:B1:37:AD
            X509v3 Authority Key Identifier: 
                keyid:38:0D:0C:31:D6:04:AA:8B:78:36:41:01:A3:E8:7F:CD:E3:2A:12:00

Certificate is to be certified until Mar 25 04:06:23 2021 GMT (200 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

#4 Signing succeeded. Look at the CA directory: certs/app.crt and newcerts/0F.pem are both the signed certificate (the copy in newcerts is named after the serial number)
[root@centos7 ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files

# app.crt and newcerts/0F.pem are identical
[root@centos7 ~]#diff /etc/pki/CA/certs/app.crt /etc/pki/CA/newcerts/0F.pem 
[root@centos7 ~]#
#5 View the full certificate. Note that L=wuhan is missing from the Subject: the default policy_match section does not list localityName, so openssl ca drops it. Note also that the certificate has no subjectAltName; modern TLS clients match the host name against the SAN rather than the CN, so a server certificate should be issued with a subjectAltName extension
[root@centos7 ~]#openssl x509 -in /etc/pki/CA/certs/app.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=hubei, L=wuhan, O=dawn, OU=devops, CN=ca.dawn.org
        Validity
            Not Before: Sep  6 04:06:23 2020 GMT
            Not After : Mar 25 04:06:23 2021 GMT
        Subject: C=CN, ST=hubei, O=dawn, OU=music, CN=www.lurenye.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:98:dd:19:91:e9:5f:c5:58:b4:c7:ea:7f:d2:20:
                    37:c5:b3:47:73:ee:06:dd:db:78:e1:50:ca:8a:22:
                    7e:3e:dc:15:ad:2d:15:8d:c3:f9:73:e2:b0:b3:23:
                    30:38:6a:cf:71:88:5d:7f:5e:b9:cd:2b:c3:69:e0:
                    ff:54:97:0b:c0:28:a0:cb:ae:71:1c:65:24:58:ae:
                    01:40:81:30:a1:25:ec:0a:5b:c0:2c:f5:ce:b8:f1:
                    af:5b:40:27:25:1b:1a:4b:52:c6:13:e1:da:f3:34:
                    92:15:b7:5b:29:8b:61:e2:de:dc:20:98:12:52:e2:
                    bf:cb:ec:4b:83:26:e5:51:de:d1:8c:e1:d2:24:1f:
                    81:8d:97:1c:43:6d:e8:12:10:54:26:7e:74:1d:5c:
                    d2:d8:c2:2c:84:20:80:77:5d:28:e4:ef:e0:c7:64:
                    a1:43:fb:8d:28:c0:b5:ce:fe:c6:12:8b:b7:83:55:
                    ee:18:d0:28:06:2a:01:96:ff:95:0e:cb:f8:9d:01:
                    de:28:a3:ec:ae:2a:ef:fe:fd:37:94:32:b8:cf:61:
                    80:54:6f:43:7a:36:d2:5c:05:03:fd:6a:25:a5:5f:
                    87:0c:b1:5a:4b:e7:25:a8:b6:e1:f0:3f:d8:bb:70:
                    5e:7e:82:f4:3a:8b:e2:71:96:a2:a8:20:ff:ee:c7:
                    db:73
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A3:6A:39:25:73:7D:E6:48:A3:4D:66:7E:DA:51:EB:BD:C0:B1:37:AD
            X509v3 Authority Key Identifier: 
                keyid:38:0D:0C:31:D6:04:AA:8B:78:36:41:01:A3:E8:7F:CD:E3:2A:12:00

    Signature Algorithm: sha256WithRSAEncryption
         56:92:96:3d:38:ce:30:7d:b7:43:76:7c:4e:a2:23:d3:5c:79:
         34:8b:44:70:8b:7b:3a:a8:7b:83:3b:a7:0c:99:db:b5:f9:d2:
         a3:45:b2:db:b0:50:37:44:6c:1c:45:28:9c:80:d0:2e:8a:4e:
         a9:a0:06:17:4a:d9:8d:04:a8:54:26:54:23:88:ea:f0:c0:3e:
         32:9f:c0:ca:fb:22:6c:23:ab:9e:80:f2:78:31:5f:29:53:4d:
         2b:31:c8:b0:3f:07:2c:db:d5:00:2b:a0:12:33:2f:1e:a9:79:
         4d:8b:41:ac:a6:a0:a2:e6:3e:1a:a3:cf:c4:fb:e8:7c:d0:50:
         16:af:4e:45:a2:15:08:72:7d:19:f8:dc:34:30:03:d8:7b:08:
         df:af:6a:08:bb:8d:22:7f:39:63:d7:95:3a:ff:3a:36:06:41:
         36:32:8b:0b:d1:c7:e8:d0:8f:82:1a:14:36:87:17:e1:85:90:
         df:02:38:84:6c:da:97:15:34:51:c8:0f:12:bb:26:9e:af:d1:
         bf:06:36:6b:78:26:af:23:73:0a:1b:c2:56:b2:3e:99:0d:63:
         e7:b7:8c:49:ee:41:77:28:d0:c3:44:db:06:a4:62:7f:d5:50:
         dc:04:1c:72:f4:aa:90:70:1c:35:fc:6c:f2:5f:c9:40:b2:4f:
         35:9f:8a:04

6. Revoke the signed certificate

# Initialize the CRL number file (needed only once, before the first CRL is generated). This is the sequence number of the CRL itself, not the serial of the certificate being revoked; it appears as "X509v3 CRL Number" in the CRL
[root@centos7 ~]#echo 0F > /etc/pki/CA/crlnumber
[root@centos7 ~]#cat /etc/pki/CA/crlnumber
0F

# Revoke the certificate created in 5
# Get the serial of the certificate to be revoked
[root@centos7 ~]#openssl x509 -in /etc/pki/CA/certs/app.crt -noout -serial -subject
serial=0F
subject= /C=CN/ST=hubei/O=dawn/OU=music/CN=www.lurenye.org

# Revoke the certificate
[root@centos7 ~]#openssl ca -revoke /etc/pki/CA/newcerts/0F.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
# index.txt now marks the entry R (revoked); the fields are status, expiry date, revocation date, serial, file name (unknown) and subject DN
[root@centos7 ~]#cat /etc/pki/CA/index.txt
R	210325040623Z	200906052429Z	0F	unknown	/C=CN/ST=hubei/O=dawn/OU=music/CN=www.lurenye.org


# Generate (or regenerate) the certificate revocation list
[root@centos7 ~]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

# View the CRL file. Clients only learn about the revocation if they fetch this CRL (or the CA serves OCSP); the certificate issued above carries no CRL distribution point, so the CRL has to be distributed to relying parties by other means
[root@centos7 ~]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=hubei/L=wuhan/O=dawn/OU=devops/CN=ca.dawn.org
        Last Update: Sep  6 05:28:08 2020 GMT
        Next Update: Oct  6 05:28:08 2020 GMT
        CRL extensions:
            X509v3 CRL Number: 
                15
Revoked Certificates:
    Serial Number: 0F
        Revocation Date: Sep  6 05:24:29 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
         a9:d4:92:99:a6:72:0d:ea:72:45:61:68:27:05:b2:e1:28:42:
         d0:d3:9f:f7:99:62:f1:7b:76:3d:d0:a9:fc:a6:04:8f:3e:81:
         07:25:ac:d3:6c:76:34:5f:77:22:15:4c:d9:f6:62:39:f0:27:
         b4:c3:76:ac:98:b8:26:57:4e:20:02:26:80:6e:cb:69:4c:97:
         8e:3b:e8:c7:fa:fa:ee:02:43:bb:b2:76:40:99:27:c9:56:8d:
         f6:14:8d:6b:20:4f:16:df:f2:84:51:d1:43:24:b1:47:01:49:
         75:6e:36:7e:7d:30:27:24:71:bc:c6:8a:4d:84:46:f5:1d:eb:
         7e:2a:11:fe:71:f4:fd:f2:29:06:4c:ec:aa:fa:7b:fb:71:80:
         e0:d8:1f:66:73:0a:24:ff:31:08:b3:f2:82:a4:8f:c6:5f:22:
         f4:d3:ed:1e:01:90:6b:03:85:0e:2b:86:9b:36:8c:53:f6:8b:
         ad:7d:b9:fe:6d:f3:6b:30:3a:6b:38:65:f3:a7:3e:27:a7:cf:
         e4:40:89:1b:f7:c4:a9:a6:1a:bf:1b:8d:c7:2e:36:ce:97:5a:
         bd:5a:12:2a:c8:85:9e:69:d9:41:40:ae:98:50:43:b5:4a:62:
         a2:7f:6d:f0:90:a3:dd:2e:e2:7a:98:50:89:b9:75:6d:bb:59:
         b3:af:1a:73
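The CA procedure of sections 4 to 6, as an added example that is not part of the original page: it rebuilds the CA in a temporary directory with its own openssl.cnf so that /etc/pki/CA is untouched, and goes beyond the page by putting a subjectAltName on the server certificate, verifying the chain, showing policy_match rejecting a CSR with a different O, and checking that the revoked certificate fails verification against the CRL. The DN values and host names are the page's; the paths and the config file are constructed here.

```shell
#!/bin/sh
# Added example (not from the original page): the CA procedure of sections 4-6
# rebuilt in a temporary directory with its own openssl.cnf. DN values and host
# names are the page's; paths and the config file are constructed here.
set -eu

# openssl verify exit codes differ across versions, so test for the ": OK" line.
verify_ok() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }

# Returns 0 when every check in sections 4-6 behaves as expected.
ca_demo() {
    work=$(mktemp -d); ca="$work/CA"; cnf="$work/openssl.cnf"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    touch "$ca/index.txt"; echo 0F > "$ca/serial"; echo 0F > "$ca/crlnumber"

    cat > "$cnf" <<EOF
[ ca ]
default_ca        = CA_default
[ CA_default ]
dir               = $ca
new_certs_dir     = \$dir/newcerts
database          = \$dir/index.txt
serial            = \$dir/serial
crlnumber         = \$dir/crlnumber
certificate       = \$dir/cacert.pem
private_key       = \$dir/private/cakey.pem
default_md        = sha256
default_days      = 200
default_crl_days  = 30
policy            = policy_match
x509_extensions   = server_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.lurenye.org
EOF

    # Section 4: CA key (kept 0600 by the umask) and self-signed CA certificate.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$ca/private/cakey.pem" -days 3650 -config "$cnf" \
        -extensions v3_ca -subj "/C=CN/ST=hubei/L=wuhan/O=dawn/OU=devops/CN=ca.dawn.org" \
        -out "$ca/cacert.pem"

    # Section 5: server key, CSR, signing; the cert lands in certs/ and newcerts/0F.pem.
    (umask 077; openssl genrsa -out "$work/app.key" 2048 2>/dev/null)
    openssl req -new -key "$work/app.key" -config "$cnf" \
        -subj "/C=CN/ST=hubei/L=wuhan/O=dawn/OU=music/CN=www.lurenye.org" -out "$work/app.csr"
    openssl ca -batch -config "$cnf" -in "$work/app.csr" -out "$ca/certs/app.crt" \
        -days 200 -notext >/dev/null 2>&1
    rc=0
    cmp -s "$ca/certs/app.crt" "$ca/newcerts/0F.pem" || rc=1
    verify_ok -CAfile "$ca/cacert.pem" "$ca/certs/app.crt" || rc=1
    openssl x509 -in "$ca/certs/app.crt" -noout -text | grep -q 'DNS:www.lurenye.org' || rc=1

    # policy_match: a request whose O differs from the CA's must be refused.
    openssl req -new -key "$work/app.key" -config "$cnf" \
        -subj "/C=CN/ST=hubei/O=other/CN=www.lurenye.org" -out "$work/bad.csr"
    if openssl ca -batch -config "$cnf" -in "$work/bad.csr" -out "$work/bad.crt" >/dev/null 2>&1; then
        echo "policy_match should have rejected a mismatched organizationName" >&2; rc=1
    fi

    # Section 6: revoke, issue the CRL, and verify with -crl_check (must fail now).
    openssl ca -config "$cnf" -revoke "$ca/certs/app.crt" >/dev/null 2>&1
    openssl ca -config "$cnf" -gencrl -out "$ca/crl.pem" >/dev/null 2>&1
    grep -q '^R' "$ca/index.txt" || rc=1
    cat "$ca/cacert.pem" "$ca/crl.pem" > "$work/trust.pem"
    if verify_ok -crl_check -CAfile "$work/trust.pem" "$ca/certs/app.crt"; then
        echo "revoked certificate still verifies against the CRL" >&2; rc=1
    fi

    rm -rf "$work"
    return $rc
}
```

The `[ server_cert ]` section is what the page's default x509_extensions lacks: CA:FALSE stops the leaf from issuing further certificates, keyUsage and extendedKeyUsage restrict it to TLS server use, and subjectAltName is the field clients actually match the host name against. The final -crl_check step is the part of section 6 a relying party performs; without it, revocation has no effect on verification.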
