1. Create an RSA asymmetric key pair with gpg on CentOS 7
[19:29:54 root@centos7 ~]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: centos7
Email address:
Comment:
You selected this USER-ID:
"centos7"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 178E1A9F marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/178E1A9F 2020-09-05
Key fingerprint = CADE 0828 7209 D35B 1CD5 75C9 45F0 5196 178E 1A9F
uid centos7
sub 2048R/99D69EA6 2020-09-05
# In another terminal, generate disk activity so the kernel entropy pool fills faster (mind the direction: if=/dev/sda only reads the disk; swapping if and of would wipe it)
[19:34:23 root@centos7 ~]#dd if=/dev/sda of=/dev/zero
[19:34:19 root@centos7 ~]#gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/178E1A9F 2020-09-05
uid centos7
sub 2048R/99D69EA6 2020-09-05
2. Copy the public key exported from CentOS 7 to CentOS 8 and encrypt a file on CentOS 8 with the CentOS 7 public key
# Export the public key on centos7 (with no key ID given, --export writes every public key in the keyring; pass a key ID or fingerprint to export just one)
[19:43:10 root@centos7 ~]#gpg -a --export -o ding.pubkey
[19:44:13 root@centos7 ~]#ls
anaconda-ks.cfg ding.pubkey
# Copy the public key to centos8
[19:44:20 root@centos7 ~]#scp ding.pubkey 10.0.0.8:/data
root@10.0.0.8's password:
ding.pubkey
# Import the centos7 public key on centos8
[19:55:02 root@centos8 data]#gpg --import ding.pubkey
gpg: key 45F05196178E1A9F: public key "centos7" imported
gpg: Total number processed: 1
gpg: imported: 1
[19:56:17 root@centos8 data]#gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub rsa2048 2020-09-05 [SC] [expires: 2022-09-05]
6A3BCED5DA17E3E93B15A24F54E2334046E5E5FC
uid [ultimate] centos8
sub rsa2048 2020-09-05 [E] [expires: 2022-09-05]
pub rsa2048 2020-09-05 [SC]
CADE08287209D35B1CD575C945F05196178E1A9F
uid [ unknown] centos7
sub rsa2048 2020-09-05 [E]
# Encrypt a file with the centos7 public key. The "no assurance" warning appears because the imported key is not signed by any key centos8 trusts; before answering y, compare the primary key fingerprint printed here with the one shown by gpg on centos7 (CADE 0828 ... 178E 1A9F above)
[20:04:29 root@centos8 data]#cat f2.txt
123
[19:57:51 root@centos8 data]#gpg -e -r centos7 f2.txt
gpg: 1B69085D99D69EA6: There is no assurance this key belongs to the named user
sub rsa2048/1B69085D99D69EA6 2020-09-05 centos7
Primary key fingerprint: CADE 0828 7209 D35B 1CD5 75C9 45F0 5196 178E 1A9F
Subkey fingerprint: 7606 9331 FD03 343F 5C5E C0E0 1B69 085D 99D6 9EA6
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[20:03:14 root@centos8 data]#ls
ding.pubkey f2.txt f2.txt.gpg f3.txt
3. Back on the CentOS 7 server, copy the encrypted file f2.txt.gpg from CentOS 8 and decrypt it with the CentOS 7 private key
# Copy the encrypted file from centos8 to the local machine
[20:12:59 root@centos7 data]#scp 10.0.0.8:/data/f2.txt.gpg ./
root@10.0.0.8's password:
f2.txt.gpg
[20:13:38 root@centos7 data]#ls
f1.txt f2.txt f2.txt.gpg f3.txt
# Decrypt with the centos7 private key (gpg picks the matching encryption subkey 99D69EA6 from the packet header and asks for the passphrase set at key creation)
[20:13:41 root@centos7 data]#gpg -d f2.txt.gpg
You need a passphrase to unlock the secret key for
user: "centos7"
2048-bit RSA key, ID 99D69EA6, created 2020-09-05 (main key ID 178E1A9F)
gpg: encrypted with 2048-bit RSA key, ID 99D69EA6, created 2020-09-05
"centos7"
123
# Write the decrypted content to a file instead of stdout
[20:14:18 root@centos7 data]#gpg -o f1.txt -d f2.txt.gpg
You need a passphrase to unlock the secret key for
user: "centos7"
2048-bit RSA key, ID 99D69EA6, created 2020-09-05 (main key ID 178E1A9F)
gpg: encrypted with 2048-bit RSA key, ID 99D69EA6, created 2020-09-05
"centos7"
File `f1.txt' exists. Overwrite? (y/N) y
[20:15:27 root@centos7 data]#cat f1.txt
123
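The three steps above replayed end to end, as an added example that is not part of the original writeup: two throwaway GNUPGHOME directories stand in for centos7 (key owner) and centos8 (sender), the key is generated unattended, and before encrypting the sender checks the imported key's fingerprint against the one the owner published, which is the check the "Use this key anyway?" prompt is asking for. The directory names, the passphrase-less key, the plaintext, and the GnuPG 2.1+ requirement are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the page): gpg key exchange between two homedirs.
# Assumes GnuPG 2.1 or newer; directories, names and plaintext are made up.

gpg_roundtrip() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "SKIP: gpg not installed"
        return 0
    fi
    work=$(mktemp -d)
    A="$work/centos7"; B="$work/centos8"
    mkdir -p "$A" "$B" && chmod 700 "$A" "$B"

    # 1. Unattended key generation on "centos7". Unlike the interactive run on
    #    the page, %no-protection leaves the key without a passphrase (test use only).
    cat > "$A/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: centos7
Expire-Date: 0
%commit
EOF
    gpg --homedir "$A" --batch --quiet --gen-key "$A/params" 2>/dev/null

    # The full 40-hex-digit primary fingerprint is what the owner hands to the
    # recipient out of band; the 8-digit short ID (178E1A9F on the page) is
    # too short to identify a key safely.
    FPR=$(gpg --homedir "$A" --with-colons --fingerprint \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # 2. Export only that key (a bare --export dumps the whole keyring) and
    #    hand the file to "centos8" (cp stands in for scp).
    gpg --homedir "$A" --armor --export "$FPR" > "$A/ding.pubkey"
    cp "$A/ding.pubkey" "$B/ding.pubkey"
    gpg --homedir "$B" --batch --quiet --import "$B/ding.pubkey" 2>/dev/null

    # Compare the imported key with the out-of-band fingerprint instead of
    # answering "y" blindly. A mismatch means the key file was swapped in
    # transit: refuse to encrypt.
    gpg --homedir "$B" --with-colons --fingerprint | grep -q ":$FPR:" || {
        echo "FAIL: fingerprint mismatch"
        return 1
    }

    # 3. Encrypt to the verified fingerprint. --trust-model always is
    #    acceptable here only because the recipient is pinned by full
    #    fingerprint, not by the name "centos7" that anyone can put on a key.
    printf '123\n' > "$B/f2.txt"
    gpg --homedir "$B" --batch --quiet --trust-model always \
        --recipient "$FPR" --output "$B/f2.txt.gpg" --encrypt "$B/f2.txt"

    # 4. Back on "centos7": decrypt with the private key; plaintext goes to stdout.
    cp "$B/f2.txt.gpg" "$A/f2.txt.gpg"
    gpg --homedir "$A" --batch --quiet --decrypt "$A/f2.txt.gpg" 2>/dev/null

    gpgconf --homedir "$A" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$B" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}
```

Calling gpg_roundtrip prints 123, the decrypted plaintext. The fingerprint comparison is the part worth copying into real procedures: on the page, the fingerprint printed at the "Use this key anyway?" prompt on centos8 is identical to the one gpg printed on centos7 at key creation, and that equality, not the user ID, is what justifies answering y.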
4. Create a CA with openssl on CentOS 7
# Create the CA private key in /etc/pki/CA (the umask 066 in a subshell makes the key file mode 0600 without changing the shell's own umask)
[21:43:59 root@centos7 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.+++
.............................................................+++
e is 65537 (0x10001)
# Issue the CA its self-signed certificate, valid for 10 years
[22:05:14 root@centos7 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:
5. Create a certificate signing request with openssl on CentOS 7 and sign it with the root CA above
# Generate the application's private key
[22:09:11 root@centos7 data]# (umask 066; openssl genrsa -out /data/app1.key 2048)
Generating RSA private key, 2048 bit long modulus
..................................................................................................................+++
................................................................................................+++
e is 65537 (0x10001)
# Generate the certificate signing request (CSR)
[22:09:51 root@centos7 data]#openssl req -new -key /data/app1.key -out /data/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:app.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Sign the request with the CA. openssl ca takes its settings from /etc/pki/tls/openssl.cnf: index.txt and serial must already exist under /etc/pki/CA, and under the default policy_match the request's C, ST and O must equal the CA's (they do here); DN fields the policy does not list, such as the Locality entered above, are dropped from the issued certificate
[22:10:54 root@centos7 data]#openssl ca -in /data/app1.csr -out /etc/pki/CA/certs/app1.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 5 14:11:23 2020 GMT
Not After : Dec 14 14:11:23 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = magedu
organizationalUnitName = dev
commonName = app.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
90:55:89:A2:DF:D0:FF:A5:EC:20:A8:FB:C0:98:9C:EA:07:5D:D4:08
X509v3 Authority Key Identifier:
keyid:3E:D7:DF:70:D0:D1:DB:5B:BB:4E:97:3D:B1:11:00:9F:76:B2:0E:3D
Certificate is to be certified until Dec 14 14:11:23 2020 GMT (100 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
6. Revoke the signed certificate
# Inspect the records of the issued certificate: a copy in newcerts/<serial>.pem and a line in the index.txt database (V = valid)
[22:16:54 root@centos7 CA]#ls newcerts/
01.pem
[22:17:00 root@centos7 CA]#cat index.txt
V 201214141123Z 01 unknown /C=CN/ST=henan/O=magedu/OU=dev/CN=app.org
# Revoke the certificate; its index.txt status changes from V to R with the revocation time
[22:17:29 root@centos7 CA]#openssl ca -revoke newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[22:17:43 root@centos7 CA]#cat index.txt
R 201214141123Z 200905141743Z 01 unknown /C=CN/ST=henan/O=magedu/OU=dev/CN=app.org
# Initialize the CRL number: crlnumber holds the serial of the NEXT CRL to be issued and is incremented on every -gencrl; it is not the serial of a revoked certificate
[22:17:53 root@centos7 CA]#echo 01 > /etc/pki/CA/crlnumber
# Generate the certificate revocation list; it must be regenerated and redistributed after every revocation, since relying parties only learn of the revocation through the CRL
[22:18:07 root@centos7 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
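Steps 4 to 6 replayed as one script, added here as an example rather than taken from the page: it builds the same directory layout CentOS 7 ships under /etc/pki/CA inside a temporary directory with its own minimal openssl.cnf, so it runs unprivileged and never touches /etc/pki, then issues app1.crt, verifies it, revokes it, regenerates the CRL and verifies again. The paths, the config file, the -subj values and the choice to publish an empty CRL before the first certificate are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the page): openssl CA, signing, revocation and CRL
# in a throwaway directory. Paths, subjects and openssl.cnf are assumptions.

# Build the layout openssl ca expects (same as /etc/pki/CA on CentOS 7) plus
# a minimal config pointing at it.
ca_setup() {
    d=$1
    mkdir -p "$d/certs" "$d/crl" "$d/newcerts" "$d/private"
    chmod 700 "$d/private"
    : > "$d/index.txt"          # certificate database: must exist, starts empty
    echo 01 > "$d/serial"       # serial of the NEXT certificate
    echo 01 > "$d/crlnumber"    # number of the NEXT CRL, not a certificate serial
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $d
database         = $d/index.txt
new_certs_dir    = $d/newcerts
serial           = $d/serial
crlnumber        = $d/crlnumber
certificate      = $d/cacert.pem
private_key      = $d/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
x509_extensions  = usr_cert
# policy_match: C, ST and O of the request must equal the CA's or signing fails;
# localityName is listed here so L= survives (CentOS's default policy drops it)
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
[ req ]
distinguished_name     = req_dn
[ req_dn ]
EOF
    # CA key (umask 066 keeps it 0600) and a 10-year self-signed root
    (umask 066; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$d/openssl.cnf" -extensions v3_ca \
        -key "$d/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=henan/L=zhengzhou/O=magedu/OU=it/CN=ca.magedu.org" \
        -out "$d/cacert.pem"
    # publish an (empty) CRL from day one so relying parties always find one
    openssl ca -config "$d/openssl.cnf" -gencrl -out "$d/crl/crl.pem"
}

# Application key, CSR, and CA signature (-batch answers both y/n prompts).
ca_issue() {
    d=$1
    (umask 066; openssl genrsa -out "$d/app1.key" 2048 2>/dev/null)
    openssl req -new -config "$d/openssl.cnf" -key "$d/app1.key" \
        -subj "/C=CN/ST=henan/L=zhengzhou/O=magedu/OU=dev/CN=app.org" \
        -out "$d/app1.csr"
    openssl ca -config "$d/openssl.cnf" -batch -days 100 \
        -in "$d/app1.csr" -out "$d/certs/app1.crt"   # also lands in newcerts/01.pem
}

# Revoke serial 01, then regenerate the CRL: the revocation only reaches
# relying parties once a new CRL is published.
ca_revoke() {
    d=$1
    openssl ca -config "$d/openssl.cnf" -revoke "$d/newcerts/01.pem"
    openssl ca -config "$d/openssl.cnf" -gencrl -out "$d/crl/crl.pem"
}

# Chain validation with CRL checking; exits non-zero once the cert is revoked.
ca_verify() {
    d=$1
    openssl verify -crl_check -CAfile "$d/cacert.pem" \
        -CRLfile "$d/crl/crl.pem" "$d/certs/app1.crt"
}
```

Run ca_setup, ca_issue and ca_verify, then ca_revoke and ca_verify again: the second verify fails with "certificate revoked", index.txt shows the R line, and crlnumber has advanced from 01 to 03 because it counts CRLs issued, not certificates.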