Assignment 1
1. Create an RSA asymmetric key pair with gpg on CentOS 7
1) Generate the public/private key pair on CentOS 7
[root@centos7sl ~]# gpg --gen-key
The generated public and private keys are stored under .gnupg
[root@centos7sl ~]# cd .gnupg
[root@centos7sl .gnupg]# ls
gpg.conf private-keys-v1.d pubring.gpg pubring.gpg~ random_seed secring.gpg S.gpg-agent trustdb.gpg
pubring.gpg holds the public keys and secring.gpg the private keys; viewing them directly with cat shows garbage because they are binary.
2) Use gpg --list-keys to view the keys
[root@centos7sl .gnupg]# gpg --list-keys
/root/.gnupg/pubring.gpg
pub 2048R/C6FA08D0 2020-09-05
uid centos7
sub 2048R/423D1D84 2020-09-05
2. Export the public key from CentOS 7, copy it to CentOS 8, and on CentOS 8 encrypt a file with the CentOS 7 public key
1) On CentOS 7, export the public key: gpg -a --export -o centos7.pubkey
-a exports ASCII-armored (printable) text, otherwise the output is binary; -o writes it to a new file named centos7.pubkey
[root@centos7sl .gnupg]# gpg -a --export -o centos7.pubkey
2) Copy the file to the /data directory on CentOS 8
[root@centos7sl .gnupg]# scp ./centos7.pubkey 10.0.0.80:/data
The authenticity of host '10.0.0.80 (10.0.0.80)' can't be established.
ECDSA key fingerprint is SHA256:mFaDpjKHujTLC8/ct2HLP8Xacndle6VsGicKaDpnXcA.
ECDSA key fingerprint is MD5:eb:e4:58:9a:8f:4f:b2:57:fa:87:7f:93:40:a4:31:69.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.80' (ECDSA) to the list of known hosts.
root@10.0.0.80's password:
centos7.pubkey
3) Import the CentOS 7 public key on CentOS 8 and use it to encrypt a.txt
[root@centos8sl data]# gpg --import /data/centos7.pubkey
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key C006582CC6FA08D0: public key "centos7" imported
gpg: Total number processed: 1
gpg: imported: 1
[root@centos8sl data]# gpg -e -r centos7 a.txt
gpg: 8E9E6D32423D1D84: There is no assurance this key belongs to the named user
sub rsa2048/8E9E6D32423D1D84 2020-09-05 centos7
Primary key fingerprint: D8E3 84F0 F0E2 94AC 7925 8172 C006 582C C6FA 08D0
Subkey fingerprint: 177D AC6D 0CA5 0049 4D6B 8DB3 8E9E 6D32 423D 1D84
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
View the encrypted file a.txt.gpg
[root@centos8sl data]# cat a.txt.gpg
3. Back on the CentOS 7 server, remotely copy file.txt.gpg to it and decrypt the file with the CentOS 7 private key
1) Copy a.txt.gpg from CentOS 8 to CentOS 7
[root@centos8sl data]# scp ./a.txt.gpg 10.0.0.70:/data
root@10.0.0.70's password:
a.txt.gpg 100% 344 58.2KB/s 00:00
2) On CentOS 7, decrypt with the private key and redirect the result to a file: gpg -d a.txt.gpg > test.txt
[root@centos7sl data]# gpg -d a.txt.gpg > test.txt
gpg: encrypted with 2048-bit RSA key, ID 423D1D84, created 2020-09-05
"centos7"
[root@centos7sl data]# cat test.txt
a
b
c
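Sections 1 to 3 replayed end to end as a script (an added example, not the assignment's own session): two temporary GNUPGHOME directories stand in for CentOS 7 and CentOS 8, and the "no assurance this key belongs to the named user" prompt is answered by comparing the fingerprint on both sides instead of typing y. Assumes gpg 2.x; the key is generated without a passphrase only to keep the demo non-interactive.

```shell
# Added example, not the assignment's session: sections 1-3 with two separate
# GNUPGHOME directories standing in for CentOS 7 (key owner) and CentOS 8
# (sender). Assumes gpg 2.x is installed.
set -eu

fpr() {   # primary-key fingerprint of user id $2 in keyring directory $1
    GNUPGHOME=$1 gpg --batch --with-colons --fingerprint "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

gpg_roundtrip() {
    c7=$(mktemp -d); c8=$(mktemp -d); chmod 700 "$c7" "$c8"
    # 1. CentOS 7 generates the RSA key pair (unprotected, for the demo only)
    GNUPGHOME=$c7 gpg --batch --quiet --gen-key <<'EOF' 2>/dev/null
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: centos7
Expire-Date: 0
%commit
EOF
    # 2. export the ASCII-armored public key, "copy" it over, import on CentOS 8
    GNUPGHOME=$c7 gpg --batch -a --export -o "$c8/centos7.pubkey" centos7
    GNUPGHOME=$c8 gpg --batch --quiet --import "$c8/centos7.pubkey" 2>/dev/null
    # The "no assurance this key belongs to the named user" prompt in the
    # session above asks for exactly this check: the fingerprint of the
    # imported key must equal the one read on the owner's side.
    [ "$(fpr "$c7" centos7)" = "$(fpr "$c8" centos7)" ] || { echo "fingerprint mismatch"; return 1; }
    printf 'a\nb\nc\n' > "$c8/a.txt"
    # 3. encrypt for centos7; --trust-model always stands in for the interactive
    # "Use this key anyway? (y/N)" now that the fingerprint has been checked
    GNUPGHOME=$c8 gpg --batch --trust-model always -e -r centos7 -o "$c8/a.txt.gpg" "$c8/a.txt"
    # 4. back on CentOS 7, decrypt with the private key (plaintext to stdout)
    GNUPGHOME=$c7 gpg --batch --quiet -d "$c8/a.txt.gpg" 2>/dev/null
}
```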
4. Create a CA with openssl on CentOS 7
1) Create the CA directories and files (the directories already exist by default on CentOS 7 and are not created again here)
[root@centos7sl ~]# tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@centos7 ~]# touch /etc/pki/CA/index.txt
[root@centos7 ~]# echo 0F > /etc/pki/CA/serial
2) Create the CA private key
[root@centos7sl ~]# cd /etc/pki/CA/
[root@centos7sl CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
....+++
....................................+++
e is 65537 (0x10001)
# make sure the permissions are 600
[root@centos7sl CA]# ll
total 4
drwxr-xr-x. 2 root root 6 Aug 9 2019 certs
drwxr-xr-x. 2 root root 6 Aug 9 2019 crl
-rw-r--r-- 1 root root 0 Sep 5 20:34 index.txt
drwxr-xr-x. 2 root root 6 Aug 9 2019 newcerts
drwx------. 2 root root 23 Sep 5 20:36 private
-rw-r--r-- 1 root root 3 Sep 5 20:34 serial
[root@centos7sl CA]# ll private/
total 4
-rw------- 1 root root 1679 Sep 5 20:36 cakey.pem
3) The CA issues itself a self-signed certificate
[root@centos7sl CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HENAN
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:
4) View the certificate file
[root@centos7sl CA]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a7:f8:6b:f9:28:6a:f0:c9
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=HENAN, L=zhengzhou, O=magedu, OU=it, CN=ca.magedu.org
Validity
Not Before: Sep 5 12:40:58 2020 GMT
Not After : Sep 3 12:40:58 2030 GMT
Subject: C=CN, ST=HENAN, L=zhengzhou, O=magedu, OU=it, CN=ca.magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
24:51:B3:9E:E0:23:CB:AD:79:2C:70:D8:62:8C:91:26:83:02:B1:F4
X509v3 Authority Key Identifier:
keyid:24:51:B3:9E:E0:23:CB:AD:79:2C:70:D8:62:8C:91:26:83:02:B1:F4
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
5. On CentOS 7, create a certificate signing request with openssl and sign it with the root certificate above
1) The user generates a private key
[root@centos7sl app2]# (umask 066;openssl genrsa -out /data/app2/app2.key 2048)
Generating RSA private key, 2048 bit long modulus
..........................+++
....................................................+++
e is 65537 (0x10001)
[root@centos7sl app2]# cat /data/app2/app2.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
2) Certificate request
# Generate the request file for the host that needs the certificate; .csr means certificate signing request.
# The interactive command prompts for country, province, city and so on.
[root@centos7sl app2]# openssl req -new -key /data/app2/app2.key -out /data/app2/app2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HENAN
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app2.magedu.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7sl app2]#
# View app2's private key and certificate request
[root@centos7sl app2]# ll /data/app2
total 8
-rw-r--r-- 1 root root 1005 Sep 5 20:58 app2.csr
-rw------- 1 root root 1679 Sep 5 20:50 app2.key
3) The CA issues the certificate:
[root@centos7sl app2]# openssl ca -in /data/app2/app2.csr -out /etc/pki/CA/certs/app2.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Sep 5 13:03:30 2020 GMT
Not After : Jun 2 13:03:30 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = HENAN
organizationName = magedu
organizationalUnitName = it
commonName = app2.magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
65:DA:A2:95:2F:66:5E:D6:1C:72:02:C7:50:96:F2:B0:14:C4:B7:EE
X509v3 Authority Key Identifier:
keyid:24:51:B3:9E:E0:23:CB:AD:79:2C:70:D8:62:8C:91:26:83:02:B1:F4
Certificate is to be certified until Jun 2 13:03:30 2023 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos7sl app2]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── app2.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
4) View the certificate
[root@centos7sl app2]# cat /etc/pki/CA/certs/app2.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=HENAN, L=zhengzhou, O=magedu, OU=it, CN=ca.magedu.org
Validity
Not Before: Sep 5 13:03:30 2020 GMT
Not After : Jun 2 13:03:30 2023 GMT
Subject: C=CN, ST=HENAN, O=magedu, OU=it, CN=app2.magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
65:DA:A2:95:2F:66:5E:D6:1C:72:02:C7:50:96:F2:B0:14:C4:B7:EE
X509v3 Authority Key Identifier:
keyid:24:51:B3:9E:E0:23:CB:AD:79:2C:70:D8:62:8C:91:26:83:02:B1:F4
Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
6. Revoke the certificate that was just signed
1) Revoke the certificate
[root@centos7sl app2]# openssl ca -revoke /etc/pki/CA/newcerts/0F.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
[root@centos7sl app2]# openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Revoked (R)
[root@centos7sl app2]# cat /etc/pki/CA/index.txt
R 230602130330Z 200905131750Z 0F unknown /C=CN/ST=HENAN/O=magedu/OU=it/CN=app2.magedu.org
2) Generate the revocation list
[root@centos7sl app2]# echo 01 > /etc/pki/CA/crlnumber
[root@centos7sl app2]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7sl app2]# cat /etc/pki/CA/crlnumber
02
[root@centos7sl app2]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=HENAN/L=zhengzhou/O=magedu/OU=it/CN=ca.magedu.org
Last Update: Sep 5 13:21:45 2020 GMT
Next Update: Oct 5 13:21:45 2020 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 0F
Revocation Date: Sep 5 13:17:50 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
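Sections 4 to 6 as one non-interactive script (an added example, not the assignment's commands): the CA is built in a temporary directory with a minimal openssl.cnf written by the script itself (an assumption standing in for /etc/pki/tls/openssl.cnf), app2's certificate is issued and then revoked, and openssl verify is run against the CRL at each stage. Assumes openssl is installed; the policy section lists only commonName, so the other CSR fields are dropped from the issued subject, the same mechanism that removed L=zhengzhou from app2.crt above.

```shell
# Added example (not the assignment's session): sections 4-6 non-interactively
# in a throwaway directory instead of /etc/pki/CA, with a minimal openssl.cnf
# written here (assumption) in place of /etc/pki/tls/openssl.cnf. Needs openssl.
set -eu
# Print "valid", or the openssl verify error for cert $1 ("certificate revoked").
verdict() {
    out=$(openssl verify -crl_check -CAfile "$CADIR/cacert.pem" \
             -CRLfile "$CADIR/crl.pem" "$1" 2>&1) && { echo valid; return; }
    echo "$out" | sed -n 's/.*lookup: *//p' | head -n 1
}
ca_lifecycle() {
    export CADIR; CADIR=$(mktemp -d)        # read via ${ENV::CADIR} in the config
    mkdir -p "$CADIR/certs" "$CADIR/crl" "$CADIR/newcerts" "$CADIR/private"
    touch "$CADIR/index.txt"; echo 0F > "$CADIR/serial"   # first serial = 0F, as above
    cat > "$CADIR/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ${ENV::CADIR}
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_crl_days = 30
policy = policy_app
[ policy_app ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    cfg=$CADIR/openssl.cnf; crt=$CADIR/certs/app2.crt
    (umask 066; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$cfg" -key "$CADIR/private/cakey.pem" -days 3650 -subj "/C=CN/ST=HENAN/L=zhengzhou/O=magedu/OU=it/CN=ca.magedu.org" -out "$CADIR/cacert.pem"
    openssl genrsa -out "$CADIR/app2.key" 2048 2>/dev/null
    openssl req -new -config "$cfg" -key "$CADIR/app2.key" -subj "/C=CN/ST=HENAN/O=magedu/OU=it/CN=app2.magedu.org" -out "$CADIR/app2.csr"
    openssl ca -config "$cfg" -batch -days 1000 -in "$CADIR/app2.csr" -out "$crt" 2>/dev/null
    openssl ca -config "$cfg" -gencrl -out "$CADIR/crl.pem" 2>/dev/null   # empty CRL
    before=$(verdict "$crt")
    openssl ca -config "$cfg" -revoke "$CADIR/newcerts/0F.pem" 2>/dev/null
    after_revoke_only=$(verdict "$crt")     # still valid: the old CRL is still in use
    openssl ca -config "$cfg" -gencrl -out "$CADIR/crl.pem" 2>/dev/null   # reissue the CRL
    printf '%s -> %s -> %s\n' "$before" "$after_revoke_only" "$(verdict "$crt")"
}
```

The middle verdict is the point of step 2) above: revoking only updates index.txt, and relying parties keep accepting the certificate until a new CRL is generated and distributed.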