Encryption and CA certificate creation
1. Create an RSA asymmetric key pair with gpg on CentOS 7
# generate the key pair with gpg --gen-key; GnuPG 2.0 asks for the key type, size, validity period, user ID and passphrase interactively
[root@localhost ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 3650
Key expires at Wed 04 Sep 2030 05:16:47 PM CST
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: magedu
Email address: root@magedu.org
Comment:
You selected this USER-ID:
"magedu <root@magedu.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key FFC9AA26 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2030-09-04
pub 2048R/FFC9AA26 2020-09-06 [expires: 2030-09-04]
Key fingerprint = 9DED B2B6 51CC B789 163A CF14 539F 3228 FFC9 AA26
uid magedu <root@magedu.org>
sub 2048R/37CA53C3 2020-09-06 [expires: 2030-09-04]
# list the public keys in the keyring (pub = primary signing key, sub = encryption subkey)
[root@localhost ~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/FFC9AA26 2020-09-06 [expires: 2030-09-04]
uid magedu <root@magedu.org>
sub 2048R/37CA53C3 2020-09-06 [expires: 2030-09-04]
# export the public key in ASCII-armored form (-a) to liu.pubkey; only the public key leaves this host
[root@localhost ~]# gpg -a --export -o liu.pubkey
[root@localhost ~]# ls
anaconda-ks.cfg liu.pubkey
[root@localhost ~]# cat liu.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)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=Hdfc
-----END PGP PUBLIC KEY BLOCK-----
2. Copy the public key exported from CentOS 7 to CentOS 8 and encrypt a file there with the CentOS 7 public key
# copy the public key file to the CentOS 8 host
[root@localhost ~]# scp liu.pubkey 10.0.0.8:
root@10.0.0.8's password:
liu.pubkey 100% 1723 2.2MB/s 00:00
# generate a key pair on the CentOS 8 host (GnuPG 2.2: --gen-key uses defaults, --full-generate-key gives the full dialog)
[root@localhost ~]# gpg --list-keys
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
[root@localhost ~]# gpg --gen-key
gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: magedu
Email address: root@magedu.org
You selected this USER-ID:
"magedu <root@magedu.org>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key A8EB5216FA6980C8 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/0CE5ACE751E9B662E435E7D8A8EB5216FA6980C8.rev'
public and secret key created and signed.
pub rsa2048 2020-09-06 [SC] [expires: 2022-09-06]
0CE5ACE751E9B662E435E7D8A8EB5216FA6980C8
uid magedu <root@magedu.org>
sub rsa2048 2020-09-06 [E] [expires: 2022-09-06]
# import the CentOS 7 public key on the CentOS 8 host, then list the keyring: the imported key shows [ unknown] trust, the host's own key [ultimate]
[root@localhost ~]# gpg --import liu.pubkey
[root@localhost ~]# gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2022-09-06
/root/.gnupg/pubring.kbx
------------------------
pub rsa2048 2020-09-06 [SC] [expires: 2022-09-06]
0CE5ACE751E9B662E435E7D8A8EB5216FA6980C8
uid [ultimate] magedu <root@magedu.org>
sub rsa2048 2020-09-06 [E] [expires: 2022-09-06]
pub rsa2048 2020-09-06 [SC] [expires: 2030-09-04]
9DEDB2B651CCB789163ACF14539F3228FFC9AA26
uid [ unknown] magedu <root@magedu.org>
sub rsa2048 2020-09-06 [E] [expires: 2030-09-04]
# encrypt /etc/fstab on the CentOS 8 host with the public key imported from CentOS 7; this writes /etc/fstab.gpg
# caution: both keys carry the uid "magedu <root@magedu.org>", so -r magedu is ambiguous and gpg silently picks one of them. The keyid that file reports below (...2823D626) is not the CentOS 7 encryption subkey 37CA53C3, so this file was not encrypted to the CentOS 7 key and would not be decryptable there. Select the recipient by fingerprint instead: gpg -e -r 9DEDB2B651CCB789163ACF14539F3228FFC9AA26 /etc/fstab
# gpg also warns that the imported key's trust is unknown; compare its fingerprint with the one printed on CentOS 7 before answering yes
[root@localhost ~]# gpg -e -r magedu /etc/fstab
[root@localhost ~]# file /etc/fstab.gpg
/etc/fstab.gpg: PGP RSA encrypted session key - keyid: B6110533 2823D626 RSA (Encrypt or Sign) 2048b .
3. Back on the CentOS 7 server, copy fstab.gpg over from CentOS 8 and decrypt it with the CentOS 7 private key
# copy fstab.gpg from the remote host to this machine
[root@localhost ~]# scp 10.0.0.8:/etc/fstab.gpg .
root@10.0.0.8's password:
fstab.gpg 100% 737 200.3KB/s 00:00
# decrypt on this host with our own private key (gpg prompts for the passphrase); -d alone writes the plaintext to stdout
[root@localhost ~]# gpg -d fstab.gpg
# -o fstab writes the plaintext to a file instead
[root@localhost ~]# gpg -o fstab -d fstab.gpg
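The exchange of sections 1 to 3 as one unattended script, added here as an example; it is not part of the original page. Two temporary GNUPGHOME directories stand in for CentOS 7 (host7, owns the key and decrypts) and CentOS 8 (host8, imports the public key and encrypts). It assumes GnuPG 2.2 or newer on PATH and uses the page's user ID on both sides. It goes beyond the page in two places: it checks the imported fingerprint and local-signs the key instead of answering the trust prompt, and it selects the recipient by fingerprint, which the shared user ID makes necessary. The function names (gen_key, primary_fpr, subkey_id, count_matches, roundtrip_ok) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: sections 1 to 3 replayed without
# prompts. host7 owns the key and decrypts; host8 imports the public key and encrypts.
# Assumes GnuPG 2.2+ on PATH.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to run" >&2; exit 0; }

WORK=$(mktemp -d)
HOST7="$WORK/host7"; HOST8="$WORK/host8"
mkdir -p "$HOST7" "$HOST8"; chmod 700 "$HOST7" "$HOST8"

# Unattended RSA sign+encrypt key pair. %no-protection skips the passphrase, which is
# acceptable only for a throw-away lab key.
gen_key() {
    gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}
# From machine-readable (--with-colons) listings: the primary-key fingerprint ...
primary_fpr() { gpg --homedir "$1" --batch --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }
# ... and the 64-bit keyid of the encryption subkey (field 5 of the sub record).
subkey_id()   { gpg --homedir "$1" --batch --with-colons --list-keys "$2" | awk -F: '$1=="sub"{print $5; exit}'; }
# Number of public keys a recipient spec matches; anything above 1 makes -r ambiguous.
count_matches() { gpg --homedir "$1" --batch --with-colons --list-keys "$2" 2>/dev/null | grep -c '^pub:' || true; }

gen_key "$HOST7" magedu root@magedu.org
gen_key "$HOST8" magedu root@magedu.org       # the same uid on both hosts, as on the page
FPR7=$(primary_fpr "$HOST7" magedu)
SUBID7=$(subkey_id "$HOST7" "$FPR7")

# The scp + --import step: host7 exports its public key, host8 imports it.
gpg --homedir "$HOST7" --batch --armor --export "$FPR7" > "$WORK/liu.pubkey"
gpg --homedir "$HOST8" --batch --quiet --import "$WORK/liu.pubkey"
MATCHES=$(count_matches "$HOST8" magedu)      # 2: "-r magedu" cannot tell the keys apart

# Compare the imported fingerprint with the value read on host7 (out of band in real
# life), then local-sign it so gpg treats it as valid instead of asking "use anyway?".
[ "$(primary_fpr "$HOST8" "$FPR7")" = "$FPR7" ] || { echo "fingerprint mismatch" >&2; exit 1; }
gpg --homedir "$HOST8" --batch --yes --quick-lsign-key "$FPR7"

# Encrypt by fingerprint, not by the shared name; decrypt with host7's secret key.
printf '/dev/sda1 / xfs defaults 0 0\n' > "$WORK/fstab"    # constructed sample content
gpg --homedir "$HOST8" --batch --yes --recipient "$FPR7" \
    --output "$WORK/fstab.gpg" --encrypt "$WORK/fstab"
gpg --homedir "$HOST7" --batch --quiet --output "$WORK/fstab.dec" --decrypt "$WORK/fstab.gpg"

# Which key the session key was encrypted to (what "file" reported on the page).
ENC_KEYID=$(gpg --homedir "$HOST7" --batch --quiet --list-packets "$WORK/fstab.gpg" \
            | sed -n 's/.*keyid \([0-9A-Fa-f]*\).*/\1/p' | head -n 1)

roundtrip_ok() { cmp -s "$WORK/fstab" "$WORK/fstab.dec"; }
roundtrip_ok || { echo "decrypted content differs" >&2; exit 1; }
echo "round trip OK: encrypted to subkey $ENC_KEYID (host7 sub $SUBID7); '-r magedu' matched $MATCHES keys"
gpgconf --homedir "$HOST7" --kill gpg-agent 2>/dev/null || true
gpgconf --homedir "$HOST8" --kill gpg-agent 2>/dev/null || true
```

Run it with sh; the temporary directory under $WORK is left in place so the keyrings and fstab.gpg can be inspected, and can be removed afterwards. The printed keyid should equal host7's sub keyid, the opposite of what the page's file output shows for -r magedu.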
4. Create a CA with openssl on CentOS 7
# enter the CA directory (the CentOS 7 openssl.cnf defaults dir to /etc/pki/CA); index.txt is the certificate database, serial holds the next serial number, and umask 066 makes the CA private key readable only by its owner
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# touch /etc/pki/CA/index.txt
[root@localhost CA]# echo 01 > /etc/pki/CA/serial
[root@localhost CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................+++
......................................................................+++
e is 65537 (0x10001)
# generate the self-signed CA certificate, valid for 10 years; the default openssl.cnf applies the v3_ca extensions, so the certificate carries CA:TRUE
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:root@magedu.org
[root@localhost CA]# cat /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
5. Create a certificate signing request with openssl on CentOS 7 and sign it with the root certificate above
# generate the application's private key
[root@localhost CA]# mkdir /data/app1 # create the application directory
[root@localhost CA]# (umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus
.+++
..................................+++
e is 65537 (0x10001)
[root@localhost CA]# cat /data/app1/app1.key
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
# create the certificate signing request (CSR); under the default policy_match, C, ST and O must equal the CA's values, while L is not part of the policy and is dropped from the issued subject
[root@localhost CA]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:app1@magedu.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# issue the certificate: openssl ca signs the CSR with cakey.pem using /etc/pki/tls/openssl.cnf, records it in index.txt as serial 01 and keeps a copy in newcerts/01.pem; the subject below keeps only the fields the CA policy allows (localityName is dropped)
[root@localhost ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 6 10:01:24 2020 GMT
Not After : Jun 3 10:01:24 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = it
commonName = app1.magedu.org
emailAddress = app1@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
91:A7:F3:0B:E4:C0:77:91:43:6C:AD:6D:CA:69:B6:8B:98:FA:F2:13
X509v3 Authority Key Identifier:
keyid:60:4D:E4:44:B2:42:D6:60:5B:AC:26:24:B8:B5:3D:D8:8A:CA:69:88
Certificate is to be certified until Jun 3 10:01:24 2023 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
6. Revoke the signed certificate
# revoke the certificate through its copy in newcerts/ (named after the serial); this only marks the entry R in index.txt, clients learn of it through the CRL
[root@localhost ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@localhost ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
# generate the certificate revocation list (CRL); crlnumber holds the number of the next CRL and -gencrl increments it
[root@localhost ~]# echo 01 > /etc/pki/CA/crlnumber
[root@localhost ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@localhost ~]# cat /etc/pki/CA/crlnumber
02
[root@localhost ~]# cat /etc/pki/CA/crl.pem
-----BEGIN X509 CRL-----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-----END X509 CRL-----
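Sections 4 to 6 as one script, added as an example and not the page's own commands: a throw-away CA directory with its own openssl.cnf stands in for /etc/pki/CA, so nothing on the system is touched. It assumes only openssl (1.1.1 or 3.x) on PATH; the names are the page's (magedu, ca.magedu.org, app1.magedu.org), while the config section names (lab_ca, server_cert) and the function names (verify_chain, verify_with_crl, cert_status, cert_subject) are this example's own. It goes beyond the page by putting explicit extensions on both certificates and by showing that openssl verify rejects the revoked certificate only when it is given the CRL.

```shell
#!/bin/sh
# Added example, not the page's own commands: sections 4 to 6 in a throw-away CA
# directory with its own openssl.cnf. Assumes only openssl (1.1.1 or 3.x) on PATH.
set -eu

CADIR=$(mktemp -d); CNF="$CADIR/openssl.cnf"
mkdir -p "$CADIR/private" "$CADIR/newcerts" "$CADIR/certs"; chmod 700 "$CADIR/private"
: > "$CADIR/index.txt"        # certificate database (index.txt on the page)
echo 01 > "$CADIR/serial"     # serial of the next certificate
echo 01 > "$CADIR/crlnumber"  # number of the next CRL

cat > "$CNF" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
x509_extensions  = server_cert
# Same rules as the CentOS 7 default: C, ST, O must equal the CA's; L is not
# listed, so it is dropped from issued subjects, as seen in section 5.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:app1.magedu.org
EOF

# Section 4: CA key (owner-readable only) and self-signed root carrying CA:TRUE.
(umask 066; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
openssl req -config "$CNF" -new -x509 -days 3650 -extensions v3_ca \
    -key "$CADIR/private/cakey.pem" -subj "/C=CN/ST=beijing/O=magedu/CN=ca.magedu.org" \
    -out "$CADIR/cacert.pem"

# Section 5: application key and CSR, issued as serial 01 through the CA database.
(umask 066; openssl genrsa -out "$CADIR/app1.key" 2048 2>/dev/null)
openssl req -config "$CNF" -new -key "$CADIR/app1.key" \
    -subj "/C=CN/ST=beijing/L=beijing/O=magedu/OU=it/CN=app1.magedu.org" -out "$CADIR/app1.csr"
openssl ca -config "$CNF" -batch -notext -days 1000 \
    -in "$CADIR/app1.csr" -out "$CADIR/certs/app1.crt" 2>/dev/null

# Chain check only: exit 0 when the certificate chains to cacert.pem.
verify_chain() { openssl verify -CAfile "$CADIR/cacert.pem" "$1" >/dev/null 2>&1; }
# Chain check plus revocation check against our CRL.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$CADIR/cacert.pem" -CRLfile "$CADIR/crl.pem" "$1" >/dev/null 2>&1
}
# Status of a serial in the database: Valid, Revoked or Expired.
cert_status() { openssl ca -config "$CNF" -status "$1" 2>&1 | sed -n "s/^$1=\([A-Za-z]*\).*/\1/p"; }
cert_subject() { openssl x509 -in "$1" -noout -subject; }

CRT="$CADIR/certs/app1.crt"
if verify_chain "$CRT"; then BEFORE=ok; else BEFORE=fail; fi
STATUS_BEFORE=$(cert_status 01)

# Section 6: revoke serial 01 with a reason and publish a CRL; crlnumber moves to 02.
openssl ca -config "$CNF" -revoke "$CADIR/newcerts/01.pem" -crl_reason keyCompromise 2>/dev/null
openssl ca -config "$CNF" -gencrl -out "$CADIR/crl.pem" 2>/dev/null
STATUS_AFTER=$(cert_status 01)
CRLNUMBER=$(cat "$CADIR/crlnumber")
# Revocation is invisible to a verifier that never loads the CRL.
if verify_chain "$CRT"; then CHAIN_AFTER=ok; else CHAIN_AFTER=fail; fi
if verify_with_crl "$CRT"; then WITH_CRL=ok; else WITH_CRL=fail; fi

echo "before: chain=$BEFORE status=$STATUS_BEFORE"
echo "after:  chain=$CHAIN_AFTER status=$STATUS_AFTER crl_check=$WITH_CRL crlnumber=$CRLNUMBER"
cert_subject "$CRT"
```

Run it with sh. The subject it prints has no L field, matching the issued subject in section 5, and the last line shows the point of section 6: after revocation the chain still verifies, and only the CRL-aware check fails. Everything lives under the mktemp directory, which can be deleted afterwards.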