Key generation and use

Hosts: centos7 (10.0.0.129) and centos8 (10.0.0.134)

1. Create an RSA asymmetric key pair with gpg on CentOS 7

[root@centos7 .gnupg]# pwd
/root/.gnupg
[20:13:49 root@centos7 .gnupg]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: centos7
Email address: 
Comment: 
You selected this USER-ID:
    "centos7"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

Then confirm the remaining prompts and wait.

You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

You can also open another terminal and run dd if=/dev/sda of=/dev/null to speed this up a little.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key ED9A35BF marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/ED9A35BF 2020-09-05
      Key fingerprint = 80C7 D7BB 8523 5048 0CAD  76B2 F49D 6195 ED9A 35BF
uid                  centos7
sub   1024R/333C6E28 2020-09-05

Done.

[20:18:23 root@centos7 .gnupg]#gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/ED9A35BF 2020-09-05
uid                  centos7
sub   1024R/333C6E28 2020-09-05


2. Copy the public key exported from CentOS 7 to CentOS 8, and encrypt a file on CentOS 8 with the CentOS 7 public key

Export the public key

[20:19:55 root@centos7 .gnupg]#gpg -a --export -o centos7.1.pubkey 
File `centos7.1.pubkey' exists. Overwrite? (y/N) y

Transfer it to centos8

[20:40:28 root@centos7 .gnupg]#ll centos7.1.pubkey 
-rw-r--r-- 1 root root 988 Sep  5 20:38 centos7.1.pubkey
[20:40:40 root@centos7 .gnupg]#scp centos7.1.pubkey 10.0.0.134:/data/
root@10.0.0.134's password: 
centos7.1.pubkey                                                                                 100%  988   706.7KB/s   00:00    

Generate a key pair on centos8

[root@centos8 data]# gpg --gen-key
gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: centos8
Email address: 
You selected this USER-ID:
    "centos8"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key F16FF024F9A2F8E4 marked as ultimately trusted
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/79D4C1B1834C68B2B515042BF16FF024F9A2F8E4.rev'
public and secret key created and signed.

pub   rsa2048 2020-09-05 [SC] [expires: 2022-09-05]
      79D4C1B1834C68B2B515042BF16FF024F9A2F8E4
uid                      centos8
sub   rsa2048 2020-09-05 [E] [expires: 2022-09-05]

Import the key sent over from centos7

[root@centos8 data]# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2020-09-05 [SC] [expires: 2022-09-05]
      79D4C1B1834C68B2B515042BF16FF024F9A2F8E4
uid           [ultimate] centos8
sub   rsa2048 2020-09-05 [E] [expires: 2022-09-05]

[root@centos8 data]# gpg --import /data/centos7.1.pubkey 
gpg: key F49D6195ED9A35BF: public key "centos7" imported
gpg: Total number processed: 1
gpg:               imported: 1
[root@centos8 data]# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2020-09-05 [SC] [expires: 2022-09-05]
      79D4C1B1834C68B2B515042BF16FF024F9A2F8E4
uid           [ultimate] centos8
sub   rsa2048 2020-09-05 [E] [expires: 2022-09-05]

pub   rsa1024 2020-09-05 [SC]
      80C7D7BB852350480CAD76B2F49D6195ED9A35BF
uid           [ unknown] centos7
sub   rsa1024 2020-09-05 [E]

Encrypt the file

[root@centos8 data]# gpg -e -r centos7 issue.txt 
gpg: 35914998333C6E28: There is no assurance this key belongs to the named user
sub  rsa1024/35914998333C6E28 2020-09-05 centos7
 Primary key fingerprint: 80C7 D7BB 8523 5048 0CAD  76B2 F49D 6195 ED9A 35BF
      Subkey fingerprint: 109B 6EB5 4E69 9BA0 3FCE  0753 3591 4998 333C 6E28

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

3. Back on the CentOS 7 server, copy the file.txt.gpg file over from the remote host and decrypt it with the CentOS 7 private key

[root@centos8 data]# scp issue.txt.gpg 10.0.0.129:/data/
root@10.0.0.129's password: 
issue.txt.gpg                                                                                    100%  235   198.6KB/s   00:00    
[20:54:25 root@centos7 data]#ls
hello.sh  issue.txt.gpg  script1
[20:54:26 root@centos7 data]#cat issue.txt.gpg 
(binary ciphertext, not shown)
[20:54:32 root@centos7 data]#

Decrypt it directly with -d

[20:54:34 root@centos7 data]#gpg -d issue.txt.gpg 
gpg: encrypted with 1024-bit RSA key, ID 333C6E28, created 2020-09-05
      "centos7"
\S
Kernel \r on an \m


4. Create a CA with openssl on CentOS 7

First prepare the empty directories and files the CA needs

touch /etc/pki/CA/index.txt

echo 01 > /etc/pki/CA/serial

Create the CA's private key

[20:56:35 root@centos7 data]#cd /etc/pki/CA/
[21:00:08 root@centos7 CA]#ls
certs  crl  newcerts  private
[21:00:09 root@centos7 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..+++
............................+++
e is 65537 (0x10001)
[21:01:10 root@centos7 CA]#

Create the self-signed certificate

[21:07:54 root@centos7 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhumadian
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.zty.org
Email Address []:

5. Create a certificate signing request with openssl on CentOS 7 and sign it with the root certificate created above

[14:35:21 root@centos7 data]#(umask 066; openssl genrsa -out test.key 1024)
Generating RSA private key, 1024 bit long modulus
....................................................................++++++
..............................++++++
e is 65537 (0x10001)
[14:36:00 root@centos7 data]#openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhumadian
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.zzttyy.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[14:39:14 root@centos7 data]#ls
hello.sh  issue.txt.gpg  script1  test.csr  test.key
[14:39:17 root@centos7 data]#
[14:45:35 root@centos7 data]#openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 300
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  6 06:45:40 2020 GMT
            Not After : Jul  3 06:45:40 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = magedu
            organizationalUnitName    = devops
            commonName                = www.zzttyy.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                8A:1D:AD:4B:B1:D5:F8:B5:45:9C:77:5C:E2:6E:92:BE:89:46:19:0C
            X509v3 Authority Key Identifier: 
                keyid:8F:21:36:52:4F:12:3A:DC:D5:47:16:30:8B:64:E1:1E:FD:D8:61:C1

Certificate is to be certified until Jul  3 06:45:40 2021 GMT (300 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[14:45:45 root@centos7 data]#

6. Revoke a certificate that has been signed


[14:51:46 root@centos7 CA]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[14:52:12 root@centos7 CA]#cat index.txt
R    210703064540Z    200906065212Z    01    unknown    /C=CN/ST=henan/O=magedu/OU=devops/CN=www.zzttyy.org

Regenerate the certificate revocation list

[14:57:44 root@centos7 CA]#echo 01 > /etc/pki/CA/crlnumber
[14:58:01 root@centos7 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

View it

[14:58:03 root@centos7 CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=henan/L=zhumadian/O=magedu/OU=it/CN=ca.zty.org
        Last Update: Sep  6 06:58:03 2020 GMT
        Next Update: Oct  6 06:58:03 2020 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep  6 06:52:12 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
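Steps 4 to 6 again as an added example (not the post's own commands), rebuilt in a throwaway CA directory with a minimal openssl.cnf instead of /etc/pki/CA and /etc/pki/tls/openssl.cnf, and finished with the check the post never makes: verifying the signed certificate against the CRL before and after revocation. The directory layout, the config section names, the 2048-bit leaf key and the function names are assumptions; the policy mirrors the stock one, so localityName is dropped from the signed subject exactly as in the post's output.

```shell
#!/bin/bash
# Added example (not the post's commands): steps 4-6 in a throwaway CA dir, then the leaf is checked against the CRL.
set -eu
ca_cmd() { local d=$1; shift; openssl ca -config "$d/openssl.cnf" "$@" >/dev/null 2>&1; }
cert_status() {   # $1 = CA dir, $2 = cert; prints valid, revoked or invalid
  local out
  if out=$(openssl verify -CAfile "$1/cacert.pem" -crl_check -CRLfile "$1/crl.pem" "$2" 2>&1); then echo valid
  else case $out in *"certificate revoked"*) echo revoked ;; *) echo invalid ;; esac; fi
}
ca_demo() {   # prints the leaf's status before and after revocation: "valid revoked"
  local d; d=$(mktemp -d)   # stands in for /etc/pki/CA
  mkdir -p "$d/newcerts" "$d/private"; touch "$d/index.txt"; echo 01 > "$d/serial"
  cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = demo_policy
[ demo_policy ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  (umask 066; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null)   # step 4: CA key
  openssl req -new -x509 -config "$d/openssl.cnf" -key "$d/private/cakey.pem" -days 3650 \
    -addext basicConstraints=critical,CA:TRUE -out "$d/cacert.pem" \
    -subj /C=CN/ST=henan/L=zhumadian/O=magedu/OU=it/CN=ca.zty.org
  ca_cmd "$d" -gencrl -crldays 30 -out "$d/crl.pem"        # publish an (empty) CRL from day one
  openssl genrsa -out "$d/test.key" 2048 2>/dev/null       # step 5: CSR, signed for 300 days
  openssl req -new -config "$d/openssl.cnf" -key "$d/test.key" -out "$d/test.csr" \
    -subj /C=CN/ST=henan/L=zhumadian/O=magedu/OU=devops/CN=www.zzttyy.org
  ca_cmd "$d" -batch -in "$d/test.csr" -out "$d/test.crt" -days 300
  local before; before=$(cert_status "$d" "$d/test.crt")
  ca_cmd "$d" -revoke "$d/newcerts/01.pem"                 # step 6: revoke, then regenerate the CRL
  ca_cmd "$d" -gencrl -crldays 30 -out "$d/crl.pem"
  echo "$before $(cert_status "$d" "$d/test.crt")"; rm -rf "$d"
}
ca_demo   # prints: valid revoked
```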


Posted 2020-09-06 15:04 by 养了27年的狗