利用gpg实现非对称秘钥加密文件和opensll实现证书创建、申请和颁发

技术文章 1年前 (2020) 完美者
1,079 0

标签:sha   签署证书   unit   rate   public   pre   other   ora   evo   

1、在 CentOS7 中使用 gpg 创建 RSA 非对称密钥

[root@centos7 ~]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg‘ created
gpg: new configuration file `/root/.gnupg/gpg.conf‘ created
gpg: WARNING: options in `/root/.gnupg/gpg.conf‘ are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg‘ created
gpg: keyring `/root/.gnupg/pubring.gpg‘ created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: centos7
Email address: 
Comment: 
You selected this USER-ID:
    "centos7"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

回车后跳出此界面,让给私钥设置密码,若不需要设置密码,可以直接回车(这里选择不设私钥密码)
利用gpg实现非对称秘钥加密文件和opensll实现证书创建、申请和颁发
利用gpg实现非对称秘钥加密文件和opensll实现证书创建、申请和颁发利用gpg实现非对称秘钥加密文件和opensll实现证书创建、申请和颁发利用gpg实现非对称秘钥加密文件和opensll实现证书创建、申请和颁发

上图回车后,会出现下图,让再次确认第一步设置的私钥密码,若第一步没设密码,可直接确定
利用gpg实现非对称秘钥加密文件和opensll实现证书创建、申请和颁发

You don‘t want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

屏幕出现此提示,需要操作键盘,鼠标或是操作硬盘,这里利用硬盘:
利用gpg实现非对称秘钥加密文件和opensll实现证书创建、申请和颁发

提示密钥对创建完成:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4E1CB929 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/4E1CB929 2020-09-05
      Key fingerprint = 8755 E59B D9AE 0670 FC98  736E 7586 4734 4E1C B929
uid                  centos7
sub   1024R/3E3C55A0 2020-09-05
[root@centos7 ~]#cd /root/.gnupg/
[root@centos7 .gnupg]#ll
total 28
-rw-------. 1 root root 7680 Sep  5 20:49 gpg.conf
drwx------. 2 root root    6 Sep  5 20:49 private-keys-v1.d
-rw-------. 1 root root  651 Sep  5 20:52 pubring.gpg    #此文件即为创建的公钥
-rw-------. 1 root root  651 Sep  5 20:52 pubring.gpg~
-rw-------. 1 root root  600 Sep  5 20:52 random_seed
-rw-------. 1 root root 1315 Sep  5 20:52 secring.gpg   #此文件即为创建的私钥
srwxr-xr-x. 1 root root    0 Sep  5 20:51 S.gpg-agent
-rw-------. 1 root root 1280 Sep  5 20:52 trustdb.gpg

生成的私钥和公钥文件无法用cat直接查看,可以用专门工具gpg --list-keys 查看

[root@centos7 .gnupg]#gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/4E1CB929 2020-09-05
uid                  centos7
sub   1024R/3E3C55A0 2020-09-05

2、将 CentOS7 导出的公钥,拷贝到 CentOS8 中,在 CentOS8 中使用 CentOS7 的公钥加密一个文件

在centos8中创建密钥对:

[root@centos8 ~]#gpg --gen-key
gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: centos8
Email address: 
You selected this USER-ID:
    "centos8"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key EC38F466A0A48A7D marked as ultimately trusted
gpg: directory ‘/root/.gnupg/openpgp-revocs.d‘ created
gpg: revocation certificate stored as ‘/root/.gnupg/openpgp-revocs.d/C60C9FA923A67E8C99018836EC38F466A0A48A7D.rev‘
public and secret key created and signed.

pub   rsa2048 2020-09-05 [SC] [expires: 2022-09-05]
      C60C9FA923A67E8C99018836EC38F466A0A48A7D
uid                      centos8
sub   rsa2048 2020-09-05 [E] [expires: 2022-09-05]

[root@centos8 ~]#gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2022-09-05
/root/.gnupg/pubring.kbx

pub   rsa2048 2020-09-05 [SC] [expires: 2022-09-05]
      C60C9FA923A67E8C99018836EC38F466A0A48A7D
uid           [ultimate] centos8
sub   rsa2048 2020-09-05 [E] [expires: 2022-09-05]

导出centos7公钥到centos7.pub.key中

[root@centos7 .gnupg]#gpg -a --export -o centos7.pubkey
[root@centos7 .gnupg]#ll centos7.pubkey 
-rw-r--r--. 1 root root 988 Sep  5 21:40 centos7.pubkey

将公钥传给centos8:

[root@centos7 .gnupg]#scp centos7.pubkey  10.0.0.108:/data/
The authenticity of host ‘10.0.0.108 (10.0.0.108)‘ can‘t be established.
ECDSA key fingerprint is SHA256:/rAdCpILNJSdutMHGVB5hg6dOm/lSJwy3C9W/9Ikgqs.
ECDSA key fingerprint is MD5:24:86:22:b9:db:5b:c9:0c:d5:50:ba:44:98:b5:51:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘10.0.0.108‘ (ECDSA) to the list of known hosts.
root@10.0.0.108‘s password: 
centos7.pubkey                                                                                     100%  988    72.6KB/s   00:00    

在centos8上将centos7的公钥导入:

[root@centos8 ~]#cd /data/
[root@centos8 data]#ls
centos7.pubkey
[root@centos8 data]#gpg --import centos7.pubkey 
gpg: key 758647344E1CB929: public key "centos7" imported
gpg: Total number processed: 1
gpg:               imported: 1
[root@centos8 data]#gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2020-09-05 [SC] [expires: 2022-09-05]
      C60C9FA923A67E8C99018836EC38F466A0A48A7D
uid           [ultimate] centos8
sub   rsa2048 2020-09-05 [E] [expires: 2022-09-05]

pub   rsa1024 2020-09-05 [SC]
      8755E59BD9AE0670FC98736E758647344E1CB929
uid           [ unknown] centos7
sub   rsa1024 2020-09-05 [E]
**创建一个文件并加密:**
[root@centos8 data]#cp -a  /etc/fstab  /data/fstab.bck
[root@centos8 data]#gpg -e -r centos7 fstab.bck
gpg: DD307BF63E3C55A0: There is no assurance this key belongs to the named user
sub  rsa1024/DD307BF63E3C55A0 2020-09-05 centos7
 Primary key fingerprint: 8755 E59B D9AE 0670 FC98  736E 7586 4734 4E1C B929
      Subkey fingerprint: 12F3 8348 BDCC D91B 3C5A  29FE DD30 7BF6 3E3C 55A0

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

[root@centos8 data]#ll
total 12
-rw-r--r--. 1 root root 988 Sep  5 21:51 centos7.pubkey
-rw-r--r--. 1 root root 709 Jul 19 23:34 fstab.bck
-rw-r--r--. 1 root root 610 Sep  5 22:03 fstab.bck.gpg

3、回到 CentOS7 服务器,远程拷贝 file.txt.gpg 文件到本地,使用 CentOS7的私钥解密文件

[root@centos7 data]#scp 10.0.0.108:/data/fstab.bck.gpg  .
root@10.0.0.108‘s password: 
fstab.bck.gpg                        100%  610   485.3KB/s   00:00    
[root@centos7 data]#ls
1.sh  fstab.bck.gpg
[root@centos7 data]#gpg -d fstab.bck.gpg 
gpg: encrypted with 1024-bit RSA key, ID 3E3C55A0, created 2020-09-05
      "centos7"

#
# /etc/fstab
# Created by anaconda on Sun Jul 19 23:34:46 2020
#
# Accessible filesystems, by reference, are maintained under ‘/dev/disk/‘.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run ‘systemctl daemon-reload‘ to update systemd
# units generated from this file.
#
UUID=043eb715-edc8-4559-bbe7-d0fedf3e66c8 /                       xfs     defaults        0 0
UUID=8108ef3d-51fe-4a11-b2f5-f36cbd74eec1 /boot                   ext4    defaults        1 2
UUID=bd795d03-ed01-4a12-b9fa-758a82461fa5 /data                   xfs     defaults        0 0
UUID=a679de7b-df66-4601-bae6-a5873e56ed2f swap                    swap    defaults        0 0
[root@centos7 data]#

上面的解密只是在屏显示,并没有保存文件内容,将解密的文件内容保存用一下命令

[root@centos7 data]#gpg -o fstab.bck -d fstab.bck.gpg 
gpg: encrypted with 1024-bit RSA key, ID 3E3C55A0, created 2020-09-05
      "centos7"
或者
[root@centos7 data]#gpg -d fstab.bck.gpg > fstab.bck

[root@centos7 data]#cat fstab.bck

#
# /etc/fstab
# Created by anaconda on Sun Jul 19 23:34:46 2020
#
# Accessible filesystems, by reference, are maintained under ‘/dev/disk/‘.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run ‘systemctl daemon-reload‘ to update systemd
# units generated from this file.
#
UUID=043eb715-edc8-4559-bbe7-d0fedf3e66c8 /                       xfs     defaults        0 0
UUID=8108ef3d-51fe-4a11-b2f5-f36cbd74eec1 /boot                   ext4    defaults        1 2
UUID=bd795d03-ed01-4a12-b9fa-758a82461fa5 /data                   xfs     defaults        0 0
UUID=a679de7b-df66-4601-bae6-a5873e56ed2f swap                    swap    defaults        0 0

4、在 CentOS7 中使用 openssl 软件创建 CA

创建CA所需要的文件

#生成证书索引数据库文件
touch /etc/pki/CA/index.txt

#指定第一个颁发证书的序列号,十六进制数
echo 01 > /etc/pki/CA/serial

生成CA私钥

[root@centos7 ~]#cd /etc/pki/CA
[root@centos7 CA]#(umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
......................+++
.................................................................................................................................................................+++
e is 65537 (0x10001)
[root@centos7 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
└── private
    └── cakey.pem

4 directories, 2 files

生成自签名证书

[root@centos7 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 36500 -out ./cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server‘s hostname) []:ca.magedu.org
Email Address []:
[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
└── private
    └── cakey.pem

4 directories, 3 files

查看CA证书:

[root@centos7 CA]#openssl x509 -in cacert.pem -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a6:0c:04:c5:47:6f:0c:b4
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=henan, L=zhengzhou, O=magedu, OU=linux, CN=ca.magedu.org
        Validity
            Not Before: Sep  5 15:01:45 2020 GMT
            Not After : Aug 12 15:01:45 2120 GMT
        Subject: C=CN, ST=henan, L=zhengzhou, O=magedu, OU=linux, CN=ca.magedu.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d5:42:45:6c:73:88:0f:69:42:93:e7:02:bd:6f:
                    5b:cc:a9:a9:c4:6a:13:2a:b6:cc:49:41:fb:94:e1:
                    57:5b:fe:b1:af:aa:7c:c8:48:2d:fb:52:e9:45:3b:
                    c8:27:3a:79:dc:3e:da:43:c0:2c:26:93:c6:a9:e2:
                    be:aa:9b:9f:13:3e:fa:12:7a:2e:90:b2:43:a5:bf:
                    a1:59:a7:b1:aa:af:44:74:36:d0:88:4b:d7:35:bf:
                    d2:2e:3c:a3:45:67:e0:64:37:59:52:bc:c1:ac:c8:
                    35:fd:35:c0:13:2f:20:d3:50:3a:92:0d:a0:c2:f8:
                    44:75:6f:4b:c5:dc:27:63:71:a2:65:6d:a4:65:59:
                    85:db:da:2e:32:87:f8:ca:28:b9:5d:dd:20:30:f2:
                    44:66:2d:71:76:59:42:e6:b8:47:38:0e:8c:b9:4a:
                    d0:2c:26:2a:68:1f:83:b0:c1:54:52:9a:f6:27:01:
                    3b:86:4c:88:71:08:73:44:3e:b1:6e:a3:ee:b8:bc:
                    29:7a:7d:d3:59:08:88:2f:a6:d7:92:75:ca:1d:c7:
                    73:f7:eb:d8:c4:8f:9d:cd:f9:9d:37:ba:5e:35:73:
                    5f:ac:cc:65:e9:d1:28:9c:df:71:9c:4c:8b:b8:1b:
                    eb:23:6a:4c:7b:b7:d4:92:80:86:2e:0a:0d:52:1a:
                    c5:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                65:1E:F7:97:6F:F5:06:13:31:E5:63:D3:16:C0:2A:39:64:18:B8:8A
            X509v3 Authority Key Identifier: 
                keyid:65:1E:F7:97:6F:F5:06:13:31:E5:63:D3:16:C0:2A:39:64:18:B8:8A

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         1f:06:28:57:7c:94:03:77:31:44:62:68:15:d3:55:43:4b:ea:
         11:80:7b:2a:71:18:04:d9:87:18:8d:00:22:c1:68:55:97:de:
         23:e8:10:94:a6:15:fe:79:3b:b7:9b:21:d5:17:3b:74:42:49:
         11:cd:e6:ae:cc:65:b1:36:cc:c7:62:fa:38:d4:73:4e:0f:d8:
         75:0b:57:5f:1e:16:a5:2e:47:3c:da:8f:64:d5:92:f6:3d:3e:
         58:ca:1c:27:f3:e3:4d:14:ad:3a:b7:f2:dd:16:eb:2c:c8:0a:
         d7:7e:3a:72:ef:76:aa:2f:1d:f1:f6:e1:93:48:6d:e0:cf:5e:
         5a:60:96:04:4a:1e:ff:67:73:f3:17:cf:3a:33:f2:ca:4c:a1:
         b6:94:63:4f:77:2b:c8:a4:77:f3:27:fc:1c:8c:3a:cc:54:87:
         38:b2:82:41:a6:af:2b:fc:55:83:ca:40:1f:3a:83:8c:b3:45:
         84:b6:30:86:08:99:04:29:43:ed:26:12:f7:d1:db:4d:f7:19:
         4b:49:06:d8:31:80:28:19:f5:24:f5:dd:de:d6:96:1c:25:ed:
         a5:fa:8f:8e:63:c3:25:85:69:12:0a:58:13:b2:18:86:4f:e8:
         e1:44:c6:79:4e:0e:59:c0:26:1d:2d:1e:5f:2f:f2:f7:1c:b7:
         ea:c6:ce:82

5、 在 CentOS7 中使用 openssl 软件创建一个证书申请请求文件,并使用上面的跟证书对其进行签署

为需要申请证书的主机生成私钥

[root@centos7 tmp]#(umask 066; openssl genrsa -out   /tmp/homework.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................................................................................+++
......+++
e is 65537 (0x10001)
[root@centos7 tmp]#ls
homework.key

利用私钥为需要使用证书的主机生成证书申请文件

[root@centos7 tmp]#openssl req -new -key /tmp/homework.key -out /tmp/homework.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN 
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server‘s hostname) []:ca.magedu.org
Email Address []:

Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7 tmp]#ls
homework.csr  homework.key
[root@centos7 tmp]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
└── private
    └── cakey.pem

4 directories, 3 files

缺少/etc/pki/CA/serial文件

[root@centos7 tmp]#echo 01 > /etc/pki/CA/serial
[root@centos7 tmp]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│?? └── cakey.pem
└── serial

4 directories, 4 files

在CA签署证书并将证书颁发给请求者

[root@centos7 tmp]#openssl ca -in /tmp/homework.csr  -out   /etc/pki/CA/certs/homework.crt 
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  5 15:44:11 2020 GMT
            Not After : Sep  5 15:44:11 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = magedu
            organizationalUnitName    = devops
            commonName                = ca.magedu.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                E8:12:A8:32:D1:FC:77:B1:9F:C3:29:7E:11:9D:77:D6:42:9D:98:A3
            X509v3 Authority Key Identifier: 
                keyid:65:1E:F7:97:6F:F5:06:13:31:E5:63:D3:16:C0:2A:39:64:18:B8:8A

Certificate is to be certified until Sep  5 15:44:11 2021 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6、吊销已经签署成功的证书

[root@centos7 tmp]#cat /etc/pki/CA/index.txt
V   210905154411Z       01  unknown /C=CN/ST=henan/O=magedu/OU=devops/CN=ca.magedu.org

[root@centos7 tmp]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos7 tmp]#cat /etc/pki/CA/index.txt
R   210905154411Z   200905155431Z   01  unknown /C=CN/ST=henan/O=magedu/OU=devops/CN=ca.magedu.org

生成吊销列表文件
注意:第一次更新证书吊销列表前,才需要执行此步骤

[root@centos7 tmp]#echo 01 > /etc/pki/CA/crlnumber

更新证书吊销列表:

[root@centos7 tmp]#openssl ca -gencrl -out /etc/pki/CA/crl.pem

查看crl文件:

root@centos7 tmp]#openssl crl -in /etc/pki/CA/crl.pem -noout -text

利用gpg实现非对称秘钥加密文件和opensll实现证书创建、申请和颁发

标签:sha   签署证书   unit   rate   public   pre   other   ora   evo   

原文地址:https://blog.51cto.com/14886394/2529115

暂无评论

暂无评论...