Exercise Summary

1. Create an RSA asymmetric key pair with gpg on CentOS 7

Note: the transcript overrides the 2048-bit default with 1024 bits and sets no expiry. 1024-bit RSA is below current minimums, so keep the default or pick a larger size; an expiry date also limits the damage if the private key is ever lost.

[root@centos7 ~]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Cenots7
Email address: 123@mail.com
Comment:
You selected this USER-ID:
    "Cenots7 <123@mail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key D1D51883 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/D1D51883 2020-09-06
      Key fingerprint = F46E 8D47 61D1 DCC4 D79A  8C51 2A75 2E9F D1D5 1883
uid                  Cenots7 <123@mail.com>
sub   1024R/E46F709F 2020-09-06

[root@centos7 ~]#

2. Copy the public key exported from CentOS 7 to CentOS 8 and use it there to encrypt a file

Note: gpg --export with no key ID or user ID exports every public key in the keyring; name the key to export only the one you mean. The key imported below ("centos", rsa2048, fingerprint ending C8EA 44DE) is not the 1024-bit key created in step 1 (D1D5 1883); the two transcripts were captured in different sessions. The "There is no assurance this key belongs to the named user" prompt means the imported key is unverified: compare the fingerprint shown on CentOS 7 with the one printed here over a separate channel before answering y.

[root@centos7 ~]#gpg -a --export -o centos.pubkey
[root@centos7 ~]#scp centos.pubkey 10.0.0.8:/data/
root@10.0.0.8's password: 
centos.pubkey                                            100% 1683     1.4MB/s   00:00    

[root@centos8 data]#ls
centos.pubkey

[root@centos8 data]#echo linux > file.txt

[root@centos8 data]#gpg --import centos.pubkey 
gpg: key EF649FA5C8EA44DE: public key "centos" imported
gpg: Total number processed: 1
gpg:               imported: 1

[root@centos8 data]#gpg --list-key
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2020-09-05 [SC]
      3DE2C6AFB0B50D8279F8770CEF649FA5C8EA44DE
uid           [ unknown] centos
sub   rsa2048 2020-09-05 [E]

[root@centos8 data]#gpg -e -r centos file.txt
gpg: 8314610013943D46: There is no assurance this key belongs to the named user
sub  rsa2048/8314610013943D46 2020-09-05 centos
 Primary key fingerprint: 3DE2 C6AF B0B5 0D82 79F8  770C EF64 9FA5 C8EA 44DE
      Subkey fingerprint: E190 BD7D CFF2 4D26 8206  CF0E 8314 6100 1394 3D46

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

[root@centos8 data]#ls
centos.pubkey  file.txt  file.txt.gpg

3. Back on the CentOS 7 server, copy file.txt.gpg over and decrypt it with CentOS 7's private key

[root@centos7 ~]#scp 10.0.0.8:/data/file.txt.gpg /data/
root@10.0.0.8's password: 
file.txt.gpg                                             100%  346   225.7KB/s   00:00    

[root@centos7 data]#ls
file.txt.gpg

[root@centos7 data]#gpg -o file.txt -d file.txt.gpg 

You need a passphrase to unlock the secret key for
user: "centos"
2048-bit RSA key, ID 13943D46, created 2020-09-05 (main key ID C8EA44DE)

gpg: encrypted with 2048-bit RSA key, ID 13943D46, created 2020-09-05
      "centos"
[root@centos7 data]#cat file.txt
linux

4. Build a CA with openssl on CentOS 7

Note: the CA key is generated under umask 066 so that only root can read it. The self-signed root below carries only Basic Constraints CA:TRUE; a production CA profile would also set keyUsage to keyCertSign and cRLSign.

[root@centos7 pki]#cd /etc/pki/CA/
[root@centos7 CA]#ls
certs  crl  newcerts  private

[root@centos7 CA]#touch index.txt
[root@centos7 CA]#echo 01 > serial
[root@centos7 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial

4 directories, 2 files

[root@centos7 CA]#(umask 066; openssl genrsa -out private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....................................................................++
.++
e is 65537 (0x10001)

[root@centos7 CA]#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:M42
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:            

[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files

[root@centos7 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            93:cc:7f:8a:ad:90:9a:61
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=bj, L=bj, O=magedu, OU=M42, CN=ca.magedu.com
        Validity
            Not Before: Sep  5 11:49:19 2020 GMT
            Not After : Sep  3 11:49:19 2030 GMT
        Subject: C=CN, ST=bj, L=bj, O=magedu, OU=M42, CN=ca.magedu.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:9c:e8:9a:c9:2d:4d:52:78:68:0d:3f:b2:d9:21:
                    d6:eb:9e:1d:25:02:4e:f2:3d:dc:a5:a7:dc:6f:70:
                    e2:aa:37:1e:44:41:28:60:d5:7c:ae:2c:8d:55:95:
                    86:05:4d:db:a5:ad:a2:fb:66:b0:ff:e4:20:72:ab:
                    b6:b4:2b:ae:1d:d9:ff:97:6a:3b:58:48:a8:31:51:
                    b5:46:67:c3:7d:f9:4e:41:ea:a8:b0:08:91:4c:4b:
                    88:9c:8d:38:9c:c0:ce:c1:51:7b:5e:5d:a2:f7:ba:
                    61:7d:85:51:a4:e9:b2:cf:84:8b:36:b0:10:10:b9:
                    37:ee:51:1e:1e:b7:b0:31:68:4b:c7:dc:93:37:8a:
                    76:e3:66:86:d8:f7:f1:55:b6:d6:63:5b:c2:44:71:
                    f5:c6:6e:b5:c3:ea:5a:f9:19:04:8a:44:2a:0a:ea:
                    0f:ff:3b:2d:a0:61:fe:7c:c3:45:18:16:05:44:8c:
                    90:fc:6f:fc:9a:ae:b3:16:3a:01:44:4b:4b:95:83:
                    56:89:72:02:17:1a:be:31:9c:75:ce:42:f3:c3:d9:
                    b1:ab:e4:26:4f:ff:30:ce:5c:0b:de:f8:12:63:5d:
                    5f:29:47:61:3c:db:a3:c4:37:4f:64:0f:8d:94:9b:
                    bb:17:56:2f:b4:8d:b2:a0:5f:ca:cc:81:90:58:d4:
                    08:c7:82:36:f0:f4:60:bc:e3:5d:c7:48:a0:0c:b5:
                    23:a3:90:f1:44:c8:80:99:20:26:9e:4c:d7:0b:bf:
                    85:e5:e5:93:fd:da:ae:39:b2:ff:f2:2f:e6:fd:87:
                    07:27:31:79:63:ac:a1:4c:9d:b0:30:7a:1f:70:b9:
                    a1:ca:b6:3f:e3:4b:01:6d:71:c2:b4:3a:71:0b:94:
                    33:78:20:85:ec:9b:2d:18:25:73:0e:b0:2f:57:a9:
                    96:9f:5e:45:e7:36:4b:8f:76:82:89:8f:72:13:12:
                    1b:c4:80:06:92:52:f5:cd:2c:4a:cb:bc:e4:d5:04:
                    39:a6:8a:2c:90:ae:a3:a3:8b:5b:2b:79:69:bc:5a:
                    55:67:7f:40:ed:65:46:b9:be:ad:32:08:24:14:ea:
                    a9:0f:4b:78:71:2f:48:ba:d3:d0:fd:1b:56:16:da:
                    1e:8d:48:bb:9b:8d:29:ea:b9:81:86:c5:26:46:c8:
                    f3:d3:d3:21:19:2c:08:dd:3c:f5:49:c2:cd:34:7a:
                    7c:58:57:8e:04:74:48:4f:17:9f:1b:c1:6c:c4:7f:
                    b8:ec:fa:00:8c:6e:e6:6d:9d:54:69:16:aa:53:6d:
                    f9:4e:2a:31:60:07:bd:98:f9:42:ad:f0:d9:21:0a:
                    d9:a6:d3:e8:0e:6e:97:7f:ab:67:13:f1:e2:7c:aa:
                    3f:4f:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                80:AA:D3:C7:05:37:57:44:2E:7E:26:19:7A:76:02:47:F6:47:FD:6C
            X509v3 Authority Key Identifier: 
                keyid:80:AA:D3:C7:05:37:57:44:2E:7E:26:19:7A:76:02:47:F6:47:FD:6C

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         60:67:2f:a8:6d:15:3d:d2:5b:21:0e:e0:80:02:35:6e:40:4a:
         85:a2:31:26:6c:e0:8b:0d:10:53:b8:4c:25:46:78:dd:e6:41:
         03:dd:b1:91:1a:96:56:3a:bf:0b:8c:16:98:b8:21:44:71:a2:
         5c:5d:49:55:34:cb:74:58:84:21:ba:ea:75:d7:4c:f5:f1:d7:
         76:a2:53:56:26:1b:88:dc:b7:4b:28:18:34:9b:4c:56:dc:ed:
         a9:e4:2a:33:dd:93:09:c6:43:bf:67:22:7a:7b:fe:a5:21:1c:
         71:67:75:83:64:62:7f:b3:d0:2d:4f:ab:42:f8:95:91:01:fe:
         71:77:36:9d:37:12:ef:39:93:f9:56:68:da:69:09:9a:50:f1:
         87:af:ab:5b:37:39:7a:27:69:98:a6:c5:c2:61:17:1c:b7:fe:
         fe:b6:5e:e9:10:fb:34:fa:55:72:88:ff:20:6e:40:fd:ba:d7:
         7f:56:f9:8b:4d:cd:96:85:2a:6c:88:51:d5:f6:a3:70:b9:a2:
         9f:fd:a1:6d:57:48:00:dc:cd:fe:e0:31:d7:67:2b:ce:88:b1:
         4c:dd:49:ef:03:f3:9e:1e:b9:be:73:82:7c:aa:a2:06:d6:48:
         66:7a:da:84:df:bb:03:9b:41:b3:1b:f2:12:7d:75:a6:12:7f:
         b8:f6:58:06:e0:f1:94:6c:ab:42:c6:d5:98:f1:03:3e:5e:14:
         a8:f3:ad:c5:37:df:fe:21:24:62:d4:21:86:d9:0a:ea:d4:07:
         49:b6:82:a6:67:70:7e:f4:7f:ed:f9:1d:07:86:41:48:3f:e1:
         a9:e0:07:fe:63:5a:eb:fd:92:c7:16:d2:d0:3f:15:98:57:03:
         f2:cc:0b:58:5f:00:19:c3:4e:df:40:d7:07:10:de:f5:5c:a9:
         73:c2:83:03:78:31:92:68:5a:8d:7b:d8:00:8f:99:39:ec:0f:
         19:5f:7a:ae:c6:85:e5:2c:12:f7:ed:4a:f4:20:b9:15:48:b9:
         cc:c0:f2:1c:1c:31:3d:82:38:f2:b7:e0:02:94:c2:de:ba:70:
         bb:6e:94:d9:58:5a:24:2d:17:44:2b:cf:ac:f4:e5:b2:ca:e4:
         7a:2b:af:c2:6a:70:53:34:91:ae:12:66:12:8b:fa:21:03:4d:
         18:5f:71:67:f0:04:cc:27:1a:b6:3d:61:cc:e0:b8:fb:14:05:
         a6:26:f9:44:95:7a:d4:0e:32:fb:5e:38:ea:52:6f:f5:dc:8e:
         25:22:c7:e7:94:22:5f:d2:1c:ac:05:d6:30:68:6f:ee:a3:96:
         72:c3:09:52:88:c1:4a:d8:30:3b:05:80:cd:ad:89:7e:89:a8:
         80:d3:bf:76:59:21:40:4e

5. Create a certificate signing request with openssl on CentOS 7 and sign it with the root certificate above

Note: the application key below is 1024-bit RSA, which is no longer considered secure; use 2048 bits or more. The request also carries no subjectAltName, and current browsers match the host name against the SAN rather than the Common Name.

[root@centos7 CA]#mkdir /data/app
[root@centos7 CA]#(umask 066; openssl genrsa -out /data/app/app.key 1024)
Generating RSA private key, 1024 bit long modulus
....++++++
.................................++++++
e is 65537 (0x10001)

[root@centos7 CA]#openssl req -new -key /data/app/app.key -out /data/app/app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:app
Common Name (eg, your name or your server's hostname) []:app.magedu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@centos7 CA]#openssl ca -in /data/app/app.csr -out /etc/pki/CA/app.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  5 11:59:03 2020 GMT
            Not After : Sep  5 11:59:03 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = bj
            localityName              = bj
            organizationName          = magedu
            organizationalUnitName    = app
            commonName                = app.magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                9B:DD:AE:3A:59:B7:8E:1D:70:65:17:86:18:5C:46:D7:B0:2E:E1:81
            X509v3 Authority Key Identifier: 
                keyid:80:AA:D3:C7:05:37:57:44:2E:7E:26:19:7A:76:02:47:F6:47:FD:6C

Certificate is to be certified until Sep  5 11:59:03 2021 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@centos7 CA]#tree
.
├── app.crt
├── app.csr
├── cacert.pem
├── certs
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files

[root@centos7 CA]#openssl x509 -in app.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=bj, L=bj, O=magedu, OU=M42, CN=ca.magedu.com
        Validity
            Not Before: Sep  5 11:59:03 2020 GMT
            Not After : Sep  5 11:59:03 2021 GMT
        Subject: C=CN, ST=bj, L=bj, O=magedu, OU=app, CN=app.magedu.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ad:0c:b4:cc:e1:e2:63:cb:ff:c4:25:47:26:1c:
                    d3:e6:ce:03:94:ae:61:38:d1:d8:ac:cf:f4:16:60:
                    cd:e9:8c:b3:43:25:a3:2e:de:26:92:33:a6:eb:53:
                    ea:13:61:df:0a:62:76:2c:46:35:37:04:de:a4:f9:
                    cc:58:20:fe:86:fd:97:b7:54:61:1f:32:86:e4:c6:
                    47:0d:1f:fa:0a:55:47:b1:2d:ea:52:15:40:e7:c7:
                    5d:a5:ab:93:97:4c:98:9d:b6:e9:f2:af:1e:95:4c:
                    67:69:58:4c:e5:a9:01:22:78:5c:14:9c:5f:aa:93:
                    ff:27:f8:79:b5:69:e9:6e:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                9B:DD:AE:3A:59:B7:8E:1D:70:65:17:86:18:5C:46:D7:B0:2E:E1:81
            X509v3 Authority Key Identifier: 
                keyid:80:AA:D3:C7:05:37:57:44:2E:7E:26:19:7A:76:02:47:F6:47:FD:6C

    Signature Algorithm: sha256WithRSAEncryption
         78:db:3c:9d:bc:60:f2:0b:2a:b7:ec:7c:c9:95:e0:e6:ef:5c:
         b8:67:f2:62:81:b9:22:fb:33:19:12:4e:66:2c:96:4d:6e:79:
         a9:d5:fd:c0:34:d9:b1:9c:82:0a:79:77:fc:d0:a6:cd:f9:88:
         b7:6a:77:e2:a1:33:1d:94:3c:37:4c:d7:4c:cd:ae:79:a6:c9:
         6f:4b:d3:70:c6:5c:19:8f:38:68:f2:13:7b:56:42:a0:fd:01:
         85:23:64:b3:48:e1:6f:2d:ab:ea:b4:67:ab:1a:94:47:e1:ca:
         47:77:55:e8:e3:fb:a7:4c:02:56:e5:8c:03:0d:a0:d1:2b:c8:
         27:e7:8e:c4:26:9b:fb:43:38:df:2b:5b:c5:81:65:87:f5:4a:
         5a:43:ca:e3:ee:64:83:20:37:2f:5d:6e:e3:e0:5b:c0:9c:d8:
         bb:04:49:3e:95:2c:30:f5:0e:03:b1:ab:bb:70:7d:17:22:1a:
         a0:1c:f1:62:4f:f5:f4:df:f4:09:90:6e:41:9d:f3:e6:6d:45:
         e6:9a:14:f3:65:71:13:2a:44:84:71:71:c2:d8:3d:45:f1:37:
         33:3c:d0:4f:55:9e:1e:8e:db:98:e5:58:23:90:95:d3:00:ae:
         e2:de:81:e5:2f:49:d0:2b:a1:fe:51:12:31:56:12:6c:9e:9d:
         68:f5:1f:e3:d1:64:08:29:bb:de:01:9e:94:67:f0:57:3e:8c:
         6c:99:b0:f8:44:b9:97:c7:d6:6b:84:36:fb:16:97:fe:b2:09:
         e3:ea:e8:44:cd:86:17:b5:1e:3b:7b:3d:39:b5:41:38:4a:e5:
         da:22:fb:76:b3:d6:93:f7:0a:ab:2f:5a:cf:8c:72:ef:0c:04:
         a6:8a:76:73:c7:41:62:83:be:6a:a8:30:42:ec:54:d5:25:48:
         27:e9:90:0a:4a:43:c1:53:54:e5:c3:a0:a2:39:eb:bf:9d:06:
         a5:60:ff:06:b2:d0:8d:51:38:8b:a1:ba:96:d8:9e:3c:95:55:
         30:d5:df:b5:3a:66:26:a1:30:77:a8:1b:72:bb:23:93:de:30:
         ba:f1:f4:56:a5:39:76:22:d0:e2:f0:9b:aa:ac:7b:63:a8:dd:
         8e:9b:d1:60:77:99:fe:5e:c5:95:d4:f9:1c:a3:75:28:58:db:
         16:de:fc:dc:ad:be:0a:97:6a:85:38:d1:a2:30:ab:7c:cd:3b:
         41:72:02:0f:9e:a3:51:f1:2d:10:64:44:d0:df:77:f0:a5:e9:
         d9:23:32:62:51:9a:ea:28:03:59:e1:81:f0:d4:3e:0a:e4:be:
         f6:eb:55:65:a5:66:7f:af:6f:e0:94:30:b8:22:c9:94:1d:a3:
         a1:e1:e6:97:20:7b:8d:0a

6. Revoke the issued certificate

Note: revocation only changes the certificate's status in the CA's index.txt. Relying parties learn of it only once a CRL is generated and published (or an OCSP responder serves it); the transcript stops before that step.

[root@centos7 CA]#cat index.txt
V   210905115903Z       01  unknown /C=CN/ST=bj/L=bj/O=magedu/OU=app/CN=app.magedu.com

[root@centos7 CA]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

[root@centos7 CA]#openssl ca -revoke newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

[root@centos7 CA]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
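The CA workflow of sections 4, 5 and 6 as one script, with the steps the transcripts leave out: a keyUsage on the root, a subjectAltName in the request, and a CRL generated after revocation. This is an added example, not code from the original page. It writes its own minimal openssl.cnf so it runs on any host with openssl (the page relies on /etc/pki/tls/openssl.cnf and /etc/pki/CA, which exist only on CentOS/RHEL); the CA directory passed as the first argument, the section names in that config and the shortened subject /C=CN/O=magedu are choices of this example, while ca.magedu.com, app.magedu.com and the 4096/365/3650 values are the page's.

```shell
# Added example (not from the original page): sections 4-6 with a self-contained
# openssl.cnf. Directory layout under $1, config section names and the shortened
# subject are assumptions of this example.
set -eu

# Section 4: CA directory layout plus the [ca] configuration that `openssl ca`
# reads (the page took it from /etc/pki/tls/openssl.cnf).
make_ca() {   # $1 = CA directory
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
  chmod 700 "$1/private"
  : > "$1/index.txt"          # certificate database, read by `openssl ca -status`
  echo 01 > "$1/serial"       # next certificate serial number
  echo 01 > "$1/crlnumber"    # next CRL number; -gencrl needs it, the page never made one
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_demo
x509_extensions  = leaf_ext
copy_extensions  = copy
[ policy_demo ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
  # CA key (4096 bits as on the page) and self-signed root; -subj replaces the
  # DN prompts, ca_ext adds the keyUsage the page's root certificate lacks.
  (umask 077; openssl genrsa -out "$1/private/cakey.pem" 4096 2>/dev/null)
  openssl req -new -x509 -sha256 -days 3650 -key "$1/private/cakey.pem" \
      -config "$1/openssl.cnf" -extensions ca_ext \
      -subj "/C=CN/O=magedu/CN=ca.magedu.com" -out "$1/cacert.pem"
  openssl ca -batch -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl"  # empty CRL
}
# Section 5: leaf key, CSR and signing. The CSR carries a subjectAltName
# (clients match the SAN, not the CN); copy_extensions=copy keeps it in the cert.
issue_cert() {   # $1 = CA directory, $2 = host name
  (umask 077; openssl genrsa -out "$1/certs/$2.key" 2048 2>/dev/null)
  printf '[req]\ndistinguished_name=dn\n[dn]\n[san]\nsubjectAltName=DNS:%s\n' "$2" \
      > "$1/certs/$2.cnf"
  openssl req -new -sha256 -key "$1/certs/$2.key" -config "$1/certs/$2.cnf" \
      -reqexts san -subj "/C=CN/O=magedu/CN=$2" -out "$1/certs/$2.csr"
  openssl ca -batch -config "$1/openssl.cnf" -in "$1/certs/$2.csr" \
      -out "$1/certs/$2.crt" -days 365 -notext
}
# Status of a serial in the CA database: V (valid) or R (revoked).
cert_status() {   # $1 = CA directory, $2 = serial, e.g. 01
  awk -F'\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"
}
# Chain validation against the root only; prints OK or FAIL.
verify_plain() {   # $1 = CA directory, $2 = host name
  if openssl verify -CAfile "$1/cacert.pem" "$1/certs/$2.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
# The same validation with the CA's CRL consulted; prints OK or FAIL.
verify_with_crl() {   # $1 = CA directory, $2 = host name
  if openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl/ca.crl" \
        "$1/certs/$2.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
# Section 6: revoke and immediately publish a new CRL. Until a CRL (or OCSP
# response) carries the revocation, only the CA's index.txt knows about it.
revoke_cert() {   # $1 = CA directory, $2 = host name
  openssl ca -batch -config "$1/openssl.cnf" -revoke "$1/certs/$2.crt" -crl_reason keyCompromise
  openssl ca -batch -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl"
}

demo() {
  ca="$(mktemp -d)"
  make_ca "$ca"
  issue_cert "$ca" app.magedu.com
  echo "issued:  status=$(cert_status "$ca" 01) verify=$(verify_plain "$ca" app.magedu.com)"
  revoke_cert "$ca" app.magedu.com
  echo "revoked: status=$(cert_status "$ca" 01) verify=$(verify_plain "$ca" app.magedu.com) verify_with_crl=$(verify_with_crl "$ca" app.magedu.com)"
}
demo
```

The last line of output is the point of section 6: after revocation, plain chain validation still says OK, and only a validator that checks the freshly published CRL rejects the certificate.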