1. Create an RSA asymmetric key pair with gpg on CentOS7

[root@centos7 ~]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: dawn@magedu.com
Email address: dawn@magedu.com
Comment: rsa test
You selected this USER-ID:
    "dawn@magedu.com (rsa test) <dawn@magedu.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

At this point gpg reports that it needs random bytes to create the key. Open a second shell window and generate heavy disk read/write activity until the key has been created; the dd command can be used for this.

# In the new shell window
[root@centos7 ~]#dd if=/dev/zero of=/root/test bs=1024 count=10240000
10240000+0 records in
10240000+0 records out
10485760000 bytes (10 GB) copied, 41.7266 s, 251 MB/s
[root@centos7 ~]#rm -rf test

If the key-created message still has not appeared, run the dd command above a few more times until the message below shows up.

# Back in the original shell window, check that the following output has appeared
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 2F970791 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/2F970791 2020-09-06
      Key fingerprint = AFE1 3895 35D8 CEA7 D74D  7498 CB47 8780 2F97 0791
uid                  dawn@magedu.com (rsa test) <dawn@magedu.com>
sub   2048R/1EBAA141 2020-09-06

# View the newly created public key
[root@centos7 ~]#gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/2F970791 2020-09-06
uid                  dawn@magedu.com (rsa test) <dawn@magedu.com>
sub   2048R/1EBAA141 2020-09-06

# Save the new public key to the file dawn.pubkey
[root@centos7 ~]#gpg -a --export -o dawn.pubkey
[root@centos7 ~]#ll
total 16
-rw-r--r--  1 root root 1735 Sep  6 10:59 dawn.pubkey

2. Copy the public key exported from CentOS7 to CentOS8 and use it there to encrypt a file

[root@centos7 ~]#scp dawn.pubkey 10.0.0.8:/root/
root@10.0.0.8's password:
dawn.pubkey                                         100% 1735   562.4KB/s   00:00

# Switch to CentOS8
[root@centos7 ~]#ssh 10.0.0.8
root@10.0.0.8's password:
Last login: Sun Sep  6 10:25:03 2020 from 10.0.0.1

# Inspect the public key file dawn.pubkey
[root@CentOS8 ~]#ll
total 12
-rw-r--r--  1 root root 1735 Sep  6 11:03 dawn.pubkey
[root@CentOS8 ~]#cat dawn.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
...
-----END PGP PUBLIC KEY BLOCK-----

# Import the public key dawn.pubkey
[root@CentOS8 ~]#gpg --import dawn.pubkey
gpg: key CB4787802F970791: public key "dawn@magedu.com (rsa test) <dawn@magedu.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

# Create the file file.txt
[root@CentOS8 ~]#echo -e "IP:`hostname -I`\nVersion:`cat /etc/redhat-release`" > file.txt
[root@CentOS8 ~]#cat file.txt
IP:10.0.0.8
Version:CentOS Linux release 8.1.1911 (Core)

# Encrypt file.txt with dawn.pubkey
# Command: gpg -e -r <keyID> file (-e encrypt, -r the ID of the public key to encrypt to, file the file to encrypt)
[root@CentOS8 ~]#gpg -e -r CB4787802F970791 file.txt
gpg: 1138E1A61EBAA141: There is no assurance this key belongs to the named user

sub  rsa2048/1138E1A61EBAA141 2020-09-06 dawn@magedu.com (rsa test) <dawn@magedu.com>
 Primary key fingerprint: AFE1 3895 35D8 CEA7 D74D  7498 CB47 8780 2F97 0791
      Subkey fingerprint: 9940 DF8E 57B4 1224 25ED  1B3E 1138 E1A6 1EBA A141

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

# The encrypted file is file.txt.gpg
[root@CentOS8 ~]#ll
total 20
-rw-r--r--  1 root root 1735 Sep  6 11:03 dawn.pubkey
-rw-r--r--  1 root root   59 Sep  6 11:20 file.txt
-rw-r--r--  1 root root  396 Sep  6 11:26 file.txt.gpg

3. Back on CentOS7, copy file.txt.gpg from the remote host and decrypt it with the CentOS7 private key

# Copy file.txt.gpg from CentOS8 to CentOS7
[root@CentOS8 ~]#scp file.txt.gpg 10.0.0.7:/root/file.txt.gpg
root@10.0.0.7's password:
file.txt.gpg                                 100%  396    83.4KB/s   00:00

# Switch back to CentOS7
[root@CentOS8 ~]#exit
logout
Connection to 10.0.0.8 closed.
[root@centos7 ~]#ll
total 20
-rw-r--r--  1 root root 1735 Sep  6 10:59 dawn.pubkey
-rw-r--r--  1 root root  396 Sep  6 11:32 file.txt.gpg

# Decrypt file.txt.gpg
# Decryption command: gpg -o file -d file.gpg
[root@centos7 ~]#gpg -o file.txt -d file.txt.gpg

You need a passphrase to unlock the secret key for
user: "dawn@magedu.com (rsa test) <dawn@magedu.com>"
2048-bit RSA key, ID 1EBAA141, created 2020-09-06 (main key ID 2F970791)

gpg: encrypted with 2048-bit RSA key, ID 1EBAA141, created 2020-09-06
      "dawn@magedu.com (rsa test) <dawn@magedu.com>"

# Check the decrypted file
[root@centos7 ~]#ll
total 24
-rw-r--r--  1 root root 1735 Sep  6 10:59 dawn.pubkey
-rw-r--r--  1 root root   59 Sep  6 11:36 file.txt
-rw-r--r--  1 root root  396 Sep  6 11:32 file.txt.gpg
[root@centos7 ~]#cat file.txt
IP:10.0.0.8
Version:CentOS Linux release 8.1.1911 (Core)

# Delete the public and secret keys on CentOS7 (while a secret key exists, the public key cannot be deleted first)
# Deleting the public key first fails
[root@centos7 ~]#gpg --delete-keys dawn
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: there is a secret key for public key "dawn"!
gpg: use option "--delete-secret-keys" to delete it first.

# Delete the secret key
[root@centos7 ~]#gpg --delete-secret-keys dawn
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  2048R/2F970791 2020-09-06 dawn@magedu.com (rsa test) <dawn@magedu.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

# Delete the public key
[root@centos7 ~]#gpg --delete-keys dawn
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  2048R/2F970791 2020-09-06 dawn@magedu.com (rsa test) <dawn@magedu.com>

Delete this key from the keyring? (y/N) y

# Delete the public key on CentOS8
[root@CentOS8 ~]#gpg --delete-keys dawn
gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa2048/CB4787802F970791 2020-09-06 dawn@magedu.com (rsa test) <dawn@magedu.com>

Delete this key from the keyring? (y/N) y
[root@CentOS8 ~]#rm -f dawn.pubkey file.txt file.txt.gpg

4. Create a CA with openssl on CentOS7

#1 CentOS7 already provides /etc/pki/CA; only the bookkeeping files index.txt and serial need to be created
[root@centos7 ~]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[root@centos7 ~]#cd /etc/pki/CA/
[root@centos7 CA]#touch index.txt
[root@centos7 CA]#echo 0F > serial
[root@centos7 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial

4 directories, 2 files

#2 Create the CA private key, stored under the private directory as cakey.pem (watch the file permissions; the umask step can be omitted on CentOS8)
[root@centos7 CA]#(umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................................................+++
...........................................................+++
e is 65537 (0x10001)

#3 Create the self-signed certificate, valid for 3650 days
[root@centos7 CA]#openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:dawn
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.dawn.org
Email Address []:

#4 View the full contents of the new CA certificate
[root@centos7 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            98:d6:b8:0e:ad:c0:84:9d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=hubei, L=wuhan, O=dawn, OU=devops, CN=ca.dawn.org
        Validity
            Not Before: Sep  6 03:57:41 2020 GMT
            Not After : Sep  4 03:57:41 2030 GMT
        Subject: C=CN, ST=hubei, L=wuhan, O=dawn, OU=devops, CN=ca.dawn.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (256-byte hex modulus omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                38:0D:0C:31:D6:04:AA:8B:78:36:41:01:A3:E8:7F:CD:E3:2A:12:00
            X509v3 Authority Key Identifier:
                keyid:38:0D:0C:31:D6:04:AA:8B:78:36:41:01:A3:E8:7F:CD:E3:2A:12:00

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         (256-byte hex signature omitted)

5. Create a certificate signing request with openssl on CentOS7 and sign it with the root certificate above

#1 Create the RSA private key for the certificate request
[root@centos7 ~]#(umask 077;openssl genrsa -out app.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................+++
........+++
e is 65537 (0x10001)

#2 Create the certificate request with the private key above (Country Name, State or Province Name and Organization Name must match the CA's, otherwise it will not succeed)
[root@centos7 ~]#openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:dawn
Organizational Unit Name (eg, section) []:music
Common Name (eg, your name or your server's hostname) []:www.lurenye.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

#3 Sign the certificate request with the CA certificate
[root@centos7 ~]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 200
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Sep  6 04:06:23 2020 GMT
            Not After : Mar 25 04:06:23 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = hubei
            organizationName          = dawn
            organizationalUnitName    = music
            commonName                = www.lurenye.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A3:6A:39:25:73:7D:E6:48:A3:4D:66:7E:DA:51:EB:BD:C0:B1:37:AD
            X509v3 Authority Key Identifier:
                keyid:38:0D:0C:31:D6:04:AA:8B:78:36:41:01:A3:E8:7F:CD:E3:2A:12:00

Certificate is to be certified until Mar 25 04:06:23 2021 GMT (200 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

#4 Signing succeeded; list the CA directory: app.crt and newcerts/0F.pem are the signed certificate
[root@centos7 ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files

# Compare app.crt with newcerts/0F.pem: no difference
[root@centos7 ~]#diff /etc/pki/CA/certs/app.crt /etc/pki/CA/newcerts/0F.pem
[root@centos7 ~]#

#5 View the full contents of the signed certificate
[root@centos7 ~]#openssl x509 -in /etc/pki/CA/certs/app.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=hubei, L=wuhan, O=dawn, OU=devops, CN=ca.dawn.org
        Validity
            Not Before: Sep  6 04:06:23 2020 GMT
            Not After : Mar 25 04:06:23 2021 GMT
        Subject: C=CN, ST=hubei, O=dawn, OU=music, CN=www.lurenye.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (256-byte hex modulus omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A3:6A:39:25:73:7D:E6:48:A3:4D:66:7E:DA:51:EB:BD:C0:B1:37:AD
            X509v3 Authority Key Identifier:
                keyid:38:0D:0C:31:D6:04:AA:8B:78:36:41:01:A3:E8:7F:CD:E3:2A:12:00

    Signature Algorithm: sha256WithRSAEncryption
         (256-byte hex signature omitted)

6. Revoke the signed certificate

# Set the starting number in crlnumber (only needed before the certificate revocation list is updated for the first time)
[root@centos7 ~]#echo 0F > /etc/pki/CA/crlnumber
[root@centos7 ~]#cat /etc/pki/CA/crlnumber
0F

# Revoke the certificate created in step 5
# Get the serial of the certificate to revoke
[root@centos7 ~]#openssl x509 -in /etc/pki/CA/certs/app.crt -noout -serial -subject
serial=0F
subject= /C=CN/ST=hubei/O=dawn/OU=music/CN=www.lurenye.org

# Revoke the certificate
[root@centos7 ~]#openssl ca -revoke /etc/pki/CA/newcerts/0F.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
[root@centos7 ~]#cat /etc/pki/CA/index.txt
R   210325040623Z   200906052429Z   0F  unknown /C=CN/ST=hubei/O=dawn/OU=music/CN=www.lurenye.org

# Update the certificate revocation list
[root@centos7 ~]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

# View the CRL file
[root@centos7 ~]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=hubei/L=wuhan/O=dawn/OU=devops/CN=ca.dawn.org
        Last Update: Sep  6 05:28:08 2020 GMT
        Next Update: Oct  6 05:28:08 2020 GMT
        CRL extensions:
            X509v3 CRL Number:
                15
Revoked Certificates:
    Serial Number: 0F
        Revocation Date: Sep  6 05:24:29 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
         (256-byte hex signature omitted)
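Sections 4 to 6 as one non-interactive script, an added example that is not part of the original post: it assumes a throwaway directory (CA_DIR) in place of /etc/pki/CA and writes its own minimal openssl.cnf carrying the same policy_match rules the page's request has to satisfy (C, ST and O must equal the CA's; L is not in the policy, which is why it is absent from the signed certificate's subject), then checks the certificate against the CA and its CRL with openssl verify before and after revocation, which the page does not show.

```shell
#!/bin/sh
# Added example, not the page's own commands: sections 4-6 replayed non-interactively in a
# throwaway directory (CA_DIR stands in for /etc/pki/CA) with a minimal openssl.cnf that
# carries the same policy_match rules the page's request has to satisfy.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
CFG="$CA_DIR/openssl.cnf"

ca_setup() {  # section 4: directory layout, bookkeeping files, CA key, self-signed CA cert
  mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
  touch "$CA_DIR/index.txt"; echo 0F > "$CA_DIR/serial"; echo 0F > "$CA_DIR/crlnumber"
  cat > "$CFG" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_crl_days = 30
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
  (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$CFG" -key "$CA_DIR/private/cakey.pem" -days 3650 \
    -subj "/C=CN/ST=hubei/L=wuhan/O=dawn/OU=devops/CN=ca.dawn.org" -out "$CA_DIR/cacert.pem"
  openssl ca -config "$CFG" -gencrl -out "$CA_DIR/crl.pem"   # publish an (empty) CRL from day one
}
ca_issue() {  # section 5: server key and CSR (C/ST/O match the CA), signed for 200 days
  (umask 077; openssl genrsa -out "$CA_DIR/app.key" 2048 2>/dev/null)
  openssl req -new -config "$CFG" -key "$CA_DIR/app.key" \
    -subj "/C=CN/ST=hubei/O=dawn/OU=music/CN=www.lurenye.org" -out "$CA_DIR/app.csr"
  openssl ca -config "$CFG" -batch -days 200 -in "$CA_DIR/app.csr" -out "$CA_DIR/certs/app.crt"
}
ca_revoke() {  # section 6: mark app.crt revoked in index.txt and publish a new CRL
  openssl ca -config "$CFG" -revoke "$CA_DIR/certs/app.crt"
  openssl ca -config "$CFG" -gencrl -out "$CA_DIR/crl.pem"
}
ca_check() {  # exit 0 when app.crt chains to cacert.pem and is not listed in the current CRL
  cat "$CA_DIR/cacert.pem" "$CA_DIR/crl.pem" > "$CA_DIR/trust.pem"
  openssl verify -crl_check -CAfile "$CA_DIR/trust.pem" "$CA_DIR/certs/app.crt"
}
```

Run ca_setup, ca_issue and ca_check in that order, then ca_revoke and ca_check again: the second check reports the certificate as revoked and returns a non-zero status.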
