第六周作业

1、在 CentOS7 中使用 gpg 创建 RSA 非对称密钥对

[root@centos7 .gnupg]#gpg --gen-key
[root@centos7 .gnupg]#gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/F43101B8 2020-09-06
uid                  centos7
sub   1024R/9187C94B 2020-09-06

2、将 CentOS7 导出的公钥，拷贝到 CentOS8 中，在 CentOS8 中使用 CentOS7 的公钥加密一个文件

[root@centos7 .gnupg]#gpg -a --export -o centos7.pubkey
[root@centos7 .gnupg]#scp centos7.pubkey 10.0.0.135:/data
[root@CentOS8-1 data]#gpg --import centos7.pubkey 
gpg: key 8674AE99F43101B8: public key "centos7" imported
gpg: Total number processed: 1
gpg:               imported: 1
[root@CentOS8-1 data]#gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub   rsa1024 2020-09-06 [SC]
      C75AE3C533D760307B1CCC178674AE99F43101B8
uid           [ unknown] centos7
sub   rsa1024 2020-09-06 [E]
[root@CentOS8-1 data]#gpg -e -r centos7 blog.txt

3、回到 CentOS7 服务器，远程拷贝 file.txt.gpg 文件到本地，使用 CentOS7的私钥解密文件

[root@CentOS8-1 data]#scp blog.txt.gpg 10.0.0.132:/data 
[root@centos7 data]#gpg -d blog.txt.gpg 

You need a passphrase to unlock the secret key for
user: "centos7"
1024-bit RSA key, ID 9187C94B, created 2020-09-06 (main key ID F43101B8)

gpg: encrypted with 1024-bit RSA key, ID 9187C94B, created 2020-09-06
      "centos7"
123456

4、在 CentOS7 中使用 openssl 软件创建 CA

[root@centos7 ~]#cd /etc/pki/CA
[root@centos7 CA]#ls
certs  crl  newcerts  private
[root@centos7 CA]#cat /etc/pki/tls/openssl.cnf
[root@centos7 CA]#(umask 066; openssl genrsa -out private/cakey.pem 1024)
[root@centos7 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
[root@centos7 CA]#openssl x509 -in cacerts.pem -noout -text

5、 在 CentOS7 中使用 openssl 软件创建一个证书申请请求文件，并使用上面的跟证书对其进行签署

[root@centos7 ~]#mkdir /data/certs
[root@centos7 ~]#cd /data/certs
[root@centos7 certs]#(umask 066; openssl genrsa -out app.key 1024)
[root@centos7 certs]#openssl req -new -key app.key -out app.csr
[root@centos7 certs]#cd /etc/pki/CA
[root@centos7 CA]#touch index.txt
[root@centos7 CA]#echo 0F > serial
[root@centos7 CA]#openssl ca -in /data/certs/app.csr -out /etc/pki/CA/certs/app.crt -days 200
[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
[root@centos7 CA]#sz certs/app.crt 

6、吊销已经签署成功的证书

[root@centos7 CA]#openssl ca -revoke /etc/pki/CA/newcerts/0F.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
[root@centos7 CA]#openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Revoked (R)
[root@centos7 CA]#echo 01 > /etc/pki/CA/crlnumber
[root@centos7 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 13 files
[root@centos7 CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text