1. Create an RSA asymmetric key pair with gpg on CentOS7

[root@Centos7 ~]$gpg --gen-key
[root@Centos7 ~]$gpg --list-key
/root/.gnupg/pubring.gpg
pub   2048R/2601DB32 2020-09-05
uid                  artuoliya
sub   2048R/CF0F5E9E 2020-09-05

2. Copy the public key exported from CentOS7 to CentOS8, and on CentOS8 encrypt a file with the CentOS7 public key

[root@Centos7 ~]$gpg -a --export -o centos7.pukey
[root@Centos7 ~]$ll
total 4
-rw-r--r--. 1 root root 1687 Sep  5 19:43 centos7.pukey
[root@Centos7 ~]$scp centos7.pukey 192.168.80.120:/root
[root@Centos8 ~]$gpg --gen-key
[root@Centos8 ~]$gpg --import centos7.pukey
[root@Centos8 ~]$gpg --list-key
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2022-09-05
/root/.gnupg/pubring.kbx
pub   rsa2048 2020-09-05 [SC] [expires: 2022-09-05]
      57CD97F965FCCEC5DAE285664AAFBA8D17458BF8
uid           [ultimate] centos8
sub   rsa2048 2020-09-05 [E] [expires: 2022-09-05]

pub   rsa2048 2020-09-05 [SC]
      7D8D88BCB5D0A1505766149D77F52E9B2601DB32
uid           [ unknown] artuoliya
sub   rsa2048 2020-09-05 [E]

[root@Centos8 ~]$ echo 123456789 > 1.txt
[root@Centos8 ~]$ll
total 8
-rw-r--r-- 1 root root   10 Sep  5 19:48 1.txt
-rw-r--r-- 1 root root 1687 Sep  5 19:44 centos7.pukey
[root@Centos8 ~]$cat 1.txt
123456789
[root@Centos8 ~]$gpg -e -r artuoliya 1.txt
gpg: 55A84DC6CF0F5E9E: There is no assurance this key belongs to the named user
sub  rsa2048/55A84DC6CF0F5E9E 2020-09-05 artuoliya
 Primary key fingerprint: 7D8D 88BC B5D0 A150 5766 149D 77F5 2E9B 2601 DB32
      Subkey fingerprint: 18C2 6357 1A6D A33B C2C7 2115 55A8 4DC6 CF0F 5E9E
It is NOT certain that the key belongs to the person named in the user ID. If you really know what you are doing, you may answer the next question with yes.
Use this key anyway? (y/N) y
[root@Centos8 ~]$ll
total 12
-rw-r--r-- 1 root root   10 Sep  5 19:48 1.txt
-rw-r--r-- 1 root root  347 Sep  5 19:49 1.txt.gpg
-rw-r--r-- 1 root root 1687 Sep  5 19:44 centos7.pukey

3. Back on the CentOS7 server, copy the encrypted file (file.txt.gpg, named 1.txt.gpg in the session below) to the local machine and decrypt it with the CentOS7 private key

[root@Centos7 ~]$scp root@192.168.80.120:/root/1.txt.gpg /root/
[root@Centos7 ~]$gpg -o 1.txt -d 1.txt.gpg
gpg: encrypted with 2048-bit RSA key, ID CF0F5E9E, created 2020-09-05
      "artuoliya"
[root@Centos7 ~]$cat 1.txt
123456789

4. Create a CA with openssl on CentOS7

[root@Centos7 ~]$touch /etc/pki/CA/index.txt
[root@Centos7 ~]$echo 01 > /etc/pki/CA/serial
[root@Centos7 ~]$openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
[root@Centos7 ~]$openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:linux
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.centos.com
Email Address []:
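Steps 1 to 3 above, replayed end to end as an added example that is not part of the original lab: two GnuPG home directories on one host stand in for CentOS7 and CentOS8, key generation runs unattended, and the sending side checks the imported key's fingerprint and locally signs it instead of answering y to "Use this key anyway?". It assumes GnuPG 2.1 or newer is on PATH; the directory names, user IDs and the sample plaintext are invented for the demo.

```shell
#!/bin/sh
# Added example: steps 1-3 on one machine with two GnuPG homedirs, one per host role.
# Assumes gpg (GnuPG 2.1+) on PATH; paths, user IDs and plaintext are constructed.
set -eu

WORK=$(mktemp -d)
OWNER="$WORK/centos7"    # CentOS7 role: owns the private key, decrypts
SENDER="$WORK/centos8"   # CentOS8 role: holds only the imported public key, encrypts
mkdir -m 700 "$OWNER" "$SENDER"

# Unattended equivalent of the interactive "gpg --gen-key" on each host.
gen_key() {   # $1 = homedir, $2 = user id
    GNUPGHOME="$1" gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Expire-Date: 0
%commit
EOF
}

# Primary-key fingerprint of the only key in a homedir (first colon-format "fpr" record).
fingerprint() {
    GNUPGHOME="$1" gpg --batch --with-colons --fingerprint --list-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Receiving side of step 2: import the exported key, confirm a key with the fingerprint
# obtained out of band is present, then locally sign it. A locally signed key is fully
# valid, so "-e -r" works in --batch mode instead of stopping at "Use this key anyway?".
import_and_verify() {   # $1 = exported public key file, $2 = expected fingerprint
    GNUPGHOME="$SENDER" gpg --batch --quiet --import "$1"
    GNUPGHOME="$SENDER" gpg --batch --quiet --list-keys "$2" >/dev/null \
        || { echo "no key with fingerprint $2 was imported" >&2; return 1; }
    GNUPGHOME="$SENDER" gpg --batch --yes --quiet --quick-lsign-key "$2"
}

# Encrypt to the verified key by fingerprint rather than by name (any key can carry a name).
encrypt_for() {   # $1 = recipient fingerprint, $2 = plaintext, $3 = ciphertext
    GNUPGHOME="$SENDER" gpg --batch --yes --quiet -o "$3" -r "$1" -e "$2"
}

# Step 3: only the homedir holding the matching private key can decrypt.
decrypt_as_owner() {   # $1 = ciphertext, $2 = recovered plaintext
    GNUPGHOME="$OWNER" gpg --batch --yes --quiet -o "$2" -d "$1"
}

# The sender's homedir has no matching secret key, so decryption there must be refused.
sender_cannot_decrypt() {   # $1 = ciphertext; returns 0 when gpg refuses
    ! GNUPGHOME="$SENDER" gpg --batch --quiet -d "$1" >/dev/null 2>&1
}

gen_key "$OWNER" artuoliya
gen_key "$SENDER" centos8
GNUPGHOME="$OWNER" gpg --batch --armor -o "$WORK/centos7.pukey" --export   # step 2 export
FPR=$(fingerprint "$OWNER")   # stands in for the fingerprint read out over a trusted channel
echo "owner fingerprint: $FPR"
import_and_verify "$WORK/centos7.pukey" "$FPR"
printf '123456789\n' > "$WORK/1.txt"                      # constructed sample plaintext
encrypt_for "$FPR" "$WORK/1.txt" "$WORK/1.txt.gpg"
decrypt_as_owner "$WORK/1.txt.gpg" "$WORK/1.txt.dec"
if cmp -s "$WORK/1.txt" "$WORK/1.txt.dec"; then echo "round trip ok"; else echo "MISMATCH" >&2; exit 1; fi
if sender_cannot_decrypt "$WORK/1.txt.gpg"; then SENDER_DECRYPT=refused; else SENDER_DECRYPT=succeeded; fi
echo "decrypt attempt in sender homedir: $SENDER_DECRYPT"
for d in "$OWNER" "$SENDER"; do GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null || true; done
```

The lab's `gpg -e -r artuoliya` selects the recipient by user ID, which is why gpg warns that there is no assurance the key belongs to that user: any key can carry that name. Comparing the fingerprint against a value received over a separate channel, then recording the check with a local signature, answers the question gpg is asking instead of bypassing it with y.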
5. On CentOS7, create a certificate signing request with openssl and sign it with the root certificate above
[root@Centos7 ~]$mkdir /data/test
[root@Centos7 ~]$(umask 066;openssl genrsa -out /data/test/test.key 2048)
Generating RSA private key, 2048 bit long modulus
.........................................+++
...+++
e is 65537 (0x10001)
[root@Centos7 ~]$openssl req -new -key /data/test/test.key -out /data/test/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:linux
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:www.centos7.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@Centos7 ~]$openssl ca -in /data/test/test.csr -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  5 13:27:59 2020 GMT
            Not After : Sep  5 13:27:59 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = linux
            organizationalUnitName    = OPS
            commonName                = www.centos7.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                74:0C:D2:61:A0:9B:EC:BF:AD:AF:8F:B0:66:02:EE:8B:22:6B:55:71
            X509v3 Authority Key Identifier:
                keyid:95:D6:62:87:5D:35:40:94:57:E8:5C:38:42:5E:15:71:EE:B3:A7:71

Certificate is to be certified until Sep  5 13:27:59 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Centos7 ~]$tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── test.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

6. Revoke the certificate that was just signed

[root@Centos7 ~]$openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@Centos7 ~]$cat /etc/pki/CA/index.txt
R	210905132759Z	200905133532Z	01	unknown	/C=CN/ST=beijing/O=linux/OU=OPS/CN=www.centos7.com
[root@Centos7 ~]$echo 01 > /etc/pki/CA/crlnumber
[root@Centos7 ~]$openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
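Steps 4 to 6 in a throw-away directory, as an added example that is not the lab's own command sequence: a minimal openssl.cnf written by the script replaces the /etc/pki/CA layout and /etc/pki/tls/openssl.cnf, `-subj` and `-batch` replace the interactive prompts, and two checks the lab never runs are added, `openssl verify` against the CA and `openssl verify -crl_check` before and after the revocation. It assumes openssl 1.1.1 or 3.x on PATH; all paths, section names and DN values are constructed for the demo.

```shell
#!/bin/sh
# Added example: CA creation, signing, revocation and CRL (steps 4-6) under a temp dir
# with its own openssl.cnf, plus verification. Assumes openssl 1.1.1/3.x on PATH.
set -eu

WORK=$(mktemp -d)
CA="$WORK/CA"
CFG="$CA/openssl.cnf"

# Same layout the lab relies on under /etc/pki/CA, rebuilt here with absolute paths.
setup_ca_dir() {
    mkdir -p "$CA/private" "$CA/newcerts" "$CA/certs" "$CA/crl"
    chmod 700 "$CA/private"
    : > "$CA/index.txt"          # certificate database (touch index.txt in the lab)
    echo 01 > "$CA/serial"       # next certificate serial
    echo 01 > "$CA/crlnumber"    # next CRL number (the lab creates it just before -gencrl)
    cat > "$CFG" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
database         = $CA/index.txt
new_certs_dir    = $CA/newcerts
certificate      = $CA/cacert.pem
private_key      = $CA/private/cakey.pem
serial           = $CA/serial
crlnumber        = $CA/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Step 4: self-signed root (genrsa + req -new -x509), with the CA extensions made explicit.
create_ca() {
    openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$CFG" -extensions v3_ca -days 3650 -sha256 \
        -key "$CA/private/cakey.pem" \
        -subj "/C=CN/ST=beijing/L=beijing/O=linux/OU=IT/CN=www.centos.com" \
        -out "$CA/cacert.pem"
}

# Step 5: end-entity key + CSR, signed non-interactively (-batch replaces the y/n prompts).
issue_cert() {   # $1 = common name, $2 = output path without extension
    (umask 066; openssl genrsa -out "$2.key" 2048 2>/dev/null)
    openssl req -new -config "$CFG" -key "$2.key" \
        -subj "/C=CN/ST=beijing/O=linux/OU=OPS/CN=$1" -out "$2.csr"
    openssl ca -config "$CFG" -batch -notext -extensions server_cert \
        -in "$2.csr" -out "$2.crt" -days 365
}

# Step 6: revoke (index.txt status flips from V to R) and publish a fresh CRL.
revoke_cert() { openssl ca -config "$CFG" -revoke "$1"; }
gen_crl()     { openssl ca -config "$CFG" -gencrl -out "$CA/crl.pem"; }

# Checks the lab does not show: chain validity, chain validity with CRL, CRL contents.
verify_chain()     { openssl verify -CAfile "$CA/cacert.pem" "$1" >/dev/null 2>&1; }
verify_with_crl()  { openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl.pem" "$1" >/dev/null 2>&1; }
crl_lists_serial() { openssl crl -in "$CA/crl.pem" -noout -text | grep -q "Serial Number: $1"; }

setup_ca_dir
create_ca
issue_cert www.centos7.com "$WORK/test"
gen_crl                                   # empty CRL: nothing revoked yet
if verify_with_crl "$WORK/test.crt"; then BEFORE_REVOKE=ok; else BEFORE_REVOKE=fail; fi
revoke_cert "$WORK/test.crt"
gen_crl                                   # CRL now carries serial 01
if verify_with_crl "$WORK/test.crt"; then AFTER_REVOKE=ok; else AFTER_REVOKE=revoked; fi
echo "with CRL check, before revocation: $BEFORE_REVOKE; after revocation: $AFTER_REVOKE"
cat "$CA/index.txt"
```

Note that `verify_chain` still succeeds after the revocation: a plain chain check has no way of knowing the certificate was revoked. Only relying parties that actually fetch and check crl.pem (or query OCSP) see the `R` status, so publishing the CRL at the distribution point clients use is the step that makes step 6 effective.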