1、在 CentOS7 中使用 gpg 创建 RSA 非对称密钥对
[root@centos7 .gnupg]#gpg --gen-key
[root@centos7 .gnupg]#gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/F43101B8 2020-09-06
uid centos7
sub 1024R/9187C94B 2020-09-06
2、将 CentOS7 导出的公钥,拷贝到 CentOS8 中,在 CentOS8 中使用 CentOS7 的公钥加密一个文件
[root@centos7 .gnupg]#gpg -a --export -o centos7.pubkey
[root@centos7 .gnupg]#scp centos7.pubkey 10.0.0.135:/data
[root@CentOS8-1 data]#gpg --import centos7.pubkey
gpg: key 8674AE99F43101B8: public key "centos7" imported
gpg: Total number processed: 1
gpg: imported: 1
[root@CentOS8-1 data]#gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub rsa1024 2020-09-06 [SC]
C75AE3C533D760307B1CCC178674AE99F43101B8
uid [ unknown] centos7
sub rsa1024 2020-09-06 [E]
[root@CentOS8-1 data]#gpg -e -r centos7 blog.txt
3、回到 CentOS7 服务器,远程拷贝 blog.txt.gpg 文件到本地,使用 CentOS7 的私钥解密文件
[root@CentOS8-1 data]#scp blog.txt.gpg 10.0.0.132:/data
[root@centos7 data]#gpg -d blog.txt.gpg
You need a passphrase to unlock the secret key for
user: "centos7"
1024-bit RSA key, ID 9187C94B, created 2020-09-06 (main key ID F43101B8)
gpg: encrypted with 1024-bit RSA key, ID 9187C94B, created 2020-09-06
"centos7"
123456
4、在 CentOS7 中使用 openssl 软件创建 CA
[root@centos7 ~]#cd /etc/pki/CA
[root@centos7 CA]#ls
certs crl newcerts private
[root@centos7 CA]#cat /etc/pki/tls/openssl.cnf
[root@centos7 CA]#(umask 066; openssl genrsa -out private/cakey.pem 1024)
[root@centos7 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
[root@centos7 CA]#openssl x509 -in cacerts.pem -noout -text
5、在 CentOS7 中使用 openssl 软件创建一个证书申请请求文件,并使用上面的根证书对其进行签署
[root@centos7 ~]#mkdir /data/certs
[root@centos7 ~]#cd /data/certs
[root@centos7 certs]#(umask 066; openssl genrsa -out app.key 1024)
[root@centos7 certs]#openssl req -new -key app.key -out app.csr
[root@centos7 certs]#cd /etc/pki/CA
[root@centos7 CA]#touch index.txt
[root@centos7 CA]#echo 0F > serial
[root@centos7 CA]#openssl ca -in /data/certs/app.csr -out /etc/pki/CA/certs/app.crt -days 200
[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
│ └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
[root@centos7 CA]#sz certs/app.crt
6、吊销已经签署成功的证书
[root@centos7 CA]#openssl ca -revoke /etc/pki/CA/newcerts/0F.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
[root@centos7 CA]#openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Revoked (R)
[root@centos7 CA]#echo 01 > /etc/pki/CA/crlnumber
[root@centos7 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
│ └── app.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 13 files
[root@centos7 CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text