Period: 8.31 - 9.5
-
Create an RSA asymmetric key pair with gpg on CentOS7
[Centos7root@Sat Sep 05 tmp]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[Centos7root@Sat Sep 05 tmp]# gpg --list-keys
[Centos7root@Sat Sep 05 tmp]# gpg --gen-key
[Centos7root@Sat Sep 05 tmp]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/94C7C969 2020-09-05
uid                  TreeZeng
sub   2048R/D37B59A6 2020-09-05
[Centos7root@Sat Sep 05 tmp]# gpg -a --export -o TreeZeng.pubkey # gpg does not write the public key to a file when it generates the key pair; export it manually (the public key can be computed from the private key)
[Centos7root@Sat Sep 05 tmp]# ls
TreeZeng.pubkey
-
Copy the public key exported from CentOS7 to CentOS8, then encrypt a file on CentOS8 with the CentOS7 public key
[Centos7root@Sat Sep 05 tmp]# scp TreeZeng.pubkey 172.16.135.202:/tmp
[root@CentOS8 tmp]# cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)
[root@CentOS8 tmp]# gpg --list-keys
[root@CentOS8 tmp]# gpg --import TreeZeng.pubkey
gpg: key FA968E6B94C7C969: public key "TreeZeng" imported
gpg: Total number processed: 1
gpg:               imported: 1
[root@CentOS8 tmp]# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2020-09-05 [SC]
      A2790C03236DC8ED2EAB833BFA968E6B94C7C969
uid           [ unknown] TreeZeng
sub   rsa2048 2020-09-05 [E]
[root@CentOS8 tmp]# echo "data from CentOS8" > content.txt
[root@CentOS8 tmp]# gpg -e -r TreeZeng content.txt
...
Use this key anyway? (y/N) y
[root@CentOS8 tmp]# ls
content.txt  content.txt.gpg  TreeZeng.pubkey
-
Back on the CentOS7 server, copy content.txt.gpg from the remote host to the local machine and decrypt it with the CentOS7 private key
[Centos7root@Sat Sep 05 tmp]# scp 172.16.135.202:/tmp/content.txt.gpg .
root@172.16.135.202's password:
content.txt.gpg
[Centos7root@Sat Sep 05 tmp]# gpg -o content.txt -d content.txt.gpg
gpg: encrypted with 2048-bit RSA key, ID D37B59A6, created 2020-09-05
      "TreeZeng"
[Centos7root@Sat Sep 05 tmp]# cat content.txt
data from CentOS8
-
Create a CA with openssl on CentOS7
[Centos7root@Sat Sep 05 CA]# (umask 077; openssl genrsa -out private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
................................................................++
....................................++
e is 65537 (0x10001)
[Centos7root@Sat Sep 05 CA]# pwd
/etc/pki/CA
[Centos7root@Sat Sep 05 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
...
[Centos7root@Sat Sep 05 CA]# ls
cacert.pem  index.txt  newcerts  private  serial
-
Create a certificate signing request (CSR) file with openssl on CentOS7 and sign it with the root certificate created above
[Centos7root@Sat Sep 05 tmp]# pwd
/tmp
[Centos7root@Sat Sep 05 tmp]# (umask 066; openssl genrsa -out test.key 2048)
[Centos7root@Sat Sep 05 tmp]# openssl req -new -key test.key -out test.csr
...
[Centos7root@Sat Sep 05 tmp]# ls
test.csr  test.key
[Centos7root@Sat Sep 05 tmp]# openssl ca -in test.csr -out test.crt -days 100
-
Revoke the certificate that was signed
[Centos7root@Sat Sep 05 tmp]# openssl x509 -in test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=HeNan/O=T/OU=R/CN=treezeng.cn
[Centos7root@Sat Sep 05 tmp]# openssl ca -revoke test.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
[Centos7root@Sat Sep 05 tmp]# echo 01 > /etc/pki/CA/crlnumber
[Centos7root@Sat Sep 05 tmp]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
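Revoking the certificate and generating crl.pem only has an effect on verifiers that are told to check that CRL. The following added example (not from the original post) repeats the issue, revoke and gencrl steps against a throwaway CA in a temporary directory and compares `openssl verify` with and without `-crl_check`; the config file, the `Demo CA` and `demo.example` names and the helper functions are constructed for the demo.

```bash
# Added example: scratch CA in a temp dir (not /etc/pki/CA); every name is constructed.
set -eu
run_ca() { d=$1; shift; openssl ca -batch -config "$d/ca.cnf" "$@" >/dev/null 2>&1; }
# Create the CA, issue test.crt, publish a CRL with no entries, print the directory.
make_demo_ca() {
  d=$(mktemp -d) && mkdir "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial" &&
  cat > "$d/ca.cnf" <<EOF &&
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/cacert.pem
private_key = $d/cakey.pem
default_md = sha256
default_days = 100
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=Demo CA" \
    -days 365 -keyout "$d/cakey.pem" -out "$d/cacert.pem" >/dev/null 2>&1 &&
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=demo.example" \
    -keyout "$d/test.key" -out "$d/test.csr" >/dev/null 2>&1 &&
  run_ca "$d" -in "$d/test.csr" -out "$d/test.crt" &&
  run_ca "$d" -gencrl -out "$d/crl.pem" && echo "$d"
}
# Same two steps as on the page: revoke, then regenerate the CRL.
revoke_and_publish() { run_ca "$1" -revoke "$1/test.crt" && run_ca "$1" -gencrl -out "$1/crl.pem"; }
verdict() {  # usage: verdict DIR [extra "openssl verify" flags] -> ok | revoked | other
  d=$1; shift
  out=$(openssl verify "$@" -CAfile "$d/cacert.pem" "$d/test.crt" 2>&1) || true
  case $out in *"certificate revoked"*) echo revoked ;; *": OK"*) echo ok ;; *) echo "other: $out" ;; esac
}

demo=$(make_demo_ca)
echo "before revoke, CRL checked: $(verdict "$demo" -crl_check -CRLfile "$demo/crl.pem")"
revoke_and_publish "$demo"
echo "after revoke, CRL checked:  $(verdict "$demo" -crl_check -CRLfile "$demo/crl.pem")"
echo "after revoke, no CRL check: $(verdict "$demo")"
rm -rf "$demo"
```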
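This article walks through creating an RSA key pair with gpg on CentOS7 and importing the public key into CentOS8 for encryption and decryption. It also shows how to create and manage a CA on CentOS7, issue a certificate, and revoke a certificate.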