Week 6

1. Create an RSA asymmetric key pair with gpg on CentOS 7

[root@c7-02 ~]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) N
Key is valid for? (0) 5
Key expires at Fri 11 Sep 2020 07:11:51 PM CST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: 09-06
Name may not start with a digit
Real name: 20/09/06
Name may not start with a digit
Real name: C7-0906
Email address:
Comment: 0906
You selected this USER-ID:
"C7-0906 (0906)"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 5752A980 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-09-11
pub 2048R/5752A980 2020-09-06 [expires: 2020-09-11]
Key fingerprint = FA4F 7D40 B852 770B 8111 A5A8 ECF1 1265 5752 A980
uid C7-0906 (0906)
sub 2048R/1C9FBD2C 2020-09-06 [expires: 2020-09-11]

2. Copy the public key exported from CentOS 7 to CentOS 8, and on CentOS 8 encrypt a file with the CentOS 7 public key

[root@c7-02 ~]#scp ./Centos7.pubkey 10.0.0.115:/data/test/
The authenticity of host '10.0.0.115 (10.0.0.115)' can't be established.
ECDSA key fingerprint is SHA256:Q17XJfAavoLv0scrFBZWpZX3pE/tRgOTlse4BcAnw4k.
ECDSA key fingerprint is MD5:6f:42:fd:6c:c7:9c:11:1f:1f:13:88:0f:35:60:20:b5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.115' (ECDSA) to the list of known hosts.
root@10.0.0.115's password:
Centos7.pubkey 100% 1711 823.8KB/s 00:00
[root@C8-1905 test]#gpg --import ./Centos7.pubkey
gpg: key ECF112655752A980: public key "C7-0906 (0906)" imported
gpg: Total number processed: 1
gpg: imported: 1

[root@C8-1905 test]#cat f1
SHA512(test/testfile)= 508d87530eab466789bc7224cd1d5db1b3fe7dd43b47d723bd54b424710dd59ff2215cddaf1d37c3c6ce5ce613ac1a9bd971293b87733f13520fe178dbb0b937

[root@C8-1905 test]#gpg -e -r C7-0906 f1
gpg: 8E53AC0A1C9FBD2C: There is no assurance this key belongs to the named user
sub rsa2048/8E53AC0A1C9FBD2C 2020-09-06 C7-0906 (0906)
Primary key fingerprint: FA4F 7D40 B852 770B 8111 A5A8 ECF1 1265 5752 A980
Subkey fingerprint: 59B6 4A45 544B FE54 56ED E0B2 8E53 AC0A 1C9F BD2C

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
File 'f1.gpg' exists. Overwrite? (y/N) y

3. Back on the CentOS 7 server, copy file.txt.gpg from the remote host to the local machine and decrypt it with the CentOS 7 private key

[root@c7-02 /data]#scp 10.0.0.115:/data/test/f1.gpg /data/test/
root@10.0.0.115's password:
f1.gpg 100% 453 431.1KB/s 00:00
[root@c7-02 /data/test]#gpg -o f1 -d f1.gpg

You need a passphrase to unlock the secret key for
user: "C7-0906 (0906)"
2048-bit RSA key, ID 1C9FBD2C, created 2020-09-06 (main key ID 5752A980)

[root@c7-02 /data/test]#cat f1
SHA512(test/testfile)= 508d87530eab466789bc7224cd1d5db1b3fe7dd43b47d723bd54b424710dd59ff2215cddaf1d37c3c6ce5ce613ac1a9bd971293b87733f13520fe178dbb0b937
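
The three gpg steps above (key generation, export and import of the public key, encryption on the receiving host, decryption with the private key) as one non-interactive script. This is an added example, not part of the original write-up: it assumes GnuPG 2.1 or newer (for `%no-protection` in the batch parameter file), stands in two temporary GNUPGHOME directories for the CentOS 7 and CentOS 8 hosts, and uses a constructed sample for the f1 file. It also replaces the "Use this key anyway? (y/N)" prompt seen in section 2 with the check that warning is asking for: comparing the imported fingerprint against the one read on the key owner's side before the key is used.

```shell
#!/bin/sh
# Added example (not the page's own commands): sections 1-3 end to end in two
# throw-away keyrings. Assumes GnuPG >= 2.1; user ID mirrors the page.

gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    local work c7 c8 fpr_c7 fpr_c8 result
    work=$(mktemp -d) || return 1
    c7="$work/c7"; c8="$work/c8"       # "CentOS 7" (key owner) and "CentOS 8" keyrings
    mkdir -m 700 "$c7" "$c8"

    # Section 1: unattended equivalent of the interactive answers on the page
    # (RSA and RSA, 2048 bits, expires in 5 days, uid "C7-0906 (0906)").
    gpg --homedir "$c7" --batch --quiet --gen-key >/dev/null 2>&1 <<'EOF' || return 1
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: C7-0906
Name-Comment: 0906
Expire-Date: 5d
%commit
EOF

    # Section 2: export the public key (the page's Centos7.pubkey) and import it
    # on the receiving side.
    gpg --homedir "$c7" --armor --export C7-0906 > "$work/Centos7.pubkey" || return 1
    gpg --homedir "$c8" --quiet --import "$work/Centos7.pubkey" 2>/dev/null || return 1

    # Instead of answering "Use this key anyway?", compare the primary-key
    # fingerprint on both sides (on real hosts this is read out of band).
    fpr_c7=$(gpg --homedir "$c7" --with-colons --fingerprint C7-0906 | awk -F: '$1 == "fpr" { print $10; exit }')
    fpr_c8=$(gpg --homedir "$c8" --with-colons --fingerprint C7-0906 | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr_c7" ] && [ "$fpr_c7" = "$fpr_c8" ] || { echo "fingerprint mismatch" >&2; return 1; }

    # Encrypt for C7-0906. --trust-model always is acceptable here only because
    # the fingerprint was verified just above. The plaintext is a constructed sample.
    printf 'SHA512(test/testfile)= constructed-sample-digest\n' > "$work/f1"
    gpg --homedir "$c8" --batch --quiet --trust-model always -e -r C7-0906 \
        -o "$work/f1.gpg" "$work/f1" 2>/dev/null || return 1

    # Section 3: decrypt with the private key on the owner's side.
    gpg --homedir "$c7" --batch --quiet -o "$work/f1.dec" -d "$work/f1.gpg" 2>/dev/null || return 1

    result=1
    cmp -s "$work/f1" "$work/f1.dec" && result=0
    gpgconf --homedir "$c7" --kill gpg-agent 2>/dev/null
    gpgconf --homedir "$c8" --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    [ "$result" -eq 0 ] && echo "fingerprint $fpr_c7 verified; decrypted file matches original"
    return "$result"
}

# Run with: sh gpg_roundtrip.sh run
case "${1:-}" in run) gpg_roundtrip ;; esac
```

The fingerprint comparison is the point of the example: the "There is no assurance this key belongs to the named user" message in section 2 is gpg telling you it has no trust path to the imported key, and the remedy is to confirm the fingerprint with the key owner, not to answer y.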

4. Create a CA with openssl on CentOS 7

# Create the directories and bookkeeping files the CA needs
mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
touch /etc/pki/CA/index.txt
echo 0F > /etc/pki/CA/serial
# Generate the CA private key (1024 bits as in this exercise; 2048 bits or more is the current minimum for a real CA)
openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024
# Subject fields that answer the `openssl req` prompts, one per prompt, in prompt order:
# Country, State/Province, Locality, Organization, Organizational Unit, Common Name
A=CN
B=bj
C=hd
D=dongwuyuanxiehui
E=anbao
F=www.anbao.org
# Generate the self-signed CA certificate with the private key; the newline after $F leaves the Email prompt empty
echo -e "$A\n$B\n$C\n$D\n$E\n$F\n" | openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 888 -out /etc/pki/CA/cacert.pem


5. Create a certificate signing request with openssl on CentOS 7 and sign it with the root certificate created above
# Generate a private key for the certificate to be issued
mkdir -p /data/certs
openssl genrsa -out /data/certs/pangzo.key 1024
# Request a certificate with that key; the two extra newlines leave the challenge password and optional company name empty
echo -e "$A\n$B\n$C\n$D\n$E\n$F\n\n\n" | openssl req -new -key /data/certs/pangzo.key -out /data/certs/pangzo.csr
# Sign the request with the CA; a copy of the issued certificate is also written to /etc/pki/CA/newcerts/0F.pem
openssl ca -in /data/certs/pangzo.csr -out /etc/pki/CA/certs/pangzo.crt -days 100

6. Revoke the certificate that was just signed
# Revoke by the copy the CA kept under newcerts (serial 0F); this marks it R in index.txt
openssl ca -revoke /etc/pki/CA/newcerts/0F.pem
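
The CA flow of sections 4 to 6 end to end, as an added example that is not the write-up's own commands. It builds the same directory layout under a temporary directory instead of /etc/pki/CA, writes its own minimal openssl.cnf (an assumption, so the script does not depend on the CentOS 7 default config), passes the subject with -subj instead of answering prompts, signs the pangzo request, revokes it, and then does the step the page stops short of: generating a CRL and confirming that `openssl verify -crl_check` rejects the revoked certificate. Key sizes are 2048 bits rather than 1024, and the crlnumber file is added because `openssl ca -gencrl` requires it.

```shell
#!/bin/sh
# Added example (not the page's own commands): CA setup, signing, revocation
# and CRL check from sections 4-6 in a throw-away directory. Assumes openssl
# 1.1 or 3.x; the minimal openssl.cnf below is written by this script.

openssl_ca_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    local work ca cnf subj status
    work=$(mktemp -d) || return 1
    ca="$work/CA"
    cnf="$work/openssl.cnf"

    # Section 4: the layout the page creates under /etc/pki/CA.
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"
    touch "$ca/index.txt"
    echo 0F > "$ca/serial"
    echo 01 > "$ca/crlnumber"   # assumption: required by `openssl ca -gencrl`, not in the page's layout

    # Minimal config for `openssl ca` and `openssl req` (assumed, not CentOS 7's).
    cat > "$cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 100
default_crl_days = 30
policy           = policy_match
x509_extensions  = usr_cert

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

    # CA key and self-signed root; -subj carries the page's A..F answers.
    subj="/C=CN/ST=bj/L=hd/O=dongwuyuanxiehui/OU=anbao/CN=www.anbao.org"
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -config "$cnf" -extensions v3_ca -key "$ca/private/cakey.pem" \
        -days 888 -subj "$subj" -out "$ca/cacert.pem" 2>/dev/null || return 1

    # Section 5: key, CSR and signing for pangzo. C, ST and O must match the CA (policy_match).
    openssl genrsa -out "$work/pangzo.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$cnf" -key "$work/pangzo.key" \
        -subj "/C=CN/ST=bj/L=hd/O=dongwuyuanxiehui/OU=anbao/CN=pangzo" -out "$work/pangzo.csr" 2>/dev/null || return 1
    openssl ca -config "$cnf" -batch -notext -in "$work/pangzo.csr" \
        -out "$ca/certs/pangzo.crt" -days 100 2>/dev/null || return 1
    # The issued certificate must chain to the root.
    openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/pangzo.crt" >/dev/null 2>&1 || return 1

    # Section 6: revoke serial 0F, then publish the CRL (the step the page leaves out).
    openssl ca -config "$cnf" -revoke "$ca/newcerts/0F.pem" 2>/dev/null || return 1
    openssl ca -config "$cnf" -gencrl -out "$ca/crl/crl.pem" 2>/dev/null || return 1

    # A relying party that checks the CRL must now reject the certificate.
    if openssl verify -crl_check -CAfile "$ca/cacert.pem" -CRLfile "$ca/crl/crl.pem" \
            "$ca/certs/pangzo.crt" >/dev/null 2>&1; then
        echo "revoked certificate still verifies" >&2
        rm -rf "$work"
        return 1
    fi
    status=$(awk -F'\t' '$4 == "0F" { print $1 }' "$ca/index.txt")   # R = revoked
    rm -rf "$work"
    echo "serial 0F status in index.txt: $status; verify -crl_check rejects the certificate"
    [ "$status" = "R" ]
}

# Run with: sh openssl_ca_demo.sh run
case "${1:-}" in run) openssl_ca_demo ;; esac
```

Revoking with `openssl ca -revoke` only updates the CA's own index.txt; nothing that relies on the certificate learns about it until a CRL (or OCSP response) is generated and published, which is why the example ends with `-gencrl` and a `-crl_check` verification rather than with the revoke command.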

 
