Homemade CA Certificates

Source: Internet  Editor: 程序博客网  Time: 2024/04/28 03:32

Reference: liang.iteye.com/blog/2003057

After deploying the certificate on Tomcat, the browser complained about a weak signature algorithm. Baidu turned up nothing useful, so I googled "Weak signature" and found the fix here: http://michaelwyres.com/2012/05/chrome-weak-signature-algorithm-solved/

The solution? Change the hashing from MD5 to SHA512. If you create your certificates directly from the command line, use the -sha512 switch instead of the -md5 switch – for example:

    openssl req -new -x509 -sha512 -nodes -out server.crt -keyout server.key

If using an "openssl.cnf" configuration file, make sure all "default_md" directives have "sha512" as their values.

    default_md = sha512

Your new keys should now be signed with SHA512 instead of MD5, and no more complaints from Google Chrome about the weak algorithm.


P.S. CMD commands (typed by hand)

set OPENSSL_CONF=openssl.cnf
openssl.exe          (the sub-commands below are entered at the OpenSSL> prompt)

Create the CA root certificate:
req -new -x509 -sha512 -nodes -days 3650 -out ca.crt -keyout ca.key
pkcs12 -export -inkey ca.key -in ca.crt -out ca.p12

Generate the certificate request and sign it with the CA root certificate (server_21.key must already exist; -days has no effect on a CSR, the validity is fixed when the CA signs):
req -new -key server_21.key -out server_21.csr -days 3650 -extensions v3_req -config openssl-21.cnf
ca -in server_21.csr -out server_21.crt -cert ca.crt -keyfile ca.key -config openssl-21.cnf
pkcs12 -export -inkey server_21.key -in server_21.crt -out server_21.p12

Note: -extensions v3_req adds the SubjectAltName list. "If you have not set copy_extensions=copy under the [CA_default] section in the openssl.cnf file, the signed certificate will not include any of the certificate extensions that were in the original CSR."

Reference posts:
http://apetec.com/support/GenerateSAN-CSR.htm
http://documentation.progress.com/output/Iona/artix/5.5/security_guide_java/i382674.html

Revoke:
ca -cert ca.crt -keyfile ca.key -revoke server_29.crt

Inspect the request:
req -text -noout -in server_21.csr

Problem 1

java.security.cert.CertificateException: No subject alternative names present

Solution:

Add -extensions v3_req so that the SubjectAltName list is included in the request (and make sure the CA copies it into the signed certificate, see the copy_extensions note above).

Problem 2

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 31 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Solution:

Add the root certificate to the JRE trust store (run cmd as Administrator). List, delete any stale entry, then import ca.crt:

keytool -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | find "myca"
keytool -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -delete -alias myca
keytool -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -import -alias gcidesignca -file ca.crt


Problem 3

IP address as subjectaltname does not work with IE8 but works with firefox

Solution: Apparently, to make IE work, you need to use subjectAltName=DNS:10.0.0.1 instead of subjectAltName=IP:10.0.0.1.

Actually, to make all web browsers work, you'll want to use subjectAltName=DNS:10.0.0.1,IP:10.0.0.1.
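The P.S. commands above, Problem 1 and Problem 3 all come down to the same two settings: signing with SHA-512 and getting a SubjectAltName (with both DNS and IP forms) from the CSR into the signed certificate. The script below is an added example, not code from the original post: it builds a throwaway root CA, issues the same CSR twice with "openssl ca", once with copy_extensions = none and once with copy_extensions = copy, and then checks each result with "openssl verify -verify_ip", which fails on the SAN-less certificate the same way the Java client does. It assumes an openssl binary on PATH; the working directory, file names and the 10.0.0.1 address are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes "openssl" is on PATH.
# Everything is written under a temporary directory; 10.0.0.1 is a made-up address.

WORK="${WORK:-$(mktemp -d)}"

# Write a minimal openssl.cnf; $1 is the copy_extensions value ("copy" or "none").
# [server_ext] is set by the CA: in copy mode, values here override the CSR's, so a
# request cannot smuggle in basicConstraints CA:TRUE while its SAN is still copied.
write_cnf() {
    cat > "$WORK/ca_$1.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $WORK
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha512
default_days    = 365
unique_subject  = no
policy          = policy_any
x509_extensions = server_ext
copy_extensions = $1
[ policy_any ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = 10.0.0.1
[ v3_req ]
subjectAltName = DNS:10.0.0.1,IP:10.0.0.1
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Root CA signed with SHA-512 (the post's fix for Chrome's "weak signature algorithm").
make_ca() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    openssl req -new -x509 -sha512 -nodes -days 3650 -config "$WORK/ca_copy.cnf" \
        -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server key and CSR; req_extensions in [req] attaches the SAN to the request.
make_csr() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -config "$WORK/ca_copy.cnf" \
        -out "$WORK/server.csr" 2>/dev/null
}

# Sign the CSR with "openssl ca" using the cnf selected by $1 ("copy" or "none").
sign_csr() {
    openssl ca -batch -config "$WORK/ca_$1.cnf" -in "$WORK/server.csr" \
        -out "$WORK/server_$1.crt" 2>/dev/null
}

# First "Signature Algorithm" value of a certificate, e.g. sha512WithRSAEncryption.
sig_alg() {
    openssl x509 -noout -text -in "$1" | grep -m1 'Signature Algorithm' | awk '{print $3}'
}

# SAN values of a certificate with whitespace stripped; empty if the extension is absent.
san_of() {
    openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Chain check against our root plus the identity check a client does for https://10.0.0.1/
# (Java reports the same failure as "No subject alternative names present").
matches_ip() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_ip 10.0.0.1 "$1" >/dev/null 2>&1
}

run_demo() {
    write_cnf copy; write_cnf none
    make_ca; make_csr
    sign_csr copy; sign_csr none
    echo "CA signature algorithm: $(sig_alg "$WORK/ca.crt")"
    for v in none copy; do
        crt="$WORK/server_$v.crt"
        echo "copy_extensions=$v -> SAN: '$(san_of "$crt")'"
        if matches_ip "$crt"; then echo "  verify -verify_ip 10.0.0.1: OK"
        else echo "  verify -verify_ip 10.0.0.1: FAIL"; fi
    done
}

run_demo
```

Running it prints an empty SAN and a failed -verify_ip check for the copy_extensions=none certificate, and DNS:10.0.0.1, IP Address:10.0.0.1 with a passing check for the copy one. The -CAfile argument plays the role of the keytool import in Problem 2: the client has to trust ca.crt explicitly, since it is not in any system store.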



(to be continued)
