Using keytool/OpenSSL to generate the server certificate, the client certificate and the root certificate

Source: Internet. Editor: 程序博客网. Time: 2024/05/16 11:48

1. First download and install OpenSSL, then add D:\zhengshu\OpenSSL-Win32\bin to the PATH environment variable (use the directory OpenSSL was actually installed in).

2. Install a JDK (preferably 1.7 or newer; I used 1.7).

Then open a cmd prompt and run the following commands:

C:\Users\Administrator>d:
D:\>mkdir server
D:\>mkdir client
D:\>mkdir demoCA

Then create three empty text files inside demoCA: index.txt, index.txt.attr and serial.

D:\>mkdir demoCA\certs
D:\>mkdir demoCA\newcerts


Part 1. Generate the CA root certificate

D:\>openssl genrsa -out demoCA\ca-key.pem 1024

D:\>openssl req -new -out demoCA\ca-req.csr -key demoCA\ca-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:gd
Locality Name (eg, city) []:gz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sinobest
Organizational Unit Name (eg, section) []:sinobest
Common Name (e.g. server FQDN or YOUR name) []:songbo
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:

D:\>openssl x509 -req -in demoCA\ca-req.csr -out demoCA\ca-cert.pem -signkey demoCA\ca-key.pem -days 365
Signature ok
subject=C = cn, ST = gd, L = gz, O = sinobest, OU = sinobest, CN = songbo
Getting Private key


Part 2. Generate the server certificate

D:\>keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass 123456 -storepass 123456 -keystore server\server_keystore
您的名字与姓氏是什么?
[Unknown]: songbo  // enter your own machine's IP address here
您的组织单位名称是什么?
[Unknown]: sinobest
您的组织名称是什么?
[Unknown]: sinobest
您所在的城市或区域名称是什么?
[Unknown]: gz
您所在的省/市/自治区名称是什么?
[Unknown]: gd
该单位的双字母国家/地区代码是什么?
[Unknown]: cn
CN=songbo, OU=sinobest, O=sinobest, L=gz, ST=gd, C=cn是否正确?
[]: y

D:\>keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server\server.csr -keypass 123456 -keystore server\server_keystore -storepass 123456

D:\>openssl x509 -req -in server\server.csr -out server\server-cert.pem -CA demoCA\ca-cert.pem -CAkey demoCA\ca-key.pem -CAserial demoCA/ca-cert.srl -CAcreateserial -days 365
Signature ok
subject=C = cn, ST = gd, L = gz, O = sinobest, OU = sinobest, CN = songbo
Getting CA Private Key

D:\>keytool -importcert -v -trustcacerts -alias my_ca_root -file demoCA\ca-cert.pem -keystore server\server_keystore
输入密钥库口令:
再次输入新口令:
所有者: CN=songbo, OU=sinobest, O=sinobest, L=gz, ST=gd, C=cn
发布者: CN=songbo, OU=sinobest, O=sinobest, L=gz, ST=gd, C=cn
序列号: b2278694fb7eff37
有效期开始日期: Thu Dec 08 08:54:10 CST 2016, 截止日期: Fri Dec 08 08:54:10 CST 2017
证书指纹:
MD5: 12:E6:27:EC:57:B3:C5:44:02:E2:63:9A:67:71:6B:5C
SHA1: 1A:5C:50:DC:CD:82:80:C4:48:70:28:5C:34:87:23:AE:68:EC:73:77
SHA256: 4E:98:E6:15:42:C2:9C:CB:DC:A5:11:0E:BE:A6:11:F3:2B:C3:46:0C:91:C5:D1:78:C0:99:CF:37:63:64:F4:8D
签名算法名称: SHA256withRSA
版本: 1
是否信任此证书? []: y
证书已添加到密钥库中
[正在存储D:/demoCA/tomcat.keystore]

D:\>keytool -import -v -alias my_server -file server\server-cert.pem -keystore server\server_keystore
输入密钥库口令:
所有者: CN=songbo, OU=sinobest, O=sinobest, L=gz, ST=gd, C=cn
发布者: CN=songbo, OU=sinobest, O=sinobest, L=gz, ST=gd, C=cn
序列号: 8428eb217535b2fe
有效期开始日期: Thu Dec 08 08:58:59 CST 2016, 截止日期: Fri Dec 08 08:58:59 CST 2017
证书指纹:
MD5: 96:43:F4:14:13:46:22:DA:F7:5C:25:15:98:4E:4C:19
SHA1: 6A:9F:A7:66:36:80:1A:74:F9:0B:F3:51:C5:C4:91:EB:54:3D:0E:EF
SHA256: CD:CF:11:26:B5:1C:CF:FA:EF:BC:FF:C4:84:7C:B7:9D:9B:D1:3A:44:D0:22:F8:A8:4D:05:75:04:94:CD:45:86
签名算法名称: SHA256withRSA
版本: 1
是否信任此证书? []: y
证书已添加到密钥库中
[正在存储server\server_keystore]

Part 3. Generate the client certificate

D:\>openssl genrsa -out client\client-key.pem 1024

D:\>openssl req -new -out client\client-req.csr -key client\client-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:gd
Locality Name (eg, city) []:gz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:sinobest
Organizational Unit Name (eg, section) []:sinobest
Common Name (e.g. server FQDN or YOUR name) []:songbo
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:

Note: export the root certificate so it can be installed into IE's Trusted Root Certification Authorities store.

D:\>openssl x509 -inform PEM -in demoCA\ca-cert.pem -out demoCA\ca.crt

Note: sign the client certificate with the CA.

D:\>openssl ca -in client\client-req.csr -out client/client.crt -cert demoCA\ca.crt -keyfile demoCA\ca-key.pem -notext -config D:\zhengshu\OpenSSL-Win32\bin\cnf\openssl.cnf   // use the path of your own OpenSSL installation here
Using configuration from C:\OpenSSL-Win32\bin\cnf\openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Dec 8 02:05:44 2016 GMT
            Not After : Dec 8 02:05:44 2017 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = gd
            organizationName          = sinobest
            organizationalUnitName    = sinobest
            commonName                = songbo
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                4C:FB:86:A7:62:5E:6A:66:7F:7B:4C:74:B7:7D:65:D1:31:7C:59:47
            X509v3 Authority Key Identifier:
                DirName:/C=cn/ST=gd/L=gz/O=sinobest/OU=sinobest/CN=songbo
                serial:B2:27:86:94:FB:7E:FF:37
Certificate is to be certified until Dec 8 02:05:44 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

D:\>openssl pkcs12 -export -clcerts -in client\client.crt -inkey client\client-key.pem -out client\client.p12
Enter Export Password:
Verifying - Enter Export Password:


Part 4. Server-side authentication of the client certificate

D:\>keytool -export -alias client -keystore client\client.p12 -storetype PKCS12 -rfc -file client\client.key.cer
输入密钥库口令:
存储在文件 <client\client.key.cer> 中的证书

D:\>keytool -import -v -file client\client.key.cer -keystore server\server_keystore

Part 5. The client installs and trusts the server certificate

D:\>keytool -export -alias tomcat_server -keystore server\server_keystore -file server\tomcat.cer
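The whole procedure above, redone as one POSIX shell script. This is an added example, not the page's commands; the directory layout, the subjects, the SAN value (127.0.0.1) and the reused password 123456 are assumptions made for it, and it needs openssl 1.1.0 or later (the keytool steps run only when keytool is on the PATH). It keeps the page's structure (root CA, server certificate signed with `openssl x509 -req`, client certificate signed with `openssl ca` against the index.txt/serial database) but uses 2048-bit keys and SHA-256 instead of 1024-bit keys and an MD5withRSA request signature, marks the CA with basicConstraints CA:TRUE, and gives the server certificate a SAN and a serverAuth EKU: `x509 -req` without an extfile produces the v1, extension-less certificates seen in the transcript (版本: 1, and an Authority Key Identifier written as DirName/serial because the CA carries no Subject Key Identifier), and current browsers ignore the CN and require a SAN. Two details a practitioner will hit: the serial file must hold a starting number (with an empty file `openssl ca` fails with "unable to load number"), and the CA-signed server certificate has to replace the self-signed one under the same alias as the key pair (tomcat_server); importing it under a second alias, as the `my_server` step above does, only adds a trusted-certificate entry and leaves the key entry self-signed, so the script bundles key plus chain into a PKCS#12 and uses `keytool -importkeystore`.

```shell
#!/bin/sh
# Added example, not the page's commands: a private root CA issues a server and
# a client certificate (2048-bit RSA, SHA-256, X.509v3 extensions with a SAN)
# and packages them as PKCS#12 for keytool. Paths, subjects, the SAN and the
# password 123456 are constructed for this example.
set -eu

write_cnf() {  # $1 = CA dir; config used by `openssl req` and `openssl ca`
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca-cert.pem
private_key = \$dir/ca-key.pem
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = client_cert
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF
}

make_ca() {  # $1 = CA dir
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"  # must contain a number; an empty file makes openssl ca fail
    write_cnf "$1"
    openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 365 -key "$1/ca-key.pem" \
        -subj "/C=cn/O=sinobest/CN=sinobest demo root" \
        -config "$1/openssl.cnf" -extensions v3_ca -out "$1/ca-cert.pem"
}

issue_server() {  # $1 = CA dir, $2 = out dir, $3 = host name or IP for the SAN
    mkdir -p "$2"
    openssl genrsa -out "$2/server-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$2/server-key.pem" -subj "/C=cn/O=sinobest/CN=$3" \
        -config "$1/openssl.cnf" -out "$2/server.csr"
    # x509 -req alone yields a v1 certificate without extensions (the "版本: 1"
    # in the transcript); the extfile makes it v3 with a SAN and a serverAuth EKU.
    case "$3" in *[a-zA-Z]*) san="DNS:$3" ;; *) san="IP:$3" ;; esac
    printf '%s\n' "basicConstraints=CA:FALSE" \
        "keyUsage=critical,digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" "subjectAltName=$san" > "$2/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$2/server.csr" -CA "$1/ca-cert.pem" \
        -CAkey "$1/ca-key.pem" -CAcreateserial -extfile "$2/server.ext" \
        -out "$2/server-cert.pem" 2>/dev/null
    # key + chain in one PKCS#12, so keytool keeps them under a single alias
    openssl pkcs12 -export -name tomcat_server -in "$2/server-cert.pem" \
        -inkey "$2/server-key.pem" -certfile "$1/ca-cert.pem" \
        -passout pass:123456 -out "$2/server.p12"
}

issue_client() {  # $1 = CA dir, $2 = out dir, $3 = client CN; signs via the CA database
    mkdir -p "$2"
    openssl genrsa -out "$2/client-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$2/client-key.pem" -subj "/C=cn/O=sinobest/CN=$3" \
        -config "$1/openssl.cnf" -out "$2/client-req.csr"
    openssl ca -batch -notext -config "$1/openssl.cnf" \
        -in "$2/client-req.csr" -out "$2/client.crt" 2>/dev/null
    openssl pkcs12 -export -name client -in "$2/client.crt" -inkey "$2/client-key.pem" \
        -certfile "$1/ca-cert.pem" -passout pass:123456 -out "$2/client.p12"
}

verify_as() {  # $1 = CA cert, $2 = cert, $3 = sslserver|sslclient; exit 0 if valid for that use
    openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

import_server_keystore() {  # $1 = CA dir, $2 = server dir; Java side, skipped without keytool
    command -v keytool >/dev/null 2>&1 || return 0
    keytool -importkeystore -noprompt -srckeystore "$2/server.p12" -srcstoretype PKCS12 \
        -srcstorepass 123456 -destkeystore "$2/server_keystore" -deststorepass 123456
    keytool -importcert -noprompt -alias my_ca_root -file "$1/ca-cert.pem" \
        -keystore "$2/server_keystore" -storepass 123456
}

WORK=${PKI_DEMO_DIR:-$(mktemp -d)}
make_ca "$WORK/demoCA"
issue_server "$WORK/demoCA" "$WORK/server" 127.0.0.1
issue_client "$WORK/demoCA" "$WORK/client" songbo
import_server_keystore "$WORK/demoCA" "$WORK/server"
```

Run it from Git Bash or any POSIX shell as `PKI_DEMO_DIR=/d/pki sh pki-demo.sh` (or let it pick a temporary directory). Afterwards `verify_as demoCA/ca-cert.pem server/server-cert.pem sslserver` exits 0 while the same check with sslclient fails, because the EKU restricts that certificate to server use; `-name client` on the client PKCS#12 is what gives the page's `keytool -export -alias client` an entry of that alias to find.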

 
