1.CA子签名证书
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=chain.test.com/OU=department/O=CorpName/L=beijing/ST=Haidian/C=CN" -days 36500 -out ca.cert
openssl pkcs12 -export -clcerts -name ca -inkey ca.key -in ca.cert -out ca.p12
如果要作为服务器验证根证书,则不能直接用这个 ca.p12,因为这个是带私钥的privateKeyEntry,需要:
keytool -delete -alias ca -keystore ca.p12 -storetype PKCS12 -storepass changeit
keytool -import -alias ca -file ca.cert -keystore ca.p12 -storetype PKCS12 -storepass changeit
这样生成的是 trustedKeyEntry,只有证书
2.生成中间证书
openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr -config croot.conf
openssl x509 -req -in root.csr -CA ca.cert -CAkey ca.key -CAcreateserial -out root.cert -days 365 -extensions v3_req -extfile croot.conf
openssl pkcs12 -export -clcerts -name root -inkey root.key -in root.cert -out root.p12
keytool -delete -alias root -keystore root.p12 -storetype PKCS12 -storepass changeit
keytool -import -alias root -file root.cert -keystore root.p12 -storetype PKCS12 -storepass changeit
troot.conf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CN
ST = BJ
L = BJ
O = BAIDU
OU = fsg
CN = www.root.test.com
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1=10.***
3.生成 Client 证书
openssl genrsa -out platform.key 2048
openssl req -new -key platform.key -out platform.csr -config cplatform.conf
openssl x509 -req -in platform.csr -CA root.cert -CAkey root.key -CAcreateserial -out platform.cert -days 365 -extensions v3_req -extfile cplatform.conf
openssl pkcs12 -export -clcerts -name secretkey -inkey platform.key -in platform.cert -out platform.p12
# 构建证书链,将上级证书加入platform.p12,platform 自己的证书是 privateKeyEntry
keytool -import -alias root -keystore platform.p12 -storetype PKCS12 -storepass changeit -trustcacerts -file root.cert
tplatform.conf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CN
ST = BJ
L = BJ
O = BAIDU
OU = fsg
CN = www.platform.test.com
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1=10.115.***.95
查看一下最后生成的
$ keytool -list -keystore platform.p12 -storetype pkcs12 -storepass changeit
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 3 entries
secretkey, Dec 11, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 95:B9:97:52:46:25:83:C7:EE:6B:42:17:55:0B:6D:0D:D6:9F:9D:60
root, Dec 11, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): D5:D5:E9:2D:76:0B:C3:1D:79:1E:D8:08:FD:DE:A8:03:7E:8D:8F:0A
ca, Dec 11, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): AA:31:9E:AA:E8:79:EC:E8:E1:EF:89:C3:CD:86:75:79:6C:95:AF:B4
4.TOMCAT配置
<Connector port="8543" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
sslProtocol="TLS" keystoreFile="${catalina.base}/webapps/ROOT/WEB-INF/classes/META-INF/caFiles/platform.p12"
keystorePass="changeit" keystoreType="PKCS12"
keyAlias="secretkey"
truststoreFile="${catalina.base}/webapps/ROOT/WEB-INF/classes/META-INF/caFiles/root.p12"
truststorePass="changeit" truststoreType="PKCS12"
clientAuth="true"/>