Goal: build our own CA, then use that CA to issue a certificate for Tomcat and to issue client certificates.

Check the OpenSSL version:

# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
//The version is a bit old; the upgrade is covered in the next post.

Step 1: build our own CA.

# cd /usr/
# mkdir ./vanessl/
# cd ./vanessl/
# openssl genrsa -out ca-key.pem 1024
# openssl req -new -out ca-req.csr -key ca-key.pem
//You are about to be asked to enter information that will be incorporated
//into your certificate request.
//What you are about to enter is what is called a Distinguished Name or a DN.
//There are quite a few fields but you can leave some blank
//For some fields there will be a default value,
//If you enter '.', the field will be left blank.
//-----
//Country Name (2 letter code) [GB]:CN
//State or Province Name (full name) [Berkshire]:Yun Nan
//Locality Name (eg, city) [Newbury]:Kun Ming
//Organization Name (eg, company) [My Company Ltd]:Delochi
//Organizational Unit Name (eg, section) []:Software
//Common Name (eg, your name or your server's hostname) []:Delochi CA Root
//Email Address []:
//
//Please enter the following 'extra' attributes
//to be sent with your certificate request
//A challenge password []:
//An optional company name []:
# openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -days 365
//Signature ok
//subject=/C=CN/ST=Yun Nan/L=Kun Ming/O=Delochi/OU=Software/CN=Delochi CA Root
//Getting Private key
# echo 01>ca-cert.srl
# cp ca-cert.pem ca-cert.cer

Note: genrsa without -des3 or -aes256 writes ca-key.pem unencrypted. Anyone who can read that file can issue certificates that every host trusting this CA will accept, so protect it with file permissions or a passphrase. 1024-bit RSA is also too short for anything current; use 2048 bits or more.

Note: "openssl x509 -req ... -signkey" with no extension section produces an X.509 version 1 certificate (keytool prints "Version: 1" below) that carries no basicConstraints CA:TRUE. keytool accepts it as a trusted entry, but validators that require basicConstraints on an issuer will not treat it as a CA. Generating the CA with "openssl req -x509" and a v3 extension section containing basicConstraints = CA:TRUE avoids that.

Note: "echo 01>ca-cert.srl" pre-creates the serial-number file, so the -CAcreateserial flag used in Step 2 is simply ignored. Either one is enough; both is harmless.

Import the CA certificate into the JDK's trust store:

# keytool -import -v -trustcacerts -alias delochi_ca_root -file ca-cert.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
//Enter keystore password: changeit
//Owner: CN=Delochi CA Root, OU=Software, O=Delochi, L=Kun Ming, ST=Yun Nan, C=CN
//Issuer: CN=Delochi CA Root, OU=Software, O=Delochi, L=Kun Ming, ST=Yun Nan, C=CN
//Serial number: 88072b9504be8f71
//Valid from: Thu Jan 13 07:51:29 CST 2011 until: Fri Jan 13 07:51:29 CST 2012
//Certificate fingerprints:
// MD5: DF:7F:54:4F:B3:A7:63:B3:74:31:5E:B6:29:F5:1E:E6
// SHA1: 02:24:E2:1B:57:C1:38:F5:D3:31:76:D9:6C:71:15:44:56:BE:06:11
// Signature algorithm name: SHA1withRSA
// Version: 1
//Trust this certificate? [no]: y
//Certificate was added to keystore
//[Storing /usr/java/jdk1.6.0_23/jre/lib/security/cacerts]
# keytool -alias delochi_ca_root -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
//Alias name: delochi_ca_root
//Creation date: Jan 13, 2011
//Entry type: trustedCertEntry
//Owner: CN=Delochi CA Root, OU=Software, O=Delochi, L=Kun Ming, ST=Yun Nan, C=CN
//Issuer: CN=Delochi CA Root, OU=Software, O=Delochi, L=Kun Ming, ST=Yun Nan, C=CN
//Serial number: 88072b9504be8f71
//Valid from: Thu Jan 13 07:51:29 CST 2011 until: Fri Jan 13 07:51:29 CST 2012
//Certificate fingerprints:
// MD5: DF:7F:54:4F:B3:A7:63:B3:74:31:5E:B6:29:F5:1E:E6
// SHA1: 02:24:E2:1B:57:C1:38:F5:D3:31:76:D9:6C:71:15:44:56:BE:06:11
// Signature algorithm name: SHA1withRSA
// Version: 1

Note: cacerts is the trust store for every Java program run with this JDK, and "changeit" is its well-known default password. After this import all of those programs trust anything signed with ca-key.pem, which is one more reason to keep that key locked down. If only Tomcat or a single client needs to trust the CA, import it into that application's own trust store instead of the JDK-wide one.

Step 2: use the CA to issue the Tomcat certificate.

# keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keystore server_keystore
//Enter keystore password:123456
//Re-enter new password:123456
//What is your first and last name?
// [Unknown]: 192.168.1.211
//What is the name of your organizational unit?
// [Unknown]: SoftWare
//What is the name of your organization?
// [Unknown]: Delochi
//What is the name of your City or Locality?
// [Unknown]: Kun Ming
//What is the name of your State or Province?
// [Unknown]: Yun Nan
//What is the two-letter country code for this unit?
// [Unknown]: CN
//Is CN=192.168.1.211, OU=SoftWare, O=Delochi, L=Kun Ming, ST=Yun Nan, C=CN correct?
// [no]: y
//Enter key password for <tomcat_server>
// (RETURN if same as keystore password):123456
//Re-enter new password:123456

Note: "first and last name" becomes the CN, and here it is the server's IP address. Clients that verify the server name match an IP address against an iPAddress subjectAltName, not against the CN, so a certificate with only CN=192.168.1.211 fails hostname verification in current browsers and in Java clients with endpoint identification enabled. The CA should add subjectAltName = IP:192.168.1.211 through an -extfile when it signs the request. As in Step 1, prefer -keysize 2048.

# keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server.csr -keystore server_keystore
//Enter keystore password:123456

Note: -sigalg here only selects the algorithm for the CSR's own self-signature, which the CA verifies ("Signature ok" below) and then discards; the issued certificate is signed with whatever openssl x509 uses, SHA-1 by default on this OpenSSL version. There is no reason to choose MD5, which is broken; drop the flag and let keytool use its default.

# openssl x509 -req -in server.csr -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 365
//Signature ok
//subject=/C=CN/ST=Yun Nan/L=Kun Ming/O=Delochi/OU=SoftWare/CN=192.168.1.211
//Getting CA Private Key

Note: without -extfile the server certificate is also version 1, with no subjectAltName and no extendedKeyUsage serverAuth. On a newer OpenSSL add -sha256 as well, so the certificate is not SHA-1 signed.

# keytool -import -v -trustcacerts -alias tomcat_server -file server-cert.pem -keystore server_keystore
//Enter keystore password: 123456
//Certificate reply was installed in keystore
//[Storing server_keystore]

Note: importing under the alias of the existing key pair installs server-cert.pem as a certificate reply. keytool must be able to build the chain up to a trusted root before it accepts the reply, and that works here only because -trustcacerts lets it find delochi_ca_root in cacerts (imported in Step 1). If you would rather not modify the JDK's cacerts, import ca-cert.pem into server_keystore under its own alias first, then import the reply.
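The same two steps (build a CA, have it sign a server certificate) done with a current OpenSSL (1.1.1 or 3.x) and the extensions the post's commands leave out, as an added example that is not part of the original post. It uses the OpenSSL CLI only, so it runs without a JDK; the CA key is kept unencrypted purely to keep the script non-interactive (add -aes256 to genrsa for a real CA). The DN values are the post's; the directory name, the DNS name tomcat.delochi.example, the keystore password and the 192.168.1.211 SAN are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH.
# Names, paths and the SAN values are constructed for illustration.
set -e

# Build the CA key and a self-signed v3 CA certificate inside directory $1.
make_ca() {
    work="$1"
    mkdir -p "$work"
    # basicConstraints CA:TRUE and keyCertSign are what mark this as an issuer;
    # the post's "x509 -req -signkey" route omits both (a v1 certificate).
    cat > "$work/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = CN
ST = Yun Nan
L = Kun Ming
O = Delochi
OU = Software
CN = Delochi CA Root
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$work/ca-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$work/ca-key.pem" -sha256 -days 3650 \
        -config "$work/ca.cnf" -out "$work/ca-cert.pem"
}

# Generate the server key and CSR, then have the CA sign it with server extensions.
issue_server_cert() {
    work="$1"
    cat > "$work/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C = CN
ST = Yun Nan
L = Kun Ming
O = Delochi
OU = SoftWare
CN = 192.168.1.211
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Hostname checks match the SAN, not the CN, so the IP must appear here.
subjectAltName = IP:192.168.1.211, DNS:tomcat.delochi.example
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
    openssl genrsa -out "$work/server-key.pem" 2048 2>/dev/null
    openssl req -new -key "$work/server-key.pem" -config "$work/server.cnf" \
        -out "$work/server.csr"
    # Extensions are dictated by the CA side (-extfile), never copied from the CSR.
    openssl x509 -req -in "$work/server.csr" -CA "$work/ca-cert.pem" \
        -CAkey "$work/ca-key.pem" -CAcreateserial -sha256 -days 365 \
        -extfile "$work/server.cnf" -extensions v3_server \
        -out "$work/server-cert.pem" 2>/dev/null
}

# Bundle key, certificate and CA into a PKCS#12 file that Tomcat loads directly
# (keystoreType="PKCS12"), replacing the keytool certreq/import round trip.
make_pkcs12() {
    work="$1"
    openssl pkcs12 -export -inkey "$work/server-key.pem" -in "$work/server-cert.pem" \
        -certfile "$work/ca-cert.pem" -name tomcat_server \
        -passout pass:changeit -out "$work/server.p12"
}

# Checks a practitioner runs before deploying: prints "ok" when the server
# certificate chains to the CA, "fail" otherwise.
verify_chain() {
    if openssl verify -CAfile "$1/ca-cert.pem" "$1/server-cert.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}
# True when the issued certificate carries the IP SAN clients will match on.
has_ip_san() {
    openssl x509 -in "$1/server-cert.pem" -noout -text | grep -q 'IP Address:192.168.1.211'
}
# True when the CA certificate is actually marked as a CA.
ca_is_v3_ca() {
    openssl x509 -in "$1/ca-cert.pem" -noout -text | grep -q 'CA:TRUE'
}

# Stand-alone run: build everything in a fresh temporary directory.
demo_dir=$(mktemp -d)
make_ca "$demo_dir"
issue_server_cert "$demo_dir"
make_pkcs12 "$demo_dir"
echo "chain: $(verify_chain "$demo_dir") (files in $demo_dir)"
```

For Tomcat, point the HTTPS connector at the bundle with keystoreFile="server.p12", keystoreType="PKCS12" and keystorePass="changeit" (the assumed password above). If you prefer the post's JKS flow, the equivalent is to import ca-cert.pem into server_keystore as its own trusted entry first (keytool -importcert -alias delochi_ca_root -file ca-cert.pem -keystore server_keystore) and then import server-cert.pem under the key pair's alias, which keeps the JDK's cacerts untouched.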