A recent project needed OpenSSL and keystore certificates produced together, so I took a brief look at how to do it. The steps for generating the certificates are as follows:
- Generate the CA (certificate authority) public-key certificate and private key
```
[root@local cert]# openssl req -newkey rsa:2048 -x509 -keyout ca.key -out ca.crt
Generating a 2048 bit RSA private key
....................................................+++
........................+++
writing new private key to 'ca.key'
Enter PEM pass phrase:                (enter the CA password)
Verifying - Enter PEM pass phrase:    (enter the CA password again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:BankOfMobile
Organizational Unit Name (eg, section) []:Inc
Common Name (eg, your name or your server's hostname) []:BankOfCA
Email Address []:394806487@qq.com
```
- Generate the keystore file
```
[root@local cert]# keytool -genkey -alias bank_server -validity 3650 -keyalg RSA -keysize 2048 -keypass 123456 -storepass 123456 -keystore server_keystore
您的名字与姓氏是什么?
  [Unknown]:  liu.weihua
您的组织单位名称是什么?
  [Unknown]:  BankOfMobile
您的组织名称是什么?
  [Unknown]:  Inc
您所在的城市或区域名称是什么?
  [Unknown]:  BeiJing
您所在的省/市/自治区名称是什么?
  [Unknown]:  BeiJing
该单位的双字母国家/地区代码是什么?
  [Unknown]:  CN
CN=liu.weihua, OU=BankOfMobile, O=Inc, L=BeiJing, ST=BeiJing, C=CN是否正确?
  [否]:  是
```
- Generate the user certificate request file from the keystore
```
[root@local cert]# keytool -certreq -alias bank_server -sigalg MD5withRSA -file bank_server.csr -keypass 123456 -storepass 123456 -keystore server_keystore
```
- Generate the user certificate from the user request file, the CA certificate and the CA private key
```
[root@local cert]# 
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1099511627780 (0x10000000004)
        Validity
            Not Before: Jun 18 02:20:18 2015 GMT
            Not After : Jun 17 02:20:18 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = Inc
            organizationalUnitName    = BankOfMobile
            commonName                = liu.weihua
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                63:16:6B:28:FA:A8:88:40:86:CF:7C:4D:CD:4C:AB:09:55:19:49:B4
            X509v3 Authority Key Identifier:
                keyid:4A:7F:36:58:9C:37:C0:0B:65:81:FE:F5:78:F9:A3:CE:9A:99:AD:12

Certificate is to be certified until Jun 17 02:20:18 2016 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
- Write the CA certificate into the keystore file under the alias my_ca_root
```
[root@local cert]# keytool -import -v -trustcacerts -alias my_ca_root -file ca.crt -storepass 123456 -keystore server_keystore
所有者: EMAILADDRESS=liu.weihua@rytong.com, CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
发布者: EMAILADDRESS=liu.weihua@rytong.com, CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
序列号: b06c467d0d1ff815
有效期开始日期: Thu Jun 18 10:17:01 CST 2015, 截止日期: Sat Jul 18 10:17:01 CST 2015
证书指纹:
         MD5: B8:ED:67:09:68:2A:7C:E0:FF:57:18:C9:2B:6D:C7:2A
         SHA1: 18:64:40:BA:88:92:FC:8D:4D:19:17:87:19:A2:4B:E0:D3:CA:FD:46
         SHA256: AF:A6:FA:80:15:FD:BC:8F:6C:44:F6:C1:06:41:46:57:32:F1:36:77:72:13:E1:37:1B:B3:D4:8B:AD:3F:2D:7E
签名算法名称: SHA1withRSA
版本: 3

扩展:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]

是否信任此证书? [否]:  是
证书已添加到密钥库中
[正在存储server_keystore]
```
- Write the user certificate into the keystore under the alias bank_server
```
[root@local cert]# keytool -import -v -alias bank_server -file bank_server.crt -storepass 123456 -keystore server_keystore
证书回复已安装在密钥库中
[正在存储server_keystore]
```
- List all certificates stored in the keystore
```
[root@local cert]# keytool -list -v -keystore server_keystore
输入密钥库口令:

密钥库类型: JKS
密钥库提供方: SUN

您的密钥库包含 2 个条目

别名: my_ca_root
创建日期: 2015-6-18
条目类型: trustedCertEntry

所有者: EMAILADDRESS=liu.weihua@rytong.com, CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
发布者: EMAILADDRESS=liu.weihua@rytong.com, CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
序列号: b06c467d0d1ff815
有效期开始日期: Thu Jun 18 10:17:01 CST 2015, 截止日期: Sat Jul 18 10:17:01 CST 2015
证书指纹:
         MD5: B8:ED:67:09:68:2A:7C:E0:FF:57:18:C9:2B:6D:C7:2A
         SHA1: 18:64:40:BA:88:92:FC:8D:4D:19:17:87:19:A2:4B:E0:D3:CA:FD:46
         SHA256: AF:A6:FA:80:15:FD:BC:8F:6C:44:F6:C1:06:41:46:57:32:F1:36:77:72:13:E1:37:1B:B3:D4:8B:AD:3F:2D:7E
签名算法名称: SHA1withRSA
版本: 3

扩展:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]


*******************************************
*******************************************


别名: bank_server
创建日期: 2015-6-18
条目类型: PrivateKeyEntry
证书链长度: 2
证书[1]:
所有者: CN=liu.weihua, OU=BankOfMobile, O=Inc, ST=BeiJing, C=CN
发布者: EMAILADDRESS=liu.weihua@rytong.com, CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
序列号: 10000000004
有效期开始日期: Thu Jun 18 10:20:18 CST 2015, 截止日期: Fri Jun 17 10:20:18 CST 2016
证书指纹:
         MD5: A9:D9:89:03:35:DC:B7:D6:8D:16:2F:2E:0D:B2:2C:34
         SHA1: F2:40:B5:5F:3D:22:2F:3C:75:89:E7:62:97:A8:03:94:78:DF:47:DD
         SHA256: BD:AD:DE:D6:EA:2C:6E:49:82:AC:71:9F:59:D6:07:D0:A9:A9:3D:B4:CB:00:34:AA:03:7C:1A:7F:80:8B:F1:F6
签名算法名称: SHA1withRSA
版本: 3

扩展:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 1D 4F 70 65 6E 53 53   4C 20 47 65 6E 65 72 61  ..OpenSSL Genera
0010: 74 65 64 20 43 65 72 74   69 66 69 63 61 74 65     ted Certificate


#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 63 16 6B 28 FA A8 88 40   86 CF 7C 4D CD 4C AB 09  c.k(...@...M.L..
0010: 55 19 49 B4                                        U.I.
]
]

证书[2]:
所有者: EMAILADDRESS=liu.weihua@rytong.com, CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
发布者: EMAILADDRESS=liu.weihua@rytong.com, CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
序列号: b06c467d0d1ff815
有效期开始日期: Thu Jun 18 10:17:01 CST 2015, 截止日期: Sat Jul 18 10:17:01 CST 2015
证书指纹:
         MD5: B8:ED:67:09:68:2A:7C:E0:FF:57:18:C9:2B:6D:C7:2A
         SHA1: 18:64:40:BA:88:92:FC:8D:4D:19:17:87:19:A2:4B:E0:D3:CA:FD:46
         SHA256: AF:A6:FA:80:15:FD:BC:8F:6C:44:F6:C1:06:41:46:57:32:F1:36:77:72:13:E1:37:1B:B3:D4:8B:AD:3F:2D:7E
签名算法名称: SHA1withRSA
版本: 3

扩展:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]


*******************************************
*******************************************
```
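The whole CA -> CSR -> signed certificate -> keystore procedure above as one non-interactive script. This is an added example, not the post's own commands: it signs with SHA-256 instead of the post's MD5withRSA/SHA1withRSA, uses `openssl x509 -req` in place of `openssl ca` (so no index/serial database is needed), creates the server key with openssl so the OpenSSL half runs without a JDK, and moves the key into the keystore through PKCS#12. The file names `bank_server.key`, `bank_server.p12` and the `KEYSTORE_PASS` variable are assumptions; the subject names are the post's.

```shell
#!/bin/sh
# Added example, not the post's own commands: the post's CA -> CSR -> leaf ->
# keystore workflow, non-interactive, signed with SHA-256 instead of the
# post's MD5withRSA/SHA1withRSA. Assumes openssl in PATH; keytool is optional.
# Subject names are the post's; bank_server.key/.p12 and KEYSTORE_PASS are made up.
set -eu

# build_chain DIR: self-signed CA, server CSR and CA-signed server cert in DIR,
# then verify the chain and print the leaf's signature algorithm.
build_chain() {
    dir=$1
    mkdir -p "$dir"
    # 1. CA key + self-signed CA cert (-x509 yields basicConstraints CA:TRUE).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=BankOfMobile/OU=Inc/CN=BankOfCA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key + CSR. The post does this with keytool -genkey/-certreq;
    #    openssl is used here so this part also runs without a JDK.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Inc/OU=BankOfMobile/CN=liu.weihua" \
        -keyout "$dir/bank_server.key" -out "$dir/bank_server.csr" 2>/dev/null
    # 3. Sign the CSR. The post uses 'openssl ca' (needs the index/serial
    #    database from openssl.cnf); 'x509 -req' needs no database.
    openssl x509 -req -sha256 -days 365 -in "$dir/bank_server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/bank_server.crt" 2>/dev/null
    # 4. The check the post skips: does the leaf actually chain to ca.crt?
    openssl verify -CAfile "$dir/ca.crt" "$dir/bank_server.crt" >/dev/null
    openssl x509 -in "$dir/bank_server.crt" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# import_chain DIR: the post's two keytool -import steps (CA as trustedCertEntry
# "my_ca_root", key + leaf as PrivateKeyEntry "bank_server"), via PKCS#12 because
# the key was made by openssl. Password from KEYSTORE_PASS (the post hardcodes 123456).
import_chain() {
    dir=$1; pass=${KEYSTORE_PASS:-changeit}
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipped"; return 0; }
    openssl pkcs12 -export -name bank_server -in "$dir/bank_server.crt" \
        -inkey "$dir/bank_server.key" -certfile "$dir/ca.crt" \
        -out "$dir/bank_server.p12" -passout "pass:$pass"
    rm -f "$dir/server_keystore"
    keytool -importkeystore -srcstoretype PKCS12 -srckeystore "$dir/bank_server.p12" \
        -srcstorepass "$pass" -destkeystore "$dir/server_keystore" -deststorepass "$pass"
    keytool -import -noprompt -trustcacerts -alias my_ca_root -file "$dir/ca.crt" \
        -keystore "$dir/server_keystore" -storepass "$pass"
    keytool -list -keystore "$dir/server_keystore" -storepass "$pass"   # expect 2 entries
}
```

Run as `build_chain work && import_chain work`; `keytool -list -v` on the result shows the same two aliases as the post's listing, but with sha256WithRSAEncryption signatures.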
- Generate the binary-format CA certificate files needed by the Android and iOS clients