set SERVER_DN="CN=Server, OU=ec, O=ec, L=BEIJINGC, S=BEIJING, C=CN"
set CLIENT_DN="CN=Client, OU=ec, O=ec, L=BEIJING, S=BEIJING, C=CN"
set KS_PASS=-storepass changeit
set KEYINFO=-keyalg RSA
keytool -genkey -alias Server -dname %SERVER_DN% %KS_PASS% -keystore server.keystore %KEYINFO% -keypass changeit
keytool -export -alias Server -file test_axis.cer %KS_PASS% -keystore server.keystore
keytool -import -file test_axis.cer %KS_PASS% -keystore client.truststore -alias serverkey -noprompt
keytool -genkey -alias Client -dname %CLIENT_DN% %KS_PASS% -keystore client.keystore %KEYINFO% -keypass changeit
keytool -export -alias Client -file test_axis.cer %KS_PASS% -keystore client.keystore
keytool -import -file test_axis.cer %KS_PASS% -keystore server.truststore -alias clientkey -noprompt
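Both exports in the script above write to the same file, test_axis.cer, and both imports run with -noprompt, so if the second export fails the server's own certificate is imported into server.truststore as clientkey without any prompt. The following check is an added example, not part of the original script; the class name VerifyTrustPairing is hypothetical, while the file names, aliases and store password are the ones the script uses. It confirms that each truststore holds the peer's certificate and prints its SHA-256 fingerprint.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;

// Added example: verifies the keystore/truststore pairing produced by the script.
public class VerifyTrustPairing {

    // Load a keystore file using the JVM default type, which is also what
    // keytool uses when no -storetype is given.
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    // SHA-256 over the DER encoding, formatted like keytool's fingerprint lines.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // True when keyAlias is a private-key entry, trustAlias is a certificate-only
    // entry, and both aliases refer to the same certificate.
    static boolean paired(KeyStore keys, String keyAlias, KeyStore trust, String trustAlias) throws Exception {
        Certificate own = keys.getCertificate(keyAlias);
        Certificate pinned = trust.getCertificate(trustAlias);
        boolean ok = own != null && own.equals(pinned)
                && keys.isKeyEntry(keyAlias) && trust.isCertificateEntry(trustAlias);
        System.out.println(keyAlias + " -> " + trustAlias + ": " + (ok ? "OK " + fingerprint(own) : "MISMATCH"));
        return ok;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray(); // store password set by the script
        // Non-short-circuit & so that both pairings are always reported.
        boolean ok = paired(load("server.keystore", pass), "Server", load("client.truststore", pass), "serverkey")
                & paired(load("client.keystore", pass), "Client", load("server.truststore", pass), "clientkey");
        if (!ok) System.exit(1);
    }
}
```

Run it in the directory that holds the four generated stores; a non-zero exit code means at least one truststore does not hold the expected peer certificate.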
Another way to create the keys
generateKeyPair.bat
set SERVER_DN="CN=Server, OU=ec, O=ec, L=BEIJINGC, S=BEIJING, C=CN"
set CLIENT_DN="CN=Client, OU=ec, O=ec, L=BEIJING, S=BEIJING, C=CN"
set KS_PASS=-storepass changeit
set KEYINFO=-keyalg RSA
keytool -genkey -alias Server -dname %SERVER_DN% %KS_PASS% -keystore server.keystore %KEYINFO% -keypass changeit
keytool -export -alias Server -file test_axis.cer %KS_PASS% -keystore server.keystore
keytool -import -file test_axis.cer %KS_PASS% -keystore client.truststore -alias serverkey -noprompt
keytool -genkey -alias Client -dname %CLIENT_DN% %KS_PASS% -keystore client.keystore %KEYINFO% -keypass changeit
keytool -export -alias Client -file test_axis.cer %KS_PASS% -keystore client.keystore
keytool -import -file test_axis.cer %KS_PASS% -keystore server.truststore -alias clientkey -noprompt
generateKeyStore.bat
call generateKeyPair.bat server serverpass serverStore.jks storepass serverKey.rsa
call generateKeyPair.bat client clientpass clientStore.jks storepass clientKey.rsa
keytool -import -alias server -file serverKey.rsa -keystore clientStore.jks -storepass storepass -noprompt
keytool -import -alias client -file clientKey.rsa -keystore serverStore.jks -storepass storepass -noprompt
The theory behind it:
Keystores and the Java Keytool Utility
%JAVA_HOME%/bin/keytool -genkey -alias privkey -keystore privkeystore -dname "cn=privkey" -keypass foobar -storepass foobar
To generate a key-pair to use as a certificate/public-key, use this code (again, enter the entire command on a single line).
%JAVA_HOME%/bin/keytool -genkey -alias pubcert -keystore pubcertkeystore -dname "cn=pubcert" -keypass foobar -storepass foobar
The preceding commands
To examine the contents of a keystore, execute the keytool utility with the -list option. For example, to examine the first (privkeystore) contents created earlier use:
%JAVA_HOME%/bin/keytool -list -keystore privkeystore
Enter keystore password: foobar
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
privkey, Jul 25, 2005, keyEntry,
Certificate fingerprint (MD5): A1:FA:99:E2:A7:E8:1A:FB:D8:B7:87:91:D1:0E:9C:F8
Now, look at the pubcert certificate keystore:
%JAVA_HOME%/bin/keytool -list -keystore pubcertkeystore
Enter keystore password: foobar
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
pubcert, Jul 25, 2005, keyEntry,
Certificate fingerprint (MD5): 99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
To examine a key in detail, you can use the keytool utility to display it to the console in RFC 1421 format using the -rfc option, as follows:
%JAVA_HOME%/bin/keytool -export -keystore privkeystore -alias privkey -storepass foobar -rfc
You'll see output on the console similar to the following:
-----BEGIN CERTIFICATE-----
MIIBlTCB/wIEQuWjhTANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDEwd0ZXN
0a2V5MB4XDTA1MDcyNjAyNDQyMVoXDTA1MTAyNDAyNDQyMVowEjEQMA4GA1
UEAxMHdGVzdGtleTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAz/HFY
xicr+vonubY3rgnJFdl6OsvbinR2L54U7WKHNz2w7w3cOvTMGqop/xQtePx
k3hXIJFs27OBC28Y8jRKYdgGDYMVU5/V0ddlGQUgfU7Xy9jdIPm61ayu3QH
9LcXYSzVfHNeL3HHRcJV3jSwRs1K/vIVZKLNnBRufe2kORK0CAwEAATANBg
kqhkiG9w0BAQQFAAOBgQBWAoAzG5B54dNUt7t3iU98Dre0EI9JkEn8HYiix
oJxs1SmI/vESDbuAJY9EbjlPnvhHrgZL3rtb8twwzHwbLhnxVeV/LRk2C2e
ghkPPEklp3w+UVv5U3dsvoR6LO4z3fTjnc+YbMG0Iss5gkwxJqYy/6qeyYY
3EGoxl8Ehyu/hOw==
-----END CERTIFICATE-----

Self-Signing Certificates
%JAVA_HOME%/bin/keytool -selfcert -alias privkey -keystore privkeystore -keypass foobar -storepass foobar
Now, the certificate can be self-signed, as follows:
%JAVA_HOME%/bin/keytool -selfcert -alias pubcert -keystore pubcertkeystore -keypass foobar -storepass foobar

Exporting Certificates with the Keytool Utility
%JAVA_HOME%/bin/keytool -export -keystore pubcertkeystore -alias pubcert -storepass foobar -file pubcert
You should see a response that says:
Certificate stored in file <pubcert>
You can also use the keytool utility to display the contents of the certificate file using the -printcert option, as follows:
%JAVA_HOME%/bin/keytool -printcert -file pubcert
The output will look like:
Owner: CN=pubcert
Issuer: CN=pubcert
Serial number: 42e5b3c4
Valid from: Mon Jul 25 21:53:40 MDT 2005 until: Sun Oct 23 21:53:40 MDT 2005
Certificate fingerprints:
MD5: 99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
SHA1: EC:59:92:E9:1F:8A:A6:0A:85:54:EC:76:47:DB:5F:3F:D2:15:78:77
The exported certificate contains the public key and distinguished name given to the certificate (in this case, pubcert).
%JAVA_HOME%/bin/keytool -import -alias pubcert -file pubcert -keystore privkeystore -storepass foobar
The output looks like:
Owner: CN=pubcert
Issuer: CN=pubcert
Serial number: 42e5b3c4
Valid from: Mon Jul 25 21:53:40 MDT 2005 until: Sun Oct 23 21:53:40 MDT 2005
Certificate fingerprints:
MD5: 99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
SHA1: EC:59:92:E9:1F:8A:A6:0A:85:54:EC:76:47:DB:5F:3F:D2:15:78:77
Answer the following question:
Trust this certificate? [no]: yes
Certificate was added to keystore
Now that the certificate has been imported into the private key's keystore, you can reexamine the contents of the keystore using the keytool utility with the -list option, as follows:
%JAVA_HOME%/bin/keytool -list -keystore privkeystore
Enter keystore password: foobar
After entering your password you'll see the following output:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
privkey, Jul 25, 2005, keyEntry,
Certificate fingerprint (MD5): E7:4A:D9:D7:67:A6:6D:E7:A5:C4:28:22:3D:C5:C4:30
pubcert, Jul 25, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
As the preceding examples illustrated, there are now two entries in the private-key's keystore. The first, with the alias testkey, is identified as a key entry. The second entry is the certificate from the certificate file.