Original post: http://www.eussi.top/view/27
public class _01_Keytool {
/**
* passwd:123456
*
1. Build a self-signed certificate
# Before building the certificate, generate a key pair, i.e. the public/private key pair of an asymmetric cipher
C:\Users\wangxueming>keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -validity 36000 -alias www.eussi.top -keystore eussi.keystore -storepass 123456 -dname "CN=www.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN"
输入 <www.eussi.top> 的密钥口令
(如果和密钥库口令相同, 按回车):
# The command above created a digital certificate. It has not been certified by a CA yet, but that does not stop us using it: we can still export it and hand it to partners for encrypted exchange
C:\Users\wangxueming>keytool -exportcert -alias www.eussi.top -keystore eussi.keystore -file eussi.cer -rfc -storepass 123456
存储在文件 <eussi.cer> 中的证书
# View the certificate contents
C:\Users\wangxueming>keytool -printcert -file eussi.cer
所有者: CN=www.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
发布者: CN=www.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
序列号: 16126345
有效期开始日期: Sun Jun 23 11:30:40 CST 2019, 截止日期: Sat Jan 15 11:30:40 CST 2118
证书指纹:
MD5: 86:B7:1B:72:8F:1F:14:34:70:AD:B7:AE:4F:93:A0:F2
SHA1: C2:17:F8:02:73:95:CE:87:5F:B8:0B:15:22:FE:83:DB:62:5E:79:10
SHA256: F6:D7:DD:A9:83:2B:8C:E6:AE:F2:43:5B:93:67:6F:28:94:2F:28:75:B1:DE:FF:35:C5:44:C3:33:34:6A:06:D8
签名算法名称: SHA1withRSA
版本: 3
扩展:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1F EB 76 14 B1 1B 95 AD 94 C7 80 45 15 7F BF 91 ..v........E....
0010: 7A 16 02 7E z...
]
]
2. Build a CA-issued certificate
# To obtain a certificate certified by a CA, generate a certificate signing request (CSR), have the CA certify and issue it, then import the certified certificate into the local keystore and truststore
C:\Users\wangxueming>keytool -certreq -alias www.eussi.top -keystore eussi.keystore -file eussi.csr -V -storepass 123456
存储在文件 <eussi.csr> 中的认证请求
将此提交给您的 CA
# I did not submit this to a CA here; I simply re-import the certificate I generated myself, which produces an error. Normally the certificate issued by the CA is what gets imported here
C:\Users\wangxueming>keytool -importcert -trustcacerts -alias www.eussi.top -file eussi.cer -keystore eussi.keystore -storepass 123456
keytool 错误: java.lang.Exception: 证书回复与密钥库中的证书是相同的
# Once imported, the certificate can be listed
C:\Users\wangxueming>keytool -list -alias www.eussi.top -keystore eussi.keystore
输入密钥库口令:
www.eussi.top, 2019-6-23, PrivateKeyEntry,
证书指纹 (SHA1): C2:17:F8:02:73:95:CE:87:5F:B8:0B:15:22:FE:83:DB:62:5E:79:10
# Add -V or -rfc to show more detail
C:\Users\wangxueming>keytool -list -alias www.eussi.top -keystore eussi.keystore -V -storepass 123456
别名: www.eussi.top
创建日期: 2019-6-23
条目类型: PrivateKeyEntry
证书链长度: 1
证书[1]:
所有者: CN=www.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
发布者: CN=www.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
序列号: 16126345
有效期开始日期: Sun Jun 23 11:30:40 CST 2019, 截止日期: Sat Jan 15 11:30:40 CST 2118
证书指纹:
MD5: 86:B7:1B:72:8F:1F:14:34:70:AD:B7:AE:4F:93:A0:F2
SHA1: C2:17:F8:02:73:95:CE:87:5F:B8:0B:15:22:FE:83:DB:62:5E:79:10
SHA256: F6:D7:DD:A9:83:2B:8C:E6:AE:F2:43:5B:93:67:6F:28:94:2F:28:75:B1:DE:FF:35:C5:44:C3:33:34:6A:06:D8
签名算法名称: SHA1withRSA
版本: 3
扩展:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1F EB 76 14 B1 1B 95 AD 94 C7 80 45 15 7F BF 91 ..v........E....
0010: 7A 16 02 7E z...
]
]
C:\Users\wangxueming>keytool -list -alias www.eussi.top -keystore eussi.keystore -rfc -storepass 123456
别名: www.eussi.top
创建日期: 2019-6-23
条目类型: PrivateKeyEntry
证书链长度: 1
证书[1]:
-----BEGIN CERTIFICATE-----
MIIDXzCCAkegAwIBAgIEFhJjRTANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCU0gxCzAJBgNVBAcTAlNIMQ4wDAYDVQQKEwVldXNzaTEOMAwGA1UECxMFZXVzc2kxFjAUBgNV
BAMTDXd3dy5ldXNzaS50b3AwIBcNMTkwNjIzMDMzMDQwWhgPMjExODAxMTUwMzMwNDBaMF8xCzAJ
BgNVBAYTAkNOMQswCQYDVQQIEwJTSDELMAkGA1UEBxMCU0gxDjAMBgNVBAoTBWV1c3NpMQ4wDAYD
VQQLEwVldXNzaTEWMBQGA1UEAxMNd3d3LmV1c3NpLnRvcDCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAOTK7kQEXiKFUaLeX6b7e3Brk1oOOb4TCH8q/MYbsnO3Bqo4/lbVTok1drHk4OUJ
kg/+IzkZNptNFCM5prk/PBVyqGnq4JHgoRr8vTLendGxP+198RdudJf7rZfSQM2IrV1ZEbBqD6Kd
3oiQJQYRCgX9KZmc/zqFLv7ZzoHA7hd0+itlAjby3a+Tl9GPOQz1AA2O/0J8G7KqqJNscCyoEsxL
oIlKeYFOr89e7qDElzaVnmaC62i9ZsOTr/sCXz+AZvb6sWjJiRx4T+iYAa+AM824ojdvVr2ka04M
HH0S1RiaMz8/25cJNBwyCusWaOEmu55Kd66GfhcAr1WKzJaVg78CAwEAAaMhMB8wHQYDVR0OBBYE
FB/rdhSxG5WtlMeARRV/v5F6FgJ+MA0GCSqGSIb3DQEBBQUAA4IBAQAt0+iPcNzs25UWC67kqwGD
nMdRDGfoJqpzVoaFRe7xsWlZ/2RZ9FCMTXAFPEvChY1cPrOUzpqQ6ZoAQqvGPL1jhObGsBqjL51o
1LjSKLAtYHjBMFCldgKSZJLEm8GMqaDFDNlEMaRhQrkrcTXJ22qgv/9SQOObJT0r+Q18H147BsHG
kQnLlRKwGoW++zIWsLaxbTw0kDvwFS1jr+BghqTNdocf0XDBalDsJJ9WsP5GlcfRKT94FRht4+Sr
DdJy33OTpIjv+EoCD7qSC2caPBWwsvGhM5SkRETeNq+Pmju2sDzWKVsaYf7bEjtT/KoXjNN5jVMZ
3jDPs6jx0QGHc6X3
-----END CERTIFICATE-----
# After the steps above, export the certificate again with the -exportcert command shown earlier; it can then be sent to partners
# Note: the CA certification step can be skipped entirely; the uncertified certificate exported in step 1 serves the same purpose
*/
}
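The keystore built in section 1 can be inspected from Java as well. The program below is an added example, not code from the original post or from the book it cites. It loads eussi.keystore with the store password and alias taken from the commands above (file name, alias and password are the transcript's values, assumed to be unchanged), checks that the certificate is self-signed by verifying it with its own public key, prints the SHA-1 and SHA-256 fingerprints in the colon-separated form that keytool -printcert uses, and writes the certificate as PEM the way -exportcert -rfc does. The output file name eussi-from-java.cer is my choice.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;

/**
 * Reads the keystore created by "keytool -genkeypair" and reproduces what
 * "keytool -printcert" and "keytool -exportcert -rfc" show, so the values can be
 * compared against the transcript. Added example; not part of the original post.
 */
public class KeytoolExportCheck {

    // Assumed from the transcript: adjust if your keystore, alias or password differ.
    static final String KEYSTORE = "eussi.keystore";
    static final String ALIAS = "www.eussi.top";
    static final char[] STORE_PASS = "123456".toCharArray();

    /** Loads the certificate stored under the alias (the leaf certificate of the PrivateKeyEntry). */
    static X509Certificate loadCert(String path, char[] pass, String alias) throws Exception {
        // Older keytool writes JKS, newer keytool writes PKCS12; the JDK's default
        // KeyStore type reads the file its own keytool produced.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        Certificate c = ks.getCertificate(alias);
        if (c == null) {
            throw new IllegalStateException("no entry for alias " + alias);
        }
        return (X509Certificate) c;
    }

    /** Same output as "keytool -exportcert -rfc": Base64 DER in 64-character lines. */
    static String toPem(X509Certificate cert) throws Exception {
        byte[] newline = "\n".getBytes(StandardCharsets.US_ASCII);
        String b64 = Base64.getMimeEncoder(64, newline).encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
    }

    /** A certificate fingerprint is the hash of the DER encoding, shown as colon-separated hex. */
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = loadCert(KEYSTORE, STORE_PASS, ALIAS);
        // Self-signed: subject and issuer are the same DN, and the certificate
        // verifies under its own public key (verify() throws if it does not).
        System.out.println("Owner:  " + cert.getSubjectX500Principal());
        System.out.println("Issuer: " + cert.getIssuerX500Principal());
        cert.verify(cert.getPublicKey());
        System.out.println("Signature algorithm: " + cert.getSigAlgName());
        System.out.println("SHA1:   " + fingerprint(cert, "SHA-1"));
        System.out.println("SHA256: " + fingerprint(cert, "SHA-256"));
        try (FileOutputStream out = new FileOutputStream("eussi-from-java.cer")) {
            out.write(toPem(cert).getBytes(StandardCharsets.US_ASCII));
        }
    }
}
```

Run it from the directory containing eussi.keystore; the SHA1 and SHA256 lines should match the fingerprints in the -printcert output above, and eussi-from-java.cer should be byte-for-byte the same as eussi.cer. The "Signature algorithm: SHA1withRSA" line reflects the -sigalg SHA1withRSA given to -genkeypair; outside a lab, sign with SHA256withRSA (keytool's default for RSA keys in current JDKs), because SHA-1 certificate signatures are rejected by browsers and modern TLS stacks.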
public class _02_Openssl {
/**
* passwd:123456
*
OpenSSL is an open-source software package that implements SSL and the related cryptographic techniques; it is the most widely used certificate management tool.
Its capabilities go far beyond keytool's: it can manage root, server and client certificates.
1. Preparation
# Set up the openssl configuration file
[root@app2 ~]# pwd
/root
[root@app2 ~]# cp /etc/pki/tls/openssl.cnf ./
[root@app2 ~]# grep dir openssl.cnf
dir = /root/TestCa # Where everything is kept
......
[root@app2 ~]# export OPENSSL_CONF=/root/openssl.cnf
# Create the CA working directory and its subdirectories for certificates, keys and so on; the final certificates end up in the certs directory
[root@app2 ~]# mkdir TestCa
[root@app2 ~]# cd TestCa/
[root@app2 TestCa]# mkdir certs    # directory for issued certificates
[root@app2 TestCa]# mkdir newcerts # directory for newly signed certificates
[root@app2 TestCa]# mkdir private  # directory for private keys
[root@app2 TestCa]# mkdir crl      # directory for certificate revocation lists
# Create the files the CA database needs
[root@app2 TestCa]# > index.txt    # create the index file; it must start out empty
# Note: if index.txt contains anything (for example from "echo 0 > index.txt"), signing the client certificate in step 4 fails with:
# wrong number of fields on line 1 (looking for field 6, got 1, '' left)
[root@app2 TestCa]# echo 01 > serial  # create the serial-number file
2. Build the root certificate
# Create a random-seed file
[root@app2 TestCa]# openssl rand -out private/.rand 1000
# Create the root certificate's private key
[root@app2 TestCa]# openssl genrsa -aes256 -out private/ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus
........................................+++
....................................+++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key.pem:
Verifying - Enter pass phrase for private/ca.key.pem:
# Generate the signing request (CSR) for the root certificate
[root@app2 TestCa]# openssl req -new -key private/ca.key.pem -out private/ca.csr -subj "/C=CN/ST=SH/L=SH/O=eussi/OU=eussi/CN=*.eussi.top"
Enter pass phrase for private/ca.key.pem:
# The request can be sent to a CA, or the root certificate can be self-signed as done here. Note that in this OpenSSL version -extensions is only honored together with -extfile, so the certificate produced below carries no extensions (keytool later reports it as Version: 1)
[root@app2 TestCa]# openssl x509 -req -days 10000 -sha1 -extensions v3_ca -signkey private/ca.key.pem -in private/ca.csr -out certs/ca.cer
Signature ok
subject=/C=CN/ST=SH/L=SH/O=eussi/OU=eussi/CN=*.eussi.top
Getting Private key
Enter pass phrase for private/ca.key.pem:
# The PEM key and certificate produced by OpenSSL cannot be loaded into a Java keystore directly; bundle them into the PKCS#12 format
[root@app2 TestCa]# openssl pkcs12 -export -cacerts -inkey private/ca.key.pem -in certs/ca.cer -out certs/ca.p12
Enter pass phrase for private/ca.key.pem:
Enter Export Password:
Verifying - Enter Export Password:
# Inspect it with keytool
[root@app2 TestCa]# keytool -list -keystore certs/ca.p12 -storetype pkcs12 -v -storepass 123456
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: 1
Creation date: Jun 23, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=*.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
Issuer: CN=*.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
Serial number: 895882440522d5af
Valid from: Sun Jun 23 13:18:05 CST 2019 until: Thu Nov 08 13:18:05 CST 2046
Certificate fingerprints:
MD5: 91:4F:72:33:F2:E0:A8:58:98:E6:C6:1A:D0:1D:93:4B
SHA1: 54:71:67:D8:2C:35:98:07:C7:90:87:0C:DB:9B:A5:B9:7E:BB:69:E1
SHA256: 7E:0A:DA:6D:D6:A5:35:03:C9:85:F0:4B:C3:DF:A4:C5:3A:D7:5C:52:D6:0F:AD:1F:64:99:85:18:CF:AB:B3:60
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
3. Build the server certificate
# Create the private key
[root@app2 TestCa]# openssl genrsa -aes256 -out private/server.key.pem 2048
Generating RSA private key, 2048 bit long modulus
...........................+++
.......................................................+++
e is 65537 (0x10001)
Enter pass phrase for private/server.key.pem:
Verifying - Enter pass phrase for private/server.key.pem:
# Generate the server's signing request
[root@app2 TestCa]# openssl req -new -key private/server.key.pem -out private/server.csr -subj "/C=CN/ST=SH/L=SH/O=eussi/OU=eussi/CN=www.eussi.top"
Enter pass phrase for private/server.key.pem:
# Sign the server certificate with the root certificate
[root@app2 TestCa]# openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/ca.key.pem -CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer
Signature ok
subject=/C=CN/ST=SH/L=SH/O=eussi/OU=eussi/CN=www.eussi.top
Getting CA Private Key
Enter pass phrase for private/ca.key.pem:
# As before: convert the format, then inspect it
[root@app2 TestCa]# openssl pkcs12 -export -clcerts -inkey private/server.key.pem -in certs/server.cer -out certs/server.p12
Enter pass phrase for private/server.key.pem:
Enter Export Password:
Verifying - Enter Export Password:
[root@app2 TestCa]# keytool -list -keystore certs/server.p12 -storetype pkcs12 -v -storepass 123456
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: 1
Creation date: Jun 23, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
Issuer: CN=*.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
Serial number: 8b4ad5defd96b19c
Valid from: Sun Jun 23 13:32:23 CST 2019 until: Wed Jun 20 13:32:23 CST 2029
Certificate fingerprints:
MD5: A7:8F:7B:3E:89:1F:A0:71:7F:66:96:B8:91:51:B3:37
SHA1: 04:D1:35:54:27:40:D5:65:66:23:AD:32:18:AF:C3:31:F0:A5:4E:68
SHA256: 8C:64:14:28:AC:5A:37:3D:E6:1B:4B:E6:37:CF:CB:8A:12:34:41:CA:DB:2F:BD:A2:0E:9B:5E:38:3D:AD:7C:1C
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
4. Build the client certificate
# Create the private key
[root@app2 TestCa]# openssl genrsa -aes256 -out private/client.key.pem 2048
Generating RSA private key, 2048 bit long modulus
......+++
.................................................................+++
e is 65537 (0x10001)
Enter pass phrase for private/client.key.pem:
Verifying - Enter pass phrase for private/client.key.pem:
# Generate the client's signing request
[root@app2 TestCa]# openssl req -new -key private/client.key.pem -out private/client.csr -subj "/C=CN/ST=SH/L=SH/O=eussi/OU=eussi/CN=eussi"
Enter pass phrase for private/client.key.pem:
# Sign the client certificate with the root certificate
[root@app2 TestCa]# openssl ca -days 3650 -in private/client.csr -out certs/client.cer -cert certs/ca.cer -keyfile private/ca.key.pem
Using configuration from /root/openssl.cnf
Enter pass phrase for private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 23 05:46:39 2019 GMT
Not After : Jun 20 05:46:39 2029 GMT
Subject:
countryName = CN
stateOrProvinceName = SH
organizationName = eussi
organizationalUnitName = eussi
commonName = eussi
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E2:DA:CC:8C:DA:08:15:11:BB:96:48:7F:5D:90:E5:30:D2:F4:C1:E6
X509v3 Authority Key Identifier:
DirName:/C=CN/ST=SH/L=SH/O=eussi/OU=eussi/CN=*.eussi.top
serial:89:58:82:44:05:22:D5:AF
Certificate is to be certified until Jun 20 05:46:39 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# As before: convert the format, then inspect it
[root@app2 TestCa]# openssl pkcs12 -export -inkey private/client.key.pem -in certs/client.cer -out certs/client.p12
Enter pass phrase for private/client.key.pem:
Enter Export Password:
Verifying - Enter Export Password:
*/
}
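What the PKCS#12 conversion in steps 2 to 4 buys you is the ability to load the private key from Java; the PEM certificate alone needs no conversion. The program below is an added example, not code from the original post or from the book it cites. It reads certs/ca.cer straight from PEM with CertificateFactory, opens certs/server.p12 and certs/client.p12 with the PKCS12 KeyStore type (the file names follow the transcript; the export password is assumed to be the 123456 that the page's header announces), checks each issued certificate's signature against the CA key, and then runs the same PKIX path validation a TLS peer would perform, with the lab CA as the only trust anchor. It also shows the failing case: the server certificate validated against an anchor that did not issue it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Checks that the server and client certificates issued in steps 3 and 4 chain to the
 * root certificate from step 2. Added example; not part of the original post.
 */
public class OpensslChainCheck {

    // Paths and password assumed from the transcript (run from the TestCa directory).
    static final String CA_CER = "certs/ca.cer";
    static final String SERVER_P12 = "certs/server.p12";
    static final String CLIENT_P12 = "certs/client.p12";
    static final char[] EXPORT_PASS = "123456".toCharArray();

    /** A PEM certificate needs no conversion: CertificateFactory reads it directly. */
    static X509Certificate loadPemCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** The private key is what needs PKCS#12; the KeyStore API cannot read an OpenSSL PEM key. */
    static KeyStore loadPkcs12(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    /**
     * PKIX path validation with the given CA as the only trust anchor, i.e. what a TLS
     * peer does after receiving the certificate. Revocation checking is switched off
     * because this lab CA publishes no CRL (the crl/ directory stays empty).
     */
    static boolean chainsTo(X509Certificate leaf, X509Certificate anchor) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(leaf));
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("  validation failed: " + e.getMessage());
            return false;
        }
    }

    /** Pulls the single entry (alias "1" in the transcript) out of an OpenSSL-exported .p12. */
    static void check(String p12Path, X509Certificate ca) throws Exception {
        KeyStore ks = loadPkcs12(p12Path, EXPORT_PASS);
        String alias = ks.aliases().nextElement();
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        // OpenSSL protects the key with the export password, so the same value unlocks it.
        PrivateKey key = (PrivateKey) ks.getKey(alias, EXPORT_PASS);
        System.out.println(p12Path + ": " + cert.getSubjectX500Principal()
                + " issued by " + cert.getIssuerX500Principal());
        cert.verify(ca.getPublicKey());   // throws if the CA key did not sign this certificate
        System.out.println("  private key present: " + key.getAlgorithm()
                + ", chains to CA: " + chainsTo(cert, ca));
    }

    public static void main(String[] args) throws Exception {
        X509Certificate ca = loadPemCert(CA_CER);
        check(SERVER_P12, ca);
        check(CLIENT_P12, ca);
        // Negative case: the server certificate is not self-issued, so validating it
        // against itself as the anchor must fail.
        KeyStore server = loadPkcs12(SERVER_P12, EXPORT_PASS);
        X509Certificate serverCert = (X509Certificate) server.getCertificate(server.aliases().nextElement());
        System.out.println("server cert against wrong anchor: " + chainsTo(serverCert, serverCert));
    }
}
```

Both check() calls should report chains to CA: true, and the last line false. The transcript signs everything with -sha1, which keytool reports as SHA1withRSA; for real deployments use -sha256 when running openssl x509 and openssl ca, since SHA-1-signed certificates are rejected by browsers and by OpenSSL 3 at its default security level.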
Reference: 《JAVA加密与解密的艺术》 (The Art of Java Encryption and Decryption)