Generating public/private keys and certificates with openssl commands, and configuring certificates for HTTPS on Apache/Tomcat

Generate a keystore file (older JDKs default to a 1024-bit key, so add -keysize 2048 there):
keytool -genkey -alias tomcat -keyalg RSA -keystore H:/tomcat.keystore -validity 36500


Export a CSR from the keystore's PrivateKeyEntry (the original used -sigalg MD5withRSA, which is obsolete and rejected by CAs; SHA256withRSA is used here):
keytool -certreq -alias tomcat -sigalg SHA256withRSA -file tomcat.csr -keystore server_keystore


Convert a DER-encoded .crt to PEM (-text additionally prints the decoded certificate):
openssl x509 -inform DER -in yourdownloaded.crt -out outcert.pem -text


Append a certificate to the trusted CA bundle (>> appends; replace <yourCA> with the CA's file name):
openssl x509 -in <yourCA>.crt -text >> /usr/share/ssl/certs/ca-bundle.crt


Generate a CA private key and self-signed CA certificate (v3_ca extensions taken from ./openssl.conf):
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.conf


Sign a certificate request with the CA (-CAcreateserial creates the serial-number file ca.srl on first use):
openssl x509 -req -in dev.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dev.crt -days 365


Import a CA certificate into the keystore as a trusted certificate:
keytool -import -alias caomiao_ca -keystore h:/tomcat.keystore -trustcacerts -file ca.crt


List the certificates in the keystore:
keytool -list -v -keystore h:\tomcat.keystore


Delete a certificate from the keystore:
keytool -delete -alias caomiao_ca -keystore h:\tomcat.keystore -storepass <password>


Generate a 3DES-encrypted private key file (the original used 1024-bit RSA, which is too short for current use; 2048 bits here):
openssl genrsa -des3 -out tomcat_client.key 2048


Derive the public key from a private key file:
openssl rsa -pubout < ca.key > capub.pem


Generate a CSR from a key (add -config openssl.cnf to use a specific configuration file):
openssl req -new -key server.key -out server.csr


View a CSR:
openssl req -text -noout -in san_domain_com.csr


Generate a self-signed certificate from an existing key (the original used -sha1, which browsers no longer accept; SHA-256 here):
openssl req -new -x509 -nodes -sha256 -days 3650 -key host.key -out host.crt


Concatenate a certificate file and a private key file into one PEM file:
cat client.key client.crt > client.pem


Combine a certificate file and a private key file into a PFX (PKCS#12) file:
openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12


Dump a PFX file as text (PEM certificates and key; add -info to also show the encryption algorithms and iteration counts used):
openssl pkcs12 -in client.p12 -out client.txt


Display on screen (certificate, private key, public key), including the RSA modulus:
openssl x509 -in client.crt -noout -text -modulus
openssl rsa -in server.key -noout -text -modulus
openssl rsa -pubin -in server.pub -noout -text -modulus
(The third form needs -pubin; without it openssl rsa expects a private key and fails on a public-key file.)
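The most useful thing to do with the -modulus output above is to check that a key, its public key, a CSR and a certificate actually belong together before deploying them. The script below is an added example, not from the original page: it generates a throwaway key pair, CSR and self-signed certificate (all file names, the CN and the temp directory are constructed for the demo), then compares SHA-256 digests of each object's "Modulus=" line.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that a private key, its public key,
# a CSR and a certificate all carry the same RSA modulus, using the "-modulus" forms above.
# The key material and file names are constructed here so the script runs offline.
set -e

WORK="${WORK:-$(mktemp -d)}"

modulus_fingerprint() {
    # $1 = kind (key|pub|csr|cert), $2 = file.
    # Prints a SHA-256 of the "Modulus=..." line so long moduli compare as short strings.
    case "$1" in
        key)  openssl rsa  -noout -modulus -in "$2" ;;
        pub)  openssl rsa  -noout -modulus -pubin -in "$2" ;;   # -pubin: input is a public key
        csr)  openssl req  -noout -modulus -in "$2" ;;
        cert) openssl x509 -noout -modulus -in "$2" ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac | openssl dgst -sha256 | sed 's/^.*= //'
}

same_modulus() {
    # $1 $2 = kind and file of the first object, $3 $4 = kind and file of the second.
    [ "$(modulus_fingerprint "$1" "$2")" = "$(modulus_fingerprint "$3" "$4")" ]
}

# Constructed demo material: one key with its public key, CSR and self-signed certificate,
# plus an unrelated key to show what a mismatch looks like.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl rsa -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null
openssl req -new -key "$WORK/server.key" -subj "/CN=demo.example.test" \
    -out "$WORK/server.csr" 2>/dev/null
openssl req -new -x509 -key "$WORK/server.key" -subj "/CN=demo.example.test" -days 30 \
    -out "$WORK/server.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

same_modulus key "$WORK/server.key" pub  "$WORK/server.pub" && echo "server.pub matches server.key"
same_modulus key "$WORK/server.key" csr  "$WORK/server.csr" && echo "server.csr matches server.key"
same_modulus key "$WORK/server.key" cert "$WORK/server.crt" && echo "server.crt matches server.key"
same_modulus key "$WORK/other.key"  cert "$WORK/server.crt" || echo "other.key does NOT match server.crt"
```

A mismatch between server.key and server.crt is the usual cause of Apache or Tomcat refusing to start after a certificate renewal, so this comparison is worth running before restarting the service.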


Import a private key and certificate into a keystore (using the third-party ImportKey class, with 'importkey' as both the alias and the password):
java ImportKey key.der cert.der


Convert a PEM private key and certificate to DER (the key is written as unencrypted PKCS#8; the original heading had the direction reversed):
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER


Convert PEM to PKCS#12:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out cred.p12


Import a private key into a keystore (the private key and certificate must first be combined into PKCS#12 format; the keytool the author had on Linux lacked the importkeystore option, which exists since JDK 6):
keytool -importkeystore -srckeystore ./ca.p12 -srcstoretype PKCS12 -alias 1 -destkeystore ./tomcat.keystore -deststoretype JKS


Export the private key from a JKS keystore in PKCS#12 format:
keytool -importkeystore -srckeystore keystore.jks -destkeystore intermediate.p12 -deststoretype PKCS12


Convert PKCS#12 (PFX) to PEM (-nodes leaves the extracted private key unencrypted):
openssl pkcs12 -in intermediate.p12 -out extracted.pem -nodes
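The PKCS#12 steps above are interactive as written. The script below is an added example, not from the original page: it builds a .p12 from a key and certificate without prompts (-passout), extracts the certificate and key back out (-nokeys / -nocerts -nodes, -passin), verifies that both survived the round trip, and confirms that a wrong password is rejected by the file's integrity check. The password, the CN tomcat.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): scripted PKCS#12 round trip.
# Bundles a key and certificate into a .p12 the way "openssl pkcs12 -export" does above,
# pulls the certificate and key back out, and checks nothing was lost. -passout/-passin
# avoid interactive prompts. The password, CN and file names are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-demo-export-password}"

make_demo_pair() {
    # Self-signed key + certificate standing in for a real server identity.
    openssl req -new -x509 -nodes -sha256 -newkey rsa:2048 -days 30 \
        -subj "/CN=tomcat.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

export_p12() {
    # -name sets the friendly name, which becomes the alias when the file is later
    # loaded into a Java keystore with keytool -importkeystore.
    openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
        -name tomcat -out "$WORK/server.p12" -passout "pass:$P12_PASS" 2>/dev/null
}

extract_p12() {
    # Certificate only, then private key only (-nodes: write the key unencrypted).
    openssl pkcs12 -in "$WORK/server.p12" -nokeys -out "$WORK/extracted.crt" \
        -passin "pass:$P12_PASS" 2>/dev/null
    openssl pkcs12 -in "$WORK/server.p12" -nocerts -nodes -out "$WORK/extracted.key" \
        -passin "pass:$P12_PASS" 2>/dev/null
}

cert_fingerprint() {
    # SHA-256 fingerprint of the first certificate in the file, without the label.
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

public_key_of() {
    # Public half in PEM form; equal public keys mean the same private key here.
    openssl pkey -in "$1" -pubout 2>/dev/null
}

cert_roundtrip_ok() {
    [ "$(cert_fingerprint "$WORK/server.crt")" = "$(cert_fingerprint "$WORK/extracted.crt")" ]
}

key_roundtrip_ok() {
    [ "$(public_key_of "$WORK/server.key")" = "$(public_key_of "$WORK/extracted.key")" ]
}

wrong_password_rejected() {
    # The PKCS#12 MAC check must fail for a wrong password instead of yielding data.
    ! openssl pkcs12 -in "$WORK/server.p12" -nokeys -passin "pass:not-the-password" \
        >/dev/null 2>&1
}

make_demo_pair
export_p12
extract_p12
cert_roundtrip_ok && echo "certificate survived the round trip"
key_roundtrip_ok && echo "private key survived the round trip"
wrong_password_rejected && echo "wrong password rejected"
```

The resulting server.p12 is what the keytool -importkeystore step on this page consumes. One caveat for Tomcat users: OpenSSL 3 writes PKCS#12 files with AES-256-CBC and a SHA-256 MAC by default, which old JDK 8 updates cannot read; its -legacy option produces the older RC2/3DES encoding those JDKs accept.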


Creating a multi-domain certificate:

Method one: supply the extra names at signing time with -extfile.
openssl x509 -req -in dev.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dev.crt -days 365 -extfile sign.cnf
The *.cnf file names the additional domains beyond the one in the CSR, and contains:
subjectAltName=DNS:www.domain.tld,DNS:www2.domain.tld

Method two: have openssl put the SubjectAltName field into the CSR itself.
Edit your openssl.cnf (usually located in /etc/ssl). Find the section labeled [req] and add this line:
req_extensions = v3_req
Then find the section labeled [ v3_req ] and add a line like this:
subjectAltName = DNS:www.example.com,DNS:www2.example.com
Reference: http://apetec.com/support/GenerateSAN-CSR.htm
Note that openssl x509 -req does not copy extensions from the CSR, so a SAN placed in the CSR only reaches the issued certificate if the signer adds it (method one, or openssl ca with copy_extensions, or a public CA that honours it).

Method three: several commonName entries in the request's distinguished-name section.
Add the following to your openssl.cnf:

[ req_distinguished_name ]
0.commonName = Common Name (eg, YOUR name)
0.commonName_default = www.domain1.com
0.commonName_max = 64
1.commonName = Common Name (eg, YOUR name)
1.commonName_default = www.domain2.org
1.commonName_max = 64
2.commonName = Common Name (eg, YOUR name)
2.commonName_default = shop.domain1.com
2.commonName_max = 64
3.commonName = Common Name (eg, YOUR name)
3.commonName_default = My Secure Internet Services
3.commonName_max = 64

(shop.domain1.com is only an example of a subdomain added to the SSL certificate; My Secure Internet Services is an example of a generic name.)

The last example, My Secure Internet Services, is a generic name and is also purposely the last entry. This is because I do not want any other domains to appear on the cert other than my business. The other domains will be included internally in the certificate. So when a visitor goes to https://www.mydomain.com he/she will see a cert that needs to be installed with the name My Secure Internet Services instead of a cert with MyOtherDomainName.Com.

In addition to the above, www.server.com, mail.server.com and anyvhost.server.com can be replaced by a single wildcard entry: *.server.com

Modern browsers ignore the commonName entirely and match hostnames only against subjectAltName, so method three on its own no longer yields a certificate browsers accept for those names; use method one or two.
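The CA steps earlier on this page (CA key and self-signed CA certificate with a config file, signing a CSR with -CAcreateserial) and multi-domain method one are really one procedure. The script below is an added example, not from the original page: it builds a throwaway CA whose certificate carries the extensions a CA needs, issues a server certificate with two DNS names through -extfile, then verifies the chain and checks the names are present. The CA name "Demo Test CA", the hostnames under example.test, the temp directory and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): a complete mini-PKI run combining the CA
# steps above (CA key + self-signed CA cert with -config, sign a CSR with -CAcreateserial)
# and multi-domain "method one" (-extfile with subjectAltName). The CA name, hostnames,
# file names and 2048-bit keys are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
    # Minimal config so the CA certificate carries the extensions a CA needs; this
    # stands in for the page's "-extensions v3_ca -config ./openssl.conf".
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Demo Test CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -nodes -sha256 -newkey rsa:2048 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_server_cert() {
    # $1 = primary hostname for the CN, $2 = SAN list such as "DNS:a,DNS:b".
    openssl req -new -nodes -sha256 -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    # "openssl x509 -req" does not copy extensions from the CSR, so the SANs are
    # supplied through -extfile exactly as in method one.
    printf 'subjectAltName=%s\n' "$2" > "$WORK/sign.cnf"
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/sign.cnf" -out "$WORK/server.crt" 2>/dev/null
}

chain_ok() {
    # Succeeds only if server.crt validates against the demo CA.
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

cert_has_dns_san() {
    # $1 = hostname; true if the issued certificate lists it as a DNS SAN.
    openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:$1"
}

make_ca
issue_server_cert "www.example.test" "DNS:www.example.test,DNS:www2.example.test"
chain_ok && echo "server.crt chains to ca.crt"
cert_has_dns_san www2.example.test && echo "www2.example.test present in subjectAltName"
```

The same two files, ca.crt and server.crt, are what the keytool -import (trusted CA) and -importkeystore (server identity, after PKCS#12 conversion) steps on this page load into tomcat.keystore; running openssl verify first catches a wrong CA key or a stale CSR before Tomcat does.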


Keystore types:
JKS: Java Keystore (Oracle's Keystore format)
PKCS #12: Public-Key Cryptography Standards #12 Keystore (RSA's Personal Information Exchange Syntax Standard)
JCEKS: Java Cryptography Extension Keystore (More secure version of JKS)
JKS (case sensitive): Case sensitive JKS
BKS: Bouncy Castle Keystore (Bouncy Castle's version of JKS)
UBER: Bouncy Castle UBER Keystore (More secure version of BKS)

GKR: GNU Keyring keystore (requires GNU Classpath version 0.90 or later installed)



