openssl与java混合证书生成

Posted on 2021-06-21 Edited on 2021-08-17 Views:

Symbols count in article: 7.3k Reading time ≈ 7 mins.

最近项目上有关于同时生产openssl和keystore证书的需求。于是简单的了解了一下。以下是生成证书步骤：

生成ca证书认证中心的公钥证书和私钥

[root@localcert]# opensslreq-newkeyrsa:2048-x509-keyoutca.key-outca.crt
Generatinga2048bitRSAprivatekey
....................................................+++
........................+++
writingnewprivatekeyto'ca.key'
EnterPEMpassphrase:输入CA密码
Verifying-EnterPEMpassphrase:再次输入CA密码
-----
Youareabouttobeaskedtoenterinformationthatwillbeincorporated
intoyourcertificaterequest.
WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.
Therearequiteafewfieldsbutyoucanleavesomeblank
Forsomefieldstherewillbeadefaultvalue,
Ifyouenter'.',thefieldwillbeleftblank.
-----
CountryName(2lettercode)[XX]:CN
StateorProvinceName(fullname)[]:BeiJing
LocalityName(eg,city)[DefaultCity]:BeiJing
OrganizationName(eg,company)[DefaultCompanyLtd]:BankOfMobile
OrganizationalUnitName(eg,section)[]:Inc
CommonName(eg,yournameoryourserver\'shostname)[]:BankOfCA
EmailAddress[]:394806487@qq.com

生成keystore文件

[root@localcert]# keytool-genkey-aliasbank_server-validity3650-keyalgRSA
    -keysize2048-keypass123456-storepass123456-keystoreserver_keystore
您的名字与姓氏是什么?
[Unknown]:liu.weihua
您的组织单位名称是什么?
[Unknown]:BankOfMobile
您的组织名称是什么?
[Unknown]:Inc
您所在的城市或区域名称是什么?
[Unknown]:BeiJing
您所在的省/市/自治区名称是什么?
[Unknown]:BeiJing
该单位的双字母国家/地区代码是什么?
[Unknown]:CN
CN=liu.weihua,OU=BankOfMobile,O=Inc,L=BeiJing,ST=BeiJing,C=CN是否正确?
[否]:是

生成用户证书请求文件，并写入keystore

1	[root@localcert]# keytool-certreq-aliasbank_server-sigalgMD5withRSA -filebank_server.csr-keypass123456-storepass123456 -keystoreserver_keystore

根据用户请求文件、ca证书和ca私钥生成用户证书

[root@localcert]# Usingconfigurationfrom/etc/pki/tls/openssl.cnf
Enterpassphraseforca.key:
Checkthattherequestmatchesthesignature
Signatureok
CertificateDetails:
SerialNumber:1099511627780(0x10000000004)
Validity
NotBefore:Jun1802:20:182015GMT
NotAfter:Jun1702:20:182016GMT
Subject:
countryName=CN
stateOrProvinceName=BeiJing
organizationName=Inc
organizationalUnitName=BankOfMobile
commonName=liu.weihua
X509v3extensions:
X509v3BasicConstraints:
CA:FALSE
NetscapeComment:
OpenSSLGeneratedCertificate
X509v3SubjectKeyIdentifier:
63:16:6B:28:FA:A8:88:40:86:CF:7C:4D:CD:4C:AB:09:55:19:49:B4
X509v3AuthorityKeyIdentifier:
keyid:4A:7F:36:58:9C:37:C0:0B:65:81:FE:F5:78:F9:A3:CE:9A:99:AD:12
CertificateistobecertifieduntilJun1702:20:182016GMT(365days)
Signthecertificate?[y/n]:y
1outof1certificaterequestscertified,commit?[y/n]y
Writeoutdatabasewith1newentries
DataBaseUpdated

把ca证书写入keystore文件，别名设置为my_ca_root

[root@localcert]# keytool-import-v-trustcacerts-aliasmy_ca_root-fileca.crt
    -storepass123456-keystoreserver_keystore
所有者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
发布者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
序列号:b06c467d0d1ff815
有效期开始日期:ThuJun1810:17:01CST2015,截止日期:SatJul1810:17
    :01CST2015
证书指纹:
MD5:B8:ED:67:09:68:2A:7C:E0:FF:57:18:C9:2B:6D:C7:2A
SHA1:18:64:40:BA:88:92:FC:8D:4D:19:17:87:19:A2:4B:E0:D3:CA:FD:46
SHA256:AF:A6:FA:80:15:FD:BC:8F:6C:44:F6:C1:06:41:46:57:32:F1:36:77:72:13:E1
    :37:1B:B3:D4:8B:AD:3F:2D:7E
签名算法名称:SHA1withRSA
版本:3
扩展:
#1:ObjectId:2.5.29.35Criticality=false
AuthorityKeyIdentifier[
KeyIdentifier[
0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
0010:9A99AD12....
]
]
#2:ObjectId:2.5.29.19Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3:ObjectId:2.5.29.14Criticality=false
SubjectKeyIdentifier[
KeyIdentifier[
0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
0010:9A99AD12....
]
]
是否信任此证书?[否]:是
证书已添加到密钥库中
[正在存储server_keystore]

把用户证书写入keystore，别名设置为bank_server

[root@localcert]#keytool-import-v-aliasbank_server-filebank_server.crt
    -storepass123456-keystoreserver_keystore
证书回复已安装在密钥库中
[正在存储server_keystore]

查看所有存储在keystore上的证书

[root@localcert]#keytool-list-v-keystoreserver_keystore
输入密钥库口令:
密钥库类型:JKS
密钥库提供方:SUN
您的密钥库包含2个条目
别名:my_ca_root
创建日期:2015-6-18
条目类型:trustedCertEntry
所有者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
发布者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
序列号:b06c467d0d1ff815
有效期开始日期:ThuJun1810:17:01CST2015,截止日期:SatJul1810:17
    :01CST2015
证书指纹:
MD5:B8:ED:67:09:68:2A:7C:E0:FF:57:18:C9:2B:6D:C7:2A
SHA1:18:64:40:BA:88:92:FC:8D:4D:19:17:87:19:A2:4B:E0:D3:CA:FD:46
SHA256:AF:A6:FA:80:15:FD:BC:8F:6C:44:F6:C1:06:41:46:57:32:F1:36:77:72:13:E1
    :37:1B:B3:D4:8B:AD:3F:2D:7E
签名算法名称:SHA1withRSA
版本:3
扩展:
#1:ObjectId:2.5.29.35Criticality=false
AuthorityKeyIdentifier[
KeyIdentifier[
0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
0010:9A99AD12....
]
]
#2:ObjectId:2.5.29.19Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3:ObjectId:2.5.29.14Criticality=false
SubjectKeyIdentifier[
KeyIdentifier[
0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
0010:9A99AD12....
]
]
*******************************************
*******************************************
别名:bank_server
创建日期:2015-6-18
条目类型:PrivateKeyEntry
证书链长度:2
证书[1]:
所有者:CN=liu.weihua,OU=BankOfMobile,O=Inc,ST=BeiJing,C=CN
发布者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
序列号:10000000004
有效期开始日期:ThuJun1810:20:18CST2015,截止日期:FriJun1710:20
    :18CST2016
证书指纹:
MD5:A9:D9:89:03:35:DC:B7:D6:8D:16:2F:2E:0D:B2:2C:34
SHA1:F2:40:B5:5F:3D:22:2F:3C:75:89:E7:62:97:A8:03:94:78:DF:47:DD
SHA256:BD:AD:DE:D6:EA:2C:6E:49:82:AC:71:9F:59:D6:07:D0:A9:A9:3D:B4:CB:00:34
    :AA:03:7C:1A:7F:80:8B:F1:F6
签名算法名称:SHA1withRSA
版本:3
扩展:
#1:ObjectId:2.16.840.1.113730.1.13Criticality=false
0000:161D4F70656E53534C2047656E657261..OpenSSLGenera
0010:746564204365727469666963617465tedCertificate
#2:ObjectId:2.5.29.35Criticality=false
AuthorityKeyIdentifier[
KeyIdentifier[
0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
0010:9A99AD12....
]
]
#3:ObjectId:2.5.29.19Criticality=false
BasicConstraints:[
CA:false
PathLen:undefined
]
#4:ObjectId:2.5.29.14Criticality=false
SubjectKeyIdentifier[
KeyIdentifier[
0000:63166B28FAA8884086CF7C4DCD4CAB09c.k(...@...M.L..
0010:551949B4U.I.
]
]
证书[2]:
所有者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
发布者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
序列号:b06c467d0d1ff815
有效期开始日期:ThuJun1810:17:01CST2015,截止日期:SatJul1810:17
    :01CST2015
证书指纹:
MD5:B8:ED:67:09:68:2A:7C:E0:FF:57:18:C9:2B:6D:C7:2A
SHA1:18:64:40:BA:88:92:FC:8D:4D:19:17:87:19:A2:4B:E0:D3:CA:FD:46
SHA256:AF:A6:FA:80:15:FD:BC:8F:6C:44:F6:C1:06:41:46:57:32:F1:36:77:72:13:E1
    :37:1B:B3:D4:8B:AD:3F:2D:7E
签名算法名称:SHA1withRSA
版本:3
扩展:
#1:ObjectId:2.5.29.35Criticality=false
AuthorityKeyIdentifier[
KeyIdentifier[
0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
0010:9A99AD12....
]
]
#2:ObjectId:2.5.29.19Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3:ObjectId:2.5.29.14Criticality=false
SubjectKeyIdentifier[
KeyIdentifier[
0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
0010:9A99AD12....
]
]
*******************************************
*******************************************

生成安卓和IOS客户端所需的CA证书的二进制格式文件