Generating certificates with OpenSSL and Java keytool together
A recent project needed both OpenSSL certificates and a Java keystore to be produced at the same time, so I looked into it briefly. The certificate generation steps are as follows:
- Generate the CA's (certificate authority's) public-key certificate and private key

```
openssl req -newkey rsa:2048 -x509 -keyout ca.key -out ca.crt
Generating a 2048 bit RSA private key
....................................................+++
........................+++
writing new private key to 'ca.key'
Enter PEM pass phrase:               (enter the CA password)
Verifying - Enter PEM pass phrase:   (enter the CA password again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:BankOfMobile
Organizational Unit Name (eg, section) []:Inc
Common Name (eg, your name or your server's hostname) []:BankOfCA
Email Address []:[email protected]
```

- Generate the keystore file
```
keytool -genkey -alias bank_server -validity 3650 -keyalg RSA \
  -keysize 2048 -keypass 123456 -storepass 123456 -keystore server_keystore
您的名字与姓氏是什么?
  [Unknown]:  liu.weihua
您的组织单位名称是什么?
  [Unknown]:  BankOfMobile
您的组织名称是什么?
  [Unknown]:  Inc
您所在的城市或区域名称是什么?
  [Unknown]:  BeiJing
您所在的省/市/自治区名称是什么?
  [Unknown]:  BeiJing
该单位的双字母国家/地区代码是什么?
  [Unknown]:  CN
CN=liu.weihua, OU=BankOfMobile, O=Inc, L=BeiJing, ST=BeiJing, C=CN是否正确?
  [否]:  是
```

- Generate the user certificate request file from the keystore

```
keytool -certreq -alias bank_server -sigalg MD5withRSA -file bank_server.csr -keypass 123456 -storepass 123456 -keystore server_keystore
```
- Generate the user certificate from the request file, the CA certificate and the CA private key

```
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1099511627780 (0x10000000004)
        Validity
            Not Before: Jun 18 02:20:18 2015 GMT
            Not After : Jun 17 02:20:18 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = Inc
            organizationalUnitName    = BankOfMobile
            commonName                = liu.weihua
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                63:16:6B:28:FA:A8:88:40:86:CF:7C:4D:CD:4C:AB:09:55:19:49:B4
            X509v3 Authority Key Identifier:
                keyid:4A:7F:36:58:9C:37:C0:0B:65:81:FE:F5:78:F9:A3:CE:9A:99:AD:12
Certificate is to be certified until Jun 17 02:20:18 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

- Import the CA certificate into the keystore file under the alias my_ca_root
```
keytool -import -v -trustcacerts -alias my_ca_root -file ca.crt \
  -storepass 123456 -keystore server_keystore
所有者: [email protected], CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
发布者: [email protected], CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
序列号: b06c467d0d1ff815
有效期开始日期: Thu Jun 18 10:17:01 CST 2015, 截止日期: Sat Jul 18 10:17:01 CST 2015
证书指纹:
         MD5: B8:ED:67:09:68:2A:7C:E0:FF:57:18:C9:2B:6D:C7:2A
         SHA1: 18:64:40:BA:88:92:FC:8D:4D:19:17:87:19:A2:4B:E0:D3:CA:FD:46
         SHA256: AF:A6:FA:80:15:FD:BC:8F:6C:44:F6:C1:06:41:46:57:32:F1:36:77:72:13:E1:37:1B:B3:D4:8B:AD:3F:2D:7E
         签名算法名称: SHA1withRSA
         版本: 3

扩展:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]

是否信任此证书? [否]:  是
证书已添加到密钥库中
[正在存储server_keystore]
```

- Import the user certificate into the keystore under the alias bank_server
```
keytool -import -v -alias bank_server -file bank_server.crt \
  -storepass 123456 -keystore server_keystore
证书回复已安装在密钥库中
[正在存储server_keystore]
```

- List all certificates stored in the keystore
```
keytool -list -v -keystore server_keystore
输入密钥库口令:

密钥库类型: JKS
密钥库提供方: SUN

您的密钥库包含 2 个条目

别名: my_ca_root
创建日期: 2015-6-18
条目类型: trustedCertEntry

所有者: [email protected], CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
发布者: [email protected], CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
序列号: b06c467d0d1ff815
有效期开始日期: Thu Jun 18 10:17:01 CST 2015, 截止日期: Sat Jul 18 10:17:01 CST 2015
证书指纹:
         MD5: B8:ED:67:09:68:2A:7C:E0:FF:57:18:C9:2B:6D:C7:2A
         SHA1: 18:64:40:BA:88:92:FC:8D:4D:19:17:87:19:A2:4B:E0:D3:CA:FD:46
         SHA256: AF:A6:FA:80:15:FD:BC:8F:6C:44:F6:C1:06:41:46:57:32:F1:36:77:72:13:E1:37:1B:B3:D4:8B:AD:3F:2D:7E
         签名算法名称: SHA1withRSA
         版本: 3

扩展:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]


*******************************************
*******************************************


别名: bank_server
创建日期: 2015-6-18
条目类型: PrivateKeyEntry
证书链长度: 2
证书[1]:
所有者: CN=liu.weihua, OU=BankOfMobile, O=Inc, ST=BeiJing, C=CN
发布者: [email protected], CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
序列号: 10000000004
有效期开始日期: Thu Jun 18 10:20:18 CST 2015, 截止日期: Fri Jun 17 10:20:18 CST 2016
证书指纹:
         MD5: A9:D9:89:03:35:DC:B7:D6:8D:16:2F:2E:0D:B2:2C:34
         SHA1: F2:40:B5:5F:3D:22:2F:3C:75:89:E7:62:97:A8:03:94:78:DF:47:DD
         SHA256: BD:AD:DE:D6:EA:2C:6E:49:82:AC:71:9F:59:D6:07:D0:A9:A9:3D:B4:CB:00:34:AA:03:7C:1A:7F:80:8B:F1:F6
         签名算法名称: SHA1withRSA
         版本: 3

扩展:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 1D 4F 70 65 6E 53 53   4C 20 47 65 6E 65 72 61  ..OpenSSL Genera
0010: 74 65 64 20 43 65 72 74   69 66 69 63 61 74 65     ted Certificate


#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 63 16 6B 28 FA A8 88 40   86 CF 7C 4D CD 4C AB 09  c.k(...@..|M.L..
0010: 55 19 49 B4                                        U.I.
]
]

证书[2]:
所有者: [email protected], CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
发布者: [email protected], CN=BankOfCA, OU=Inc, O=BankOfMobile, L=BeiJing, ST=BeiJing, C=CN
序列号: b06c467d0d1ff815
有效期开始日期: Thu Jun 18 10:17:01 CST 2015, 截止日期: Sat Jul 18 10:17:01 CST 2015
证书指纹:
         MD5: B8:ED:67:09:68:2A:7C:E0:FF:57:18:C9:2B:6D:C7:2A
         SHA1: 18:64:40:BA:88:92:FC:8D:4D:19:17:87:19:A2:4B:E0:D3:CA:FD:46
         SHA256: AF:A6:FA:80:15:FD:BC:8F:6C:44:F6:C1:06:41:46:57:32:F1:36:77:72:13:E1:37:1B:B3:D4:8B:AD:3F:2D:7E
         签名算法名称: SHA1withRSA
         版本: 3

扩展:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A 7F 36 58 9C 37 C0 0B   65 81 FE F5 78 F9 A3 CE  J.6X.7..e...x...
0010: 9A 99 AD 12                                        ....
]
]


*******************************************
*******************************************
```

- Generate the binary-format CA certificate file needed by the Android and iOS clients
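The whole procedure above, from creating the CA through exporting a binary copy of its certificate for the mobile clients, as one non-interactive POSIX shell script. This is an added example, not the post's own commands, and it deliberately departs from them in a few places that a practitioner should know about: subjects are passed with `-subj`/`-dname` instead of interactive prompts; the passwords come from environment variables (`-passout env:` / `-passin env:` for OpenSSL, `-storepass:env` / `-keypass:env` for keytool) so they never sit on the command line as `123456` does above, and the demo values are constructed; the CA validity is set explicitly, because the post's CA certificate only gets the 30-day default of `openssl req -x509` (its listing shows 2015-06-18 to 2015-07-18) while the server certificate it signs is valid for a year, so the chain in that keystore stopped verifying after one month; the CSR and the certificates are signed with SHA-256 rather than the MD5withRSA and SHA1withRSA shown, since current JDKs reject MD5 and warn on SHA-1 signatures in certificate paths; and the signing step uses `openssl x509 -req` with a small extension file, which reproduces the `CA:FALSE` plus key-identifier extensions seen in the post's `openssl ca` output without needing a CA database or openssl.cnf. The `openssl x509 -outform DER` command for the last step is an assumption; the post shows no command for it. File names, aliases and distinguished names are the post's.

```shell
#!/bin/sh
# Added example: end-to-end, non-interactive version of the post's procedure.
# Not the post's own script; see the lead-in for the deliberate deviations.
set -eu

WORK="${WORK:-$(mktemp -d)}"
: "${CA_PASS:=ca-demo-passphrase}"       # constructed demo secrets; override in the environment
: "${KEYSTORE_PASS:=keystore-demo-pass}"
export CA_PASS KEYSTORE_PASS
KEYSTORE="$WORK/server_keystore"

# Step 1: CA key pair and self-signed CA certificate. -x509 adds basicConstraints CA:TRUE;
# -days is given explicitly instead of the 30-day default.
make_ca() {
  openssl req -newkey rsa:2048 -x509 -days 3650 -sha256 \
    -subj "/C=CN/ST=BeiJing/L=BeiJing/O=BankOfMobile/OU=Inc/CN=BankOfCA" \
    -passout env:CA_PASS -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: server key pair inside the keystore (same alias and DN as the post).
make_keystore() {
  keytool -genkeypair -alias bank_server -validity 3650 -keyalg RSA -keysize 2048 \
    -dname "CN=liu.weihua, OU=BankOfMobile, O=Inc, L=BeiJing, ST=BeiJing, C=CN" \
    -keypass:env KEYSTORE_PASS -storepass:env KEYSTORE_PASS -keystore "$KEYSTORE"
}

# Step 3: CSR for that key pair, signed with SHA-256 instead of MD5withRSA.
make_csr() {
  keytool -certreq -alias bank_server -sigalg SHA256withRSA -file "$WORK/bank_server.csr" \
    -keypass:env KEYSTORE_PASS -storepass:env KEYSTORE_PASS -keystore "$KEYSTORE"
}

# Step 4: sign the CSR with the CA key. The ext file gives the end-entity extensions that
# the post's `openssl ca` output shows (CA:FALSE, subject and authority key identifiers).
sign_csr() {
  printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    > "$WORK/usr_cert.ext"
  openssl x509 -req -days 365 -sha256 -in "$WORK/bank_server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -passin env:CA_PASS -CAcreateserial \
    -extfile "$WORK/usr_cert.ext" -out "$WORK/bank_server.crt"
}

# Steps 5 and 6: the trust anchor goes in first (my_ca_root), then the certificate reply
# for bank_server; keytool can only build the 2-element chain once the CA is present.
import_certs() {
  keytool -importcert -noprompt -trustcacerts -alias my_ca_root -file "$WORK/ca.crt" \
    -storepass:env KEYSTORE_PASS -keystore "$KEYSTORE"
  keytool -importcert -noprompt -alias bank_server -file "$WORK/bank_server.crt" \
    -keypass:env KEYSTORE_PASS -storepass:env KEYSTORE_PASS -keystore "$KEYSTORE"
}

# Last step: DER (binary) copy of the CA certificate for the Android/iOS clients.
# Assumed command; the post names the step but shows no command for it.
export_der() {
  openssl x509 -in "$WORK/ca.crt" -outform DER -out "$WORK/ca.der"
}

# Checks worth running before the keystore ships: the signed certificate chains to the CA,
# both aliases exist, bank_server is a PrivateKeyEntry, and the DER file parses back.
verify_result() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/bank_server.crt" >/dev/null
  keytool -list -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS -alias my_ca_root >/dev/null
  keytool -list -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS -alias bank_server \
    | grep -q PrivateKeyEntry
  openssl x509 -inform DER -in "$WORK/ca.der" -noout -subject | grep -q 'CN *= *BankOfCA'
}

# Runs steps 1 to 6 plus the DER export and the checks; returns non-zero on the first failure.
run_all() {
  make_ca && make_keystore && make_csr && sign_csr && import_certs && export_der && verify_result
}
```

Source the file and call `run_all` (for example `sh -c '. ./mixed_certs.sh && run_all'`); the artifacts land in `$WORK`, which defaults to a fresh temporary directory. `keytool -list -v -keystore "$WORK/server_keystore"` afterwards should show the same two entries as the post's listing, with `证书链长度: 2` for `bank_server`.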