Generating a CA private key and a self-signed root certificate
1. Install Win32OpenSSL-0_9_8g.exe
Go to the OpenSSL bin directory:
G:\Program Files\OpenSSL\bin>
Generate the CA private key
openssl genrsa -out G:\ssl_personbook/ca-key.pem 1024
Generate the certificate signing request (CSR)
openssl req -new -out G:\ssl_personbook/ca-req.csr -key G:\ssl_personbook/ca-key.pem
Self-sign it with the CA private key
openssl x509 -req -in G:\ssl_personbook/ca-req.csr -out G:\ssl_personbook/cacert.crt -signkey G:\ssl_personbook/ca-key.pem -days 365
2. Generate the server certificate
Generate the keystore
keytool -genkey -alias tomcat_server -keyalg RSA -keystore g:/ssl_personbook/server_cer/server_keystore
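After entering the command above, the following question appears:
You must input the following: What is your first and last name? *This is the Common Name Field - The Fully Qualified Domain Name MUST be entered here*
[Unknown]: www.globalsign.net (enter your own domain name or IP address here)
Generate the certificate signing request (CSR)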
keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file g:/ssl_personbook\server_cer/server.csr -keypass rooter -keystore g:/ssl_personbook\server_cer/server_keystore -storepass rooter
Sign it with the CA private key (run from OpenSSL\bin>)
openssl x509 -req -in g:/ssl_personbook\server_cer/server.csr -out G:\ssl_personbook/server_cer/server-cert.crt -CA G:\ssl_personbook/cacert.crt -CAkey G:\ssl_personbook/ca-key.pem -CAserial G:\ssl_personbook/ca-ser.srl -CAcreateserial -days 365
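If you do not need a trusted root certificate, the next two steps can be skipped; the server certificate alone then serves as the root certificate.
3. Import the root certificate into the JDK's default trust store (cacerts)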
keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file G:\ssl_personbook\cacert.crt -keystore F:\source_code\PersonBook\jdk\jre\lib\security\cacerts
4. Import the CA-signed server certificate into the keystore
F:\source_code\PersonBook\jdk\bin>keytool -import -v -trustcacerts -storepass rooter -alias tomcat_server -file G:\ssl_personbook\server_cer\server-cert.crt -keystore G:\ssl_personbook\server_cer\server_keystore
Appendix: viewing the server certificate
keytool -list -v -keystore %JDK_HOME%\jre\lib\security\cacerts
keytool -list -v -keystore server\server_keystore
Deleting a certificate
keytool -delete -trustcacerts -alias tomcat -keystore D:/sdks/jdk1.5.0_11/jre/lib/security/cacerts -storepass changeit
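
The same procedure as one batch script with current parameters (2048-bit RSA keys and SHA-256 signatures in place of the 1024-bit key and MD5withRSA used above, and a root explicitly marked as a CA), followed by checks of the result. This is an added example, not part of the original post; it assumes a current openssl and JDK keytool on PATH, and the working directory, passphrase, subject names and the demo_root_ca alias are constructed.

```bat
@echo off
rem Added example (not from the original post). WORK, PASS, the subject names
rem and the demo_root_ca alias are constructed; replace them with your own.
setlocal
set "WORK=%TEMP%\ssl_demo"
set "PASS=replace-with-a-strong-passphrase"
if not exist "%WORK%" mkdir "%WORK%"
cd /d "%WORK%" || exit /b 1
rem Start from a clean keystore so the script can be re-run.
if exist server_keystore del server_keystore

rem 1. CA key and self-signed root: 2048-bit RSA, SHA-256, basicConstraints CA:TRUE
>ca.ext echo basicConstraints=critical,CA:TRUE
openssl genrsa -out ca-key.pem 2048 || exit /b 1
openssl req -new -sha256 -key ca-key.pem -subj "/CN=Demo Root CA" -out ca-req.csr || exit /b 1
openssl x509 -req -sha256 -in ca-req.csr -signkey ca-key.pem -extfile ca.ext -out cacert.crt -days 365 || exit /b 1

rem 2. Server key pair in the keystore, then a CSR signed with SHA256withRSA
keytool -genkeypair -alias tomcat_server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=www.example.com" -keystore server_keystore -storepass %PASS% -keypass %PASS% || exit /b 1
keytool -certreq -alias tomcat_server -sigalg SHA256withRSA -file server.csr -keystore server_keystore -storepass %PASS% -keypass %PASS% || exit /b 1

rem 3. Sign the CSR with the CA key
openssl x509 -req -sha256 -in server.csr -CA cacert.crt -CAkey ca-key.pem -CAserial ca-ser.srl -CAcreateserial -out server-cert.crt -days 365 || exit /b 1

rem 4. Check the result before importing: the chain must verify against the root,
rem    and the printed lines show the signature algorithm and key size actually used.
openssl verify -CAfile cacert.crt server-cert.crt || exit /b 1
openssl x509 -in server-cert.crt -noout -text | findstr /C:"Signature Algorithm" /C:"Public-Key"

rem 5. Import the root into the server keystore (instead of the JDK-wide cacerts),
rem    then import the signed reply under the alias that holds the private key.
keytool -importcert -noprompt -trustcacerts -alias demo_root_ca -file cacert.crt -keystore server_keystore -storepass %PASS% || exit /b 1
keytool -importcert -noprompt -alias tomcat_server -file server-cert.crt -keystore server_keystore -storepass %PASS% -keypass %PASS% || exit /b 1

rem 6. Show how many certificates are chained to the server key entry.
keytool -list -v -alias tomcat_server -keystore server_keystore -storepass %PASS% | findstr /C:"Certificate chain length"
```

Passing the passphrase on the command line exposes it to other local users through the process list; for a real keystore, drop -storepass and -keypass and let keytool prompt.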