Generate certificate in Java -- Self signed certificate


This is the first post in a series in which I will show you how to generate SSL certificates in Java programmatically. Certificates are central to SSL communication, which requires the server to authenticate itself to the client so that the client can trust that the server really is who it claims to be. All HTTPS communication on the Internet needs the server side to present a certificate signed by a trusted CA.

The basic flow is: first some tool generates a certificate signing request; that request is sent to a trusted CA for signing; the CA signs the certificate and returns it to the requester; the requester then installs the certificate on its server.

There are many tools you can use to complete these steps, for example openssl, Java keytool and iKeyman. In Java you can also write the code yourself to generate the certificate.

If you are using keytool, the command below creates a private key and its associated self signed certificate in a JKS keystore:

keytool -genkeypair -alias rsakey -keyalg rsa -storepass passphrase -keystore mytestkeys.jks -storetype JKS -dname "CN=ROOT"

In this post we will start with the easiest way to create a usable certificate: a self signed certificate. A certificate is self signed when its issuer is the same as its subject, i.e. you sign your own certificate with your own private key.

In Java, the JDK-internal class CertAndKeyGen (package sun.security.tools.keytool, the same code keytool itself uses) can be used to generate keys and certificates. It generates a key pair, gives you access to it, and provides some simple certificate management functionality: specifically, it lets you create self-signed X.509 certificates as well as PKCS#10 certificate signing requests. Because it is internal API it is not part of the public JDK contract, and on JDK 9 and later the module system must be told to export it (see the comment in the code below).

Below is the code snippet to generate a self signed certificate:

import java.security.cert.X509Certificate;

// JDK-internal API; on JDK 9+ compile and run with
//   --add-exports java.base/sun.security.tools.keytool=ALL-UNNAMED
//   --add-exports java.base/sun.security.x509=ALL-UNNAMED
import sun.security.tools.keytool.CertAndKeyGen;
import sun.security.x509.X500Name;

public class SelfSignedCertificateGeneration {
    public static void main(String[] args) {
        try {
            // Key algorithm, signature algorithm, provider (null = default provider).
            // SHA1WithRSA with a 1024-bit key is kept here only so the output below
            // matches; both are considered too weak today (use SHA256WithRSA / 2048+ bits).
            CertAndKeyGen keyGen = new CertAndKeyGen("RSA", "SHA1WithRSA", null);
            keyGen.generate(1024);

            // Generate the self signed certificate: subject and issuer are both CN=ROOT,
            // and it is signed with the private key generated above. Validity is in seconds.
            X509Certificate[] chain = new X509Certificate[1];
            chain[0] = keyGen.getSelfCertificate(new X500Name("CN=ROOT"), 365L * 24 * 3600);

            System.out.println("Certificate : " + chain[0].toString());
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}

Let's have a look at the certificate data:

Certificate : [
[
   Version: V3
   Subject: CN=ROOT
   Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
 
   Key:  Sun RSA public key, 1024 bits
   modulus: 114391309107542773913020327258312183039826043488144930936432429784366769808118582358673188617553493179715429490538390339548553158770231498533107085203543482991384318715251748594629731873902297622858400215317090155179482056595085606008433735465924998820797111761561551868239613864908732016915661242341876829949
   public exponent: 65537
   Validity: [From: Wed Jul 30 21:06:29 SGT 2014,
                To: Thu Jul 30 21:06:29 SGT 2015]
   Issuer: CN=ROOT
   SerialNumber: [    0b000b59]
 
]
   Algorithm: [SHA1withRSA]
   Signature:
0000: 94 F9 DD 3D 95 4F BC 63   A6 A3 09 9E 63 EF CA 91  ...=.O.c....c...
0010: 97 55 C1 9E B2 12 52 13   7A 7B 73 B1 B8 ED A8 EF  .U....R.z.s.....
0020: F5 1C EB 27 71 F2 60 22   BC E9 0B 01 1D 70 C1 5E  ...'q.`".....p.^
0030: D6 D1 E8 AB 4D 2C CC F6   70 2B 7A D4 37 95 7A CC  ....M,..p+z.7.z.
0040: E2 A1 FE F9 3F 11 18 FD   36 CB 22 62 FB 5A E2 5D  ....?...6."b.Z.]
0050: E6 6C BF 61 C7 1F 03 BA   FE B5 85 47 DD 7F C0 CB  .l.a.......G....
0060: F3 F1 A0 79 35 0F 2A F7   79 0E 1E 79 A1 11 2E 44  ...y5.*.y..y...D
0070: 85 10 F2 B3 9F 07 F0 24   D3 1A AC 28 0C CE 4B 04  .......$...(..K.
 
]

From the certificate data you can see that the Subject and the Issuer are the same.
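As an added example (not code from the original post), the program below generates the certificate the same way but then checks the "self signed" property programmatically, the signature verifies under the certificate's own public key and the issuer DN equals the subject DN, and stores the key pair in a PKCS#12 keystore the way keytool -genkeypair would. It uses 2048-bit RSA with SHA-256 instead of the post's 1024-bit/SHA-1 parameters; the keystore file name and password are assumptions.

```java
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

// JDK-internal API; on JDK 9+ run with
//   --add-exports java.base/sun.security.tools.keytool=ALL-UNNAMED
//   --add-exports java.base/sun.security.x509=ALL-UNNAMED
import sun.security.tools.keytool.CertAndKeyGen;
import sun.security.x509.X500Name;

public class SelfSignedCheck {

    // A certificate is self signed when (a) its signature verifies under its own
    // public key and (b) its issuer name is identical to its subject name.
    static boolean isSelfSigned(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());   // throws on any signature mismatch
        } catch (Exception e) {
            return false;
        }
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        // Current-strength parameters: 2048-bit RSA key, SHA-256 signature.
        CertAndKeyGen keyGen = new CertAndKeyGen("RSA", "SHA256WithRSA", null);
        keyGen.generate(2048);
        X509Certificate cert =
            keyGen.getSelfCertificate(new X500Name("CN=ROOT"), 365L * 24 * 3600);
        PrivateKey key = keyGen.getPrivateKey();

        cert.checkValidity();                  // throws if not valid right now
        System.out.println("self signed: " + isSelfSigned(cert));   // expected: true
        System.out.println("subject=" + cert.getSubjectX500Principal()
                         + " issuer=" + cert.getIssuerX500Principal());

        // Persist private key + certificate chain in a PKCS#12 keystore.
        // Assumed file name and password (placeholder, not from the post).
        char[] password = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                   // initialise an empty keystore
        ks.setKeyEntry("rsakey", key, password, new X509Certificate[] { cert });
        try (FileOutputStream out = new FileOutputStream("selfsigned.p12")) {
            ks.store(out, password);
        }
    }
}
```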

In the next post, I will show you how to create a certificate chain using Java programmatically.
