`
923080512
  • 浏览: 191347 次
  • 性别: Icon_minigender_1
  • 来自: 商丘
社区版块
存档分类
最新评论

OpenSSL and Keytool

阅读更多

 

1、OpenSSL实践

工作中需要配置使用SSL来双向认证并通信的FTP服务器,以OpenSSL和Java的keytool为例,来完成证书的制作:

d:/openssl/mkcerts>openssl genrsa -out ca.key 1024

创建CA私钥
Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
...................................................................++++++
.............++++++
e is 65537 (0x10001)

d:/openssl/mkcerts>openssl req -new -days 3650 -x509 -key ca.key -out cacert.pem -config openssl.cnf

创建CA自签名证书(使用上一步创建的CA私钥来签名)
Using configuration from openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chelseafc
Organizational Unit Name (eg, section) []:FTPTest
Common Name (eg, YOUR name) []:CHELSEA
Email Address []:chelsea@chelseafc.com

d:/openssl/mkcerts>openssl genrsa -des3 -out server.key 1024

创建服务器私钥
Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
..............++++++
.++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

d:/openssl/mkcerts>openssl rsa -in server.key -out serverkey.pem

加密服务器私钥(保护私钥信息)
read RSA key
Enter PEM pass phrase:
writing RSA key

d:/openssl/mkcerts>openssl req -new -days 3650 -key server.key -out server.csr-config openssl.cnf

创建申请服务器所需证书的请求
Using configuration from openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chelseafc
Organizational Unit Name (eg, section) []:FTPTest
Common Name (eg, YOUR name) []:CHELSEA
Email Address []:chelsea@chelseafc.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

d:/openssl/mkcerts>openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in server.csr -out server.pem -config openssl.cnf

CA签署服务器证书(需要CA私钥和序列号文件demoCA/serial, demoCA/index.txt)
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BEIJING'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'Chelseafc'
organizationalUnitName:PRINTABLE:'FTPTest'
commonName :PRINTABLE:'CHELSEA'
emailAddress :IA5STRING:'chelsea@chelseafc.com'
Certificate is to be certified until Oct 26 03:01:33 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

d:/openssl/mkcerts>openssl x509 -in server.pem -out server.crt

转换格式

d:/openssl/mkcerts>openssl x509 -in demoCA/cacert.pem -out demoCA/cacert.crt

转换格式

d:/openssl/mkcerts>keytool -genkey -keyalg RSA -alias ftpsconnector -keystore ftps.jks -storepass changeit -storetype jks

产生Java客户端私钥文件
您的名字与姓氏是什么?
[Unknown]: CHELSEA
您的组织单位名称是什么?
[Unknown]: FTPTest
您的组织名称是什么?
[Unknown]: Chelseafc
您所在的城市或区域名称是什么?
[Unknown]: BEIJING
您所在的州或省份名称是什么?
[Unknown]: BEIJING
该单位的两字母国家代码是什么
[Unknown]: CN
CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING, ST=BEIJING, C=CN 正确吗?
[否]: Y

输入<ftpsconnector>的主密码
(如果和 keystore 密码相同,按回车):

d:/openssl/mkcerts>keytool -certreq -alias ftpsconnector -keyalg RSA -file ftpsconnector.csr -keystore ftps.jks

产生Java客户端证书请求
输入keystore密码: changeit

d:/openssl/mkcerts>openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in ftpsconnector.csr -out ftpsconnector.pem -config openssl.cnf

CA签署Java客户端证书
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BEIJING'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'Chelseafc'
organizationalUnitName:PRINTABLE:'FTPTest'
commonName :PRINTABLE:'CHELSEA'
Certificate is to be certified until Oct 26 03:05:08 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

d:/openssl/mkcerts>openssl x509 -in ftpsconnector.pem -out ftpsconnector.cer

转换格式

d:/openssl/mkcerts>keytool -import -alias root -trustcacerts -file demoCA/cacert.crt -keystore ftps.jks

导入CA证书到jks文件并信任之(由此CA所签署的所有证书也因此在信任之列)

输入keystore密码: changeit
Owner: EMAILADDRESS=chelsea@chelseafc.com, CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING, S
T=BEIJING, C=CN
发照者: EMAILADDRESS=chelsea@chelseafc.com, CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING,
ST=BEIJING, C=CN
序号: 0
有效期间: Wed Oct 26 10:55:43 CST 2005 至: Sat Oct 24 10:55:43 CST 2015
认证指纹:
MD5: 85:21:11:10:26:4A:CD:01:55:B7:47:DF:0D:58:AA:A3
SHA1: 91:74:88:03:B7:5C:E4:BD:27:1F:27:BF:10:23:0A:BA:2C:42:13:2B
信任这个认证? [否]: y
认证已添加至keystore中

d:/openssl/mkcerts>keytool -import -alias ftpsconnector -trustcacerts -file ftpsconnector.cer -keystore ftps.jks

导入自己的证书到jks文件(至此,此jks文件包括了建立SSL连接所需所有信息)
输入keystore密码: changeit
认证回复已安装在 keystore中

其它OpenSSL命令举例

openssl pkcs12 -export -clcerts -in client.pem -inkey clientkey.pem -out client.p12

openssl pkcs8 -inform PEM -nocrypt -in abcwebnet-pkcs8.key -out abcwebnet.key

openssl pkcs12 -export -out abcwebnet.pfx -inkey abcwebnet.key -in abcwebnet-pem.crt

... ...

 

2、keytool实践

keystore这个名字其实有点误导,应该是CertStore,可以同时包含两种信息:自己的keyEntry,和trusted cert entry.(自然包括自己的私钥公钥和信任的公钥了)(有时会分开,信任的证书存储在单独的文件中)

keystore可以有两类密码,一个是保护这个文件的(storepass),一种是保护文件里每一个key的(keypass)

可以为每个key指定alias,然后使用alias来引用或访问对应的key

Example:


rem 创建客户端keystore

keytool -genkey -keyalg RSA -keystore client.jks -storetype jks -storepass client -alias client_rsa -keypass client_rsa -dname "CN=Client, OU=IBM, C=US" -keysize 1024 -validity 1460


rem 创建服务端keystore

keytool -genkey -keyalg RSA -keystore server.jks -storetype jks -storepass server -alias server_rsa -keypass server_rsa -dname "CN=Server, OU=IBM, C=US" -keysize 1024 -validity 1460


rem 从客户端keystore中导出通用格式的证书,以备导入到服务端keystore

keytool -export -keystore client.jks -storetype jks -storepass client -alias client_rsa -file client_rsa.cer


rem 从服务端keystore中导出通用格式的证书,以备导入到客户端keystore

keytool -export -keystore server.jks -storetype jks -storepass server -alias server_rsa -file server_rsa.cer


rem 导入客户端证书到服务端keystore(此动作的后果是使服务端信任客户端)

keytool -import -noprompt -keystore server.jks -storetype jks -storepass server -alias client_rsa -file client_rsa.cer


rem 导入服务端证书到客户端keystore(此动作的后果是使客户端信任服务端)

keytool -import -noprompt -keystore client.jks -storetype jks -storepass client -alias server_rsa -file server_rsa.cer


rem 列出客户端keystore包含的信息供查看

keytool -list -keystore client.jks -storepass client -v

rem 列出服务端keystore包含的信息供查看

keytool -list -keystore server.jks -storepass server -v

 

3、Java客户端

客户端通常有一个文件,包含了所有信任的证书信息(包括SSL服务器),如上面的ftps.jks,可以以编程的方式将此文件的位置密码格式等告知客户端socket运行时,这样在试图建立SSL连接时收到服务器发送过来的证书时,便可以进行信任验证

可以通过java.security file in jdk folder 或者 -Djavax.net.ssl.keyStore=xxx -Djavax.net.ssl.keyStorePassword=yyy 来设置

可以参考: http://www-128.ibm.com/developerworks/cn/websphere/techjournal/0502_benantar/0502_benantar.html

分享到:
评论

相关推荐

    https证书生成工具(openssl和jre(自带keytool)) for windows.rar

    压缩包中可能包含详细的操作步骤文档,包括如何配置openssl和keytool环境,如何执行相关命令,以及可能出现的问题及解决方法。务必仔细阅读并按照说明进行操作,以确保证书的正确生成。 6. **安全性注意事项** - ...

    java生成证书 包括openssl

    Java 生成证书是指通过 Java 的 keytool 工具和 OpenSSL 库生成数字证书的过程。在 HTTPS 环境下,证书是必不可少的组件, play a crucial role in ensuring the security and authenticity of online transactions....

    nginx 离线安装包 openssl and zlib

    本文将深入探讨如何离线安装Nginx,并结合openssl和zlib这两个关键组件进行详细讲解。 首先,openssl是开源的SSL/TLS协议实现,用于提供加密通信和身份验证。它支持多种加密算法,包括RSA、DSA、ECDH等,是构建安全...

    openSSL 0.9.8 and openSSH 6.0 for AIX 5 AIX 6 AIX 7

    (1)选择[Install and Update Software] (2)选择[Install Software] (3)输入当前路径(./) (4)修改[ACCEPT new license agreements?]的值为[yes](按[Tab]键),之后按下[Enter]键 (5)再次按下[Enter]键,开始...

    openssl 生成client.jks与server.jks文件的方法

    openssl 生成 client.jks 与 server.jks 文件的方法 在 WS 安全性设计中,使用 OpenSSL 生成 client.jks 与 server.jks 文件是非常必要的。下面我们将详细介绍如何使用 OpenSSL 生成这两个文件。 Step 1: 创建证书...

    openssl_lib_and_dll_debug_release

    标题“openssl_lib_and_dll_debug_release”指向的是OpenSSL在Windows平台上的不同构建版本,包括静态库和动态库,以及它们的Debug和Release模式。 首先,让我们来理解OpenSSL的静态库(lib)和动态库(dll)。静态...

    OpenSSL生成的ssl证书

    **OpenSSL生成的ssl证书** 在互联网安全领域,SSL(Secure Socket Layer)证书是保障网站数据传输安全的重要工具。OpenSSL是一个开源的库,包含了各种加密算法,它提供了生成SSL证书的功能。本教程将详细介绍如何...

    openssl和openssl-devel离线rpm安装包.zip_OPENSSL 库_openssl_openssl-deve

    `openssl-devel` 是OpenSSL的开发库,包含了头文件和静态链接库,用于编译和链接到OpenSSL功能的应用程序。开发人员在编写需要使用OpenSSL的软件时,需要安装这个包,以便在编译时可以正确地引用OpenSSL的函数和结构...

    openssl-1.0.2u + openssl-1.0.2k

    标题中的"openssl-1.0.2u + openssl-1.0.2k"指的是OpenSSL库的两个不同版本,1.0.2u和1.0.2k。OpenSSL是一个开源项目,提供安全套接层(SSL)和传输层安全(TLS)协议的实现,用于加密通信,确保网络数据传输的安全...

    java + keytool+openssl 实现批量生成客户端证书

    使用Java实现根据ca购买到的根证书 批量生产客户端需要的.bks和.cer文件,从而实现双向认证

    openssl-1.0.0.tar.gz~~openssl-3.3.1.tar.gz.zip

    不同版本的OpenSSL压缩包: openssl-1.0.0.tar.gz openssl-1.0.1.tar.gz openssl-1.0.2.tar.gz openssl-1.1.0.tar.gz openssl-1.1.1.tar.gz openssl-3.0.14.tar.gz openssl-3.1.6.tar.gz openssl-3.2.2.tar.gz ...

    openssl-win32工具 win32OpenSSL

    用openSSL工具生成密钥使用说明: 安装后进入OpenSSL工具,输入如下命令: • Linux用户(以Ubuntu为例): $ openssl 进入OpenSSL程序 OpenSSL&gt; genrsa -out rsa_private_key.pem 1024 生成私钥 OpenSSL&gt; pkcs8 -...

    openssl(include and lib )

    标题中的"openssl (include and lib)"指的是OpenSSL库的头文件(include)和编译库文件(lib),它们是开发者在构建支持SSL/TLS功能的应用程序时必不可少的部分。 **1. OpenSSL的头文件(include)** 头文件包含了...

    openssl 1.0.0 天涯浪子

    The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation. OpenSSL is based on the ...

    安装openssl和openssl-develd 的依赖包

    这里我们关注的是“openssl”和“openssl-devel”这两个关键组件,它们是实现安全套接字层(SSL)和传输层安全(TLS)协议的基础。SSL/TLS协议用于加密网络通信,确保数据在传输过程中不被窃取或篡改。 **openssl**...

    centosopenssl-1.1.1u+openssl-1.1.1vopenssl1.1.1u+openssl1.1.1v

    centos7 最新版本的openssl rpm安装包 openssl-1.1.1u-1.el7.x86_64.rpm openssl-debuginfo-1.1.1u-1.el7.x86_64.rpm openssl-devel-1.1.1u-1.el7.x86_64.rpm openssl-1.1.1v-1.el7.x86_64.rpm openssl-debuginfo-...

Global site tag (gtag.js) - Google Analytics