CAS单点登陆实践-1:创建x.509证书

准备x.509证书

首先要下载openssl,我的是win32openssl-0_9_8d.exe,安装后,配置一下环境变量,和jdk配置一样.
接下来创建x.509.
颜色标识:该颜色表示你要输入的东西
第一步:创建私钥(这里输入命令即可)
C:\OpenSSL\apps>openssl genrsa -out root/root-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
...++++++
......++++++
e is 65537 (0x10001)

C:\OpenSSL\apps>

第二步:创建证书请求(这里输入命名后会让你填写一些东西)
C:\OpenSSL\apps>openssl req -new -out root/root-req.csr -key root/root-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN   //这里往下会让你输入一些东西
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:chuanyu
Organizational Unit Name (eg, section) []:chuanyu
Common Name (eg, YOUR name) []:weishuwei
Email Address []:weishuwei112@sina.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:chuanyu

C:\OpenSSL\apps>

第三步:产生受信任的证书文件(根据root-req.csr产生,而root-req.csr又是通过
root-key.pem产生,也就是说私钥文件签署了该证书文件,注:这个是自签署文件,下面有自签署和非自签署的区别)
C:\OpenSSL\apps>openssl x509 -req -in root/root-req.csr -out root/root-cert.pem
-signkey root/root-key.pem -days 3650
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=chuanyu/OU=chuanyu/CN=weishuwei/emailAddr
ess=weishuwei112@sina.com
Getting Private key

第四步:将受信任的证书导出成浏览器支持的.p12(PKCS12)格式.
C:\OpenSSL\apps>openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkey root/root-key.pem -out root/root.p12
Loading 'screen' into random state - done
Enter Export Password: ******    // (DOS下不会显示星号,光标也不动,感觉没输入上一样);
Verifying - Enter Export Password:******   //重新输入一次刚才输入的密码

C:\OpenSSL\apps>

第五步:将受信任的证书导出成JKS格式(这一步可选,这种格式供tomcat使用,tomcat的trustStore同时支持JKS和PKCS12两种格式,直接用上步的p12格式也行)
C:\OpenSSL\apps\root>keytool -import -v -trustcacerts -storepass password -alias
 root -file root-cert.pem -keystore root.jks
Owner: EMAILADDRESS=weishuwei112@sina.com, CN=weishuwei, OU=chuanyu, O=chuanyu,
L=shanghai, ST=shanghai, C=CN
发照者： EMAILADDRESS=weishuwei112@sina.com, CN=weishuwei, OU=chuanyu, O=chuanyu
, L=shanghai, ST=shanghai, C=CN
序号： 9a8cf5246b9bb7a7
有效期间： Thu May 17 09:28:44 CST 2007 至： Sun May 14 09:28:44 CST 2017
认证指纹：
         MD5：  6B:23:EB:8B:0B:3D:D0:61:ED:59:26:45:F7:DD:EE:37
         SHA1： EB:CF:D6:53:58:15:9B:88:91:6D:79:38:6E:2B:E4:BD:A8:65:BA:E3
信任这个认证？ [否]：  y
认证已添加至keystore中
[正在存储 root.jks]

自签署证书文件和非自签署证书文件的命令差别:
1,注意:这个是自签署证书文件.
openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey root/root-key.pem -days 3650
2,注意:这个是有别的签署证书文件.server client
openssl x509 -req -in server/ server -req.csr -out server /root-cert.pem -signkey root/root-key.pem –CA root/root-cert.pem –CAkey root/root-key.pem CAcreateserial –days 3650

评论

1 楼 stone 2007-05-17  

呵呵，不错，挺详细的
以前cas的时候看到ssl就头大，准备自己做证书有些无从下手
学习了