OpenSSL and Keytool

 

1、OpenSSL实践

工作中需要配置使用SSL来双向认证并通信的FTP服务器，以OpenSSL和Java的keytool为例，来完成证书的制作：

d:/openssl/mkcerts>openssl genrsa -out ca.key 1024

创建CA私钥
Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
...................................................................++++++
.............++++++
e is 65537 (0x10001)

d:/openssl/mkcerts>openssl req -new -days 3650 -x509 -key ca.key -out cacert.pem -config openssl.cnf

创建CA自签名证书(使用上一步创建的CA私钥来签名)
Using configuration from openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chelseafc
Organizational Unit Name (eg, section) []:FTPTest
Common Name (eg, YOUR name) []:CHELSEA
Email Address []:chelsea@chelseafc.com

d:/openssl/mkcerts>openssl genrsa -des3 -out server.key 1024

创建服务器私钥
Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
..............++++++
.++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

d:/openssl/mkcerts>openssl rsa -in server.key -out serverkey.pem

加密服务器私钥(保护私钥信息)
read RSA key
Enter PEM pass phrase:
writing RSA key

d:/openssl/mkcerts>openssl req -new -days 3650 -key server.key -out server.csr-config openssl.cnf

创建申请服务器所需证书的请求
Using configuration from openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chelseafc
Organizational Unit Name (eg, section) []:FTPTest
Common Name (eg, YOUR name) []:CHELSEA
Email Address []:chelsea@chelseafc.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

d:/openssl/mkcerts>openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in server.csr -out server.pem -config openssl.cnf

CA签署服务器证书(需要CA私钥和序列号文件demoCA/serial, demoCA/index.txt)
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BEIJING'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'Chelseafc'
organizationalUnitName:PRINTABLE:'FTPTest'
commonName :PRINTABLE:'CHELSEA'
emailAddress :IA5STRING:'chelsea@chelseafc.com'
Certificate is to be certified until Oct 26 03:01:33 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

d:/openssl/mkcerts>openssl x509 -in server.pem -out server.crt

转换格式

d:/openssl/mkcerts>openssl x509 -in demoCA/cacert.pem -out demoCA/cacert.crt

转换格式

d:/openssl/mkcerts>keytool -genkey -keyalg RSA -alias ftpsconnector -keystore ftps.jks -storepass changeit -storetype jks

产生Java客户端私钥文件
您的名字与姓氏是什么？
[Unknown]： CHELSEA
您的组织单位名称是什么？
[Unknown]： FTPTest
您的组织名称是什么？
[Unknown]： Chelseafc
您所在的城市或区域名称是什么？
[Unknown]： BEIJING
您所在的州或省份名称是什么？
[Unknown]： BEIJING
该单位的两字母国家代码是什么
[Unknown]： CN
CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING, ST=BEIJING, C=CN 正确吗？
[否]： Y

输入<ftpsconnector>的主密码
（如果和 keystore 密码相同，按回车）：

d:/openssl/mkcerts>keytool -certreq -alias ftpsconnector -keyalg RSA -file ftpsconnector.csr -keystore ftps.jks

产生Java客户端证书请求
输入keystore密码： changeit

d:/openssl/mkcerts>openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in ftpsconnector.csr -out ftpsconnector.pem -config openssl.cnf

CA签署Java客户端证书
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BEIJING'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'Chelseafc'
organizationalUnitName:PRINTABLE:'FTPTest'
commonName :PRINTABLE:'CHELSEA'
Certificate is to be certified until Oct 26 03:05:08 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

d:/openssl/mkcerts>openssl x509 -in ftpsconnector.pem -out ftpsconnector.cer

转换格式

d:/openssl/mkcerts>keytool -import -alias root -trustcacerts -file demoCA/cacert.crt -keystore ftps.jks

导入CA证书到jks文件并信任之(由此CA所签署的所有证书也因此在信任之列)

输入keystore密码： changeit
Owner: EMAILADDRESS=chelsea@chelseafc.com, CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING, S
T=BEIJING, C=CN
发照者： EMAILADDRESS=chelsea@chelseafc.com, CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING,
ST=BEIJING, C=CN
序号： 0
有效期间： Wed Oct 26 10:55:43 CST 2005 至： Sat Oct 24 10:55:43 CST 2015
认证指纹：
MD5： 85:21:11:10:26:4A:CD:01:55:B7:47:DF:0D:58:AA:A3
SHA1： 91:74:88:03:B7:5C:E4:BD:27:1F:27:BF:10:23:0A:BA:2C:42:13:2B
信任这个认证？ [否]： y
认证已添加至keystore中

d:/openssl/mkcerts>keytool -import -alias ftpsconnector -trustcacerts -file ftpsconnector.cer -keystore ftps.jks

导入自己的证书到jks文件(至此,此jks文件包括了建立SSL连接所需所有信息)
输入keystore密码： changeit
认证回复已安装在 keystore中

其它OpenSSL命令举例

openssl pkcs12 -export -clcerts -in client.pem -inkey clientkey.pem -out client.p12

openssl pkcs8 -inform PEM -nocrypt -in abcwebnet-pkcs8.key -out abcwebnet.key

openssl pkcs12 -export -out abcwebnet.pfx -inkey abcwebnet.key -in abcwebnet-pem.crt

... ...

 

2、keytool实践

keystore这个名字其实有点误导,应该是CertStore,可以同时包含两种信息:自己的keyEntry,和trusted cert entry.(自然包括自己的私钥公钥和信任的公钥了)(有时会分开,信任的证书存储在单独的文件中)

keystore可以有两类密码,一个是保护这个文件的(storepass),一种是保护文件里每一个key的(keypass)

可以为每个key指定alias,然后使用alias来引用或访问对应的key

Example:

rem 创建客户端keystore

keytool -genkey -keyalg RSA -keystore client.jks -storetype jks -storepass client -alias client_rsa -keypass client_rsa -dname "CN=Client, OU=IBM, C=US" -keysize 1024 -validity 1460


rem 创建服务端keystore

keytool -genkey -keyalg RSA -keystore server.jks -storetype jks -storepass server -alias server_rsa -keypass server_rsa -dname "CN=Server, OU=IBM, C=US" -keysize 1024 -validity 1460


rem 从客户端keystore中导出通用格式的证书,以备导入到服务端keystore

keytool -export -keystore client.jks -storetype jks -storepass client -alias client_rsa -file client_rsa.cer


rem 从服务端keystore中导出通用格式的证书,以备导入到客户端keystore

keytool -export -keystore server.jks -storetype jks -storepass server -alias server_rsa -file server_rsa.cer


rem 导入客户端证书到服务端keystore(此动作的后果是使服务端信任客户端)

keytool -import -noprompt -keystore server.jks -storetype jks -storepass server -alias client_rsa -file client_rsa.cer


rem 导入服务端证书到客户端keystore(此动作的后果是使客户端信任服务端)

keytool -import -noprompt -keystore client.jks -storetype jks -storepass client -alias server_rsa -file server_rsa.cer


rem 列出客户端keystore包含的信息供查看

keytool -list -keystore client.jks -storepass client -v

rem 列出服务端keystore包含的信息供查看

keytool -list -keystore server.jks -storepass server -v

 

3、Java客户端

客户端通常有一个文件,包含了所有信任的证书信息(包括SSL服务器),如上面的ftps.jks,可以以编程的方式将此文件的位置密码格式等告知客户端socket运行时,这样在试图建立SSL连接时收到服务器发送过来的证书时,便可以进行信任验证

可以通过java.security file in jdk folder 或者 -Djavax.net.ssl.keyStore=xxx -Djavax.net.ssl.keyStorePassword=yyy 来设置

可以参考: http://www-128.ibm.com/developerworks/cn/websphere/techjournal/0502_benantar/0502_benantar.html