Commonly used: import a certificate
%JAVA_HOME%\jre\lib\security>keytool -import -keystore cacerts -alias "gatewaytest" -storepass "changeit" -file gatewaytest.crt
Commonly used: delete a certificate
keytool -delete -alias "gateway" -keystore cacerts
Commonly used: list the certificates in a keystore
keytool -list -v -keystore cacerts
Source: http://shib.kuleuven.be/docs/ssl_commands.shtml
openssl
generate a new private key and matching Certificate Signing Request (eg to send to a commercial CA)
openssl req -out MYCSR.csr -pubkey -new -keyout MYKEY.key
add -nodes to create an unencrypted private key
add -config <openssl.cnf> if your config file has not been set in the environment
decrypt private key
openssl rsa -in MYKEY.key >> MYKEY-NOCRYPT.key
generate a certificate signing request for an existing private key
openssl req -out MYCSR.csr -key MYKEY.key -new
generate a certificate signing request based on an existing x509 certificate
openssl x509 -x509toreq -in MYCRT.crt -out MYCSR.csr -signkey MYKEY.key
create self-signed certificate (can be used to sign other certificates)
openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 365
sign a Certificate Signing Request
openssl x509 -req -in MYCSR.csr -CA MY-CA-CERT.crt -CAkey MY-CA-KEY.key -CAcreateserial -out MYCERT.crt -days 365
-days has to be less than the validity of the CA certificate
convert DER (.crt .cer .der) to PEM
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem
convert PEM to DER
openssl x509 -outform der -in MYCERT.pem -out MYCERT.der
convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates
openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes
add -nocerts for private key only; add -nokeys for certificates only
convert (add) a separate key and certificate to a new keystore of type PKCS#12
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat"
convert (add) a separate key and certificate to a new keystore of type PKCS#12 for use with a server that should send the chain too (eg Tomcat)
openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat" -CAfile MY-CA-CERT.crt -caname myCA -chain
you can repeat the combination of "-CAfile" and "-caname" for each intermediate certificate
check a private key
openssl rsa -in MYKEY.key -check
add -noout to not disclose the key
check a Certificate Signing Request
openssl req -text -noout -verify -in MYCSR.csr
check a certificate
openssl x509 -in MYCERT.crt -text -noout
check a PKCS#12 keystore
openssl pkcs12 -info -in KEYSTORE.p12
check a trust chain of a certificate
openssl verify -CAfile MYCHAINFILE.pem -verbose MYCERT.crt
trust chain is in directory (hash format): replace -CAfile with -CApath /path/to/CAchainDir/
to check for server usage: -purpose sslserver
to check for client usage: -purpose sslclient
debug an SSL connection [server doesn't require certificate authentication]
openssl s_client -connect idp.example.be:443
debug an SSL connection with mutual certificate authentication
openssl s_client -connect idp.example.be:8443 -CAfile MY-CA-CERT.crt -cert MYCERT.crt -key MYKEY.key
trust chain is in directory (hash format): replace -CAfile with -CApath /path/to/CAchainDir/
send the starttls command (smtp or pop3 style): -starttls smtp or -starttls pop3
keytool
keytool does not support management of private keys inside a keystore. You need to use another tool for that. If you are using the JKS format, that means you need another Java-based tool. extkeytool from the Shibboleth distribution can do this.
Create an empty keystore
keytool -genkey -alias foo -keystore truststore.jks
keytool -delete -alias foo -keystore truststore.jks
Generate a private key and an initial certificate as a JKS keystore
keytool -genkey -keyalg RSA -alias "selfsigned" -keystore KEYSTORE.jks -storepass "secret" -validity 360
you can also pass the data for the DN of the certificate as command-line parameters: -dname "CN=${pki-cn}, OU=${pki-ou}, O=${pki-o}, L=${pki-l}, S=${pki-s}, C=${pki-c}"
Generate a secret key that can be used for symmetric encryption. For this to work, you need to make use of a JCEKS keystore.
keytool -genseckey -alias "secret_key" -keystore KEYSTORE.jks -storepass "secret" -storetype "JCEKS"
Generate a Certificate Signing Request for a key in a JKS keystore
keytool -certreq -v -alias "selfsigned" -keystore KEYSTORE.jks -storepass "secret" -file MYCSR.csr
Import a (signed) certificate into a JKS keystore
keytool -import -keystore KEYSTORE.jks -storepass "secret" -file MYCERT.crt
add a public certificate to a JKS keystore, eg the JVM truststore
keytool -import -trustcacerts -alias "sensible-name-for-ca" -file CAcert.crt -keystore MYSTORE.jks
If the JVM truststore contains your certificate or the certificate of the root CA that signed your certificate, then the JVM will trust and thus might accept your certificate. The default truststore already contains the root certificates of most commonly used commercial CAs. Use this command to add another certificate for trust:
keytool -import -trustcacerts -alias "sensible-name-for-ca" -file CAcert.crt -keystore $JAVA_HOME/lib/security/cacerts
the default password of the Java truststore is "changeit".
if $JAVA_HOME is set to the root of the JDK, then the truststore is at $JAVA_HOME/jre/lib/security/cacerts
keytool does NOT support adding trust certificates to a PKCS12 keystore (which is very unfortunate but probably a good move to promote JKS)
delete a public certificate from a JAVA keystore (JKS; eg JVM truststore)
keytool -delete -alias "sensible-name-for-ca" -keystore $JAVA_HOME/lib/security/cacerts
the default password of the Java truststore is "changeit".
if $JAVA_HOME is set to the root of the JDK, then the truststore is at $JAVA_HOME/jre/lib/security/cacerts
List the certificates inside a keystore
keytool -list -v -keystore KEYSTORE.jks
-storetype pkcs12 can be used
Get information about a stand-alone certificate
keytool -printcert -v -file MYCERT.crt
Convert a JKS file to PKCS12 format (Java 1.6.x and above)
keytool -importkeystore -srckeystore KEYSTORE.jks -destkeystore KEYSTORE.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass mysecret -deststorepass mysecret -srcalias myalias -destalias myalias -srckeypass mykeypass -destkeypass mykeypass -noprompt
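The keytool commands above chained into one runnable flow, as an added example that is not part of the original cheat sheet: a key pair in a JKS keystore, a CSR for it, the self-signed certificate exported and imported (with -noprompt, so it works in scripts) into a separate truststore created with the "empty keystore" trick, and finally the JKS converted to PKCS#12. The file names, aliases, DN and passwords are constructed demo values; the script skips cleanly when keytool is not installed.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: the keytool commands run end to end
# in a throw-away directory. File names, aliases, the DN and the passwords are
# constructed demo values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# keytool ships with every JDK/JRE but is not on every box; skip cleanly without it.
have_keytool() { command -v keytool >/dev/null 2>&1; }

# Runs the whole flow, checks the results and prints "ok" (or "skipped: ...").
keytool_demo() {
    have_keytool || { echo "skipped: keytool not found"; return 0; }
    rm -f KEYSTORE.jks KEYSTORE.p12 truststore.jks MYCSR.csr selfsigned.crt

    # 1. private key + self-signed certificate, DN given on the command line.
    #    -genkeypair is the current name of -genkey; -storetype JKS because JDK 9+
    #    defaults to PKCS12 regardless of the file extension.
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias selfsigned \
        -dname "CN=idp.example.invalid, OU=Demo, O=Example, L=Leuven, C=BE" \
        -keystore KEYSTORE.jks -storetype JKS -storepass secret -keypass secret \
        -validity 360 2>/dev/null
    # 2. CSR for that key (the file you would hand to a CA)
    keytool -certreq -alias selfsigned -keystore KEYSTORE.jks -storetype JKS \
        -storepass secret -file MYCSR.csr 2>/dev/null
    # 3. export the public certificate (PEM) so another JVM can be told to trust it
    keytool -exportcert -rfc -alias selfsigned -keystore KEYSTORE.jks -storetype JKS \
        -storepass secret -file selfsigned.crt 2>/dev/null
    # 4. the "empty keystore" trick from the page: create a throw-away entry, delete it
    keytool -genkeypair -keyalg RSA -alias foo -dname "CN=foo" -keystore truststore.jks \
        -storetype JKS -storepass changeit -keypass changeit 2>/dev/null
    keytool -delete -alias foo -keystore truststore.jks -storetype JKS \
        -storepass changeit 2>/dev/null
    # 5. trust the certificate; -noprompt answers the interactive
    #    "Trust this certificate?" question, which is what scripts need
    keytool -importcert -trustcacerts -noprompt -alias demo-ca -file selfsigned.crt \
        -keystore truststore.jks -storetype JKS -storepass changeit 2>/dev/null
    # 6. JKS -> PKCS#12 (Java 1.6 and above)
    keytool -importkeystore -srckeystore KEYSTORE.jks -destkeystore KEYSTORE.p12 \
        -srcstoretype JKS -deststoretype PKCS12 -srcstorepass secret -deststorepass secret \
        -srcalias selfsigned -destalias selfsigned -srckeypass secret -destkeypass secret \
        -noprompt 2>/dev/null

    # Checks: exactly one trusted entry in the truststore, a private key entry in the
    # PKCS#12 file, and a well-formed CSR.
    n=$(keytool -list -keystore truststore.jks -storetype JKS -storepass changeit 2>/dev/null \
        | grep -c trustedCertEntry || true)
    [ "$n" -eq 1 ] || { echo "expected 1 trusted entry, found $n"; return 1; }
    keytool -list -keystore KEYSTORE.p12 -storetype PKCS12 -storepass secret 2>/dev/null \
        | grep -q PrivateKeyEntry || { echo "no PrivateKeyEntry in KEYSTORE.p12"; return 1; }
    grep -q 'BEGIN NEW CERTIFICATE REQUEST' MYCSR.csr || { echo "bad CSR"; return 1; }
    echo "ok"
}

keytool_demo
```

The passwords are passed on the command line only because this is a throw-away demo; in real use keytool prompts for them, or reads them from a file via -storepass:file, which keeps them out of the shell history.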
certutil
Add a PKCS12 to a Windows certificate store
certutil -p secret -importpfx KEYSTORE.p12
notes:
openssl for win32 can be downloaded at http://www.slproweb.com/products/Win32OpenSSL.html. Version v0.9.8 is known to cause problems in combination with Shibboleth SP v1.3!
keytool is a part of each Sun Java distribution (binary). You need it to manipulate the Java KeyStore (JKS) format.
hash format: the -CApath directory should contain each certificate that needs to be trusted. The name of each certificate file has to be the certificate's subject hash followed by a dot and a number (e.g. <hash>.0). On Unix, execute "$ c_rehash ./" in that directory to create symlinks with the correct names. You can also do this manually with the -hash option of openssl x509 (see "openssl verify").
please send remarks, corrections and other often used commands to shib@kuleuven.net
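The openssl half of the cheat sheet as one runnable flow, and the hash-format -CApath layout from the notes above, as an added example that is not part of the original page: a self-signed CA, a new key with its CSR, the CSR signed by the CA (with -days below the CA's validity), the chain checked with -CAfile and with a <hash>.0 symlink directory, a negative check showing that the leaf is rejected without the CA, and the key, certificate and chain packed into a PKCS#12 file. File names, subject names and the minimal openssl config passed with -config are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the KU Leuven cheat sheet: a small two-tier PKI
# built with the openssl commands above in a throw-away directory. File names
# (demo-ca.*, demo-leaf.*, demo-capath/, demo.cnf) and subjects are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config passed with -config so the demo does not depend on the system
# openssl.cnf; the v3_ca section marks the CA certificate as a CA, which
# "openssl verify" requires before it accepts the certificate as an issuer.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

build_demo_pki() {
    # 1. self-signed CA (can be used to sign other certificates); -nodes: no key passphrase
    openssl req -x509 -new -nodes -newkey rsa:2048 -config demo.cnf -extensions v3_ca \
        -subj "/CN=Demo Test CA" -keyout demo-ca.key -out demo-ca.crt -days 365 2>/dev/null
    # 2. new private key and matching CSR for the server
    openssl req -new -nodes -newkey rsa:2048 -config demo.cnf \
        -subj "/CN=idp.example.invalid" -keyout demo-leaf.key -out demo-leaf.csr 2>/dev/null
    # 3. sign the CSR with the CA; -days stays below the CA's own validity
    openssl x509 -req -in demo-leaf.csr -CA demo-ca.crt -CAkey demo-ca.key \
        -CAcreateserial -out demo-leaf.crt -days 90 2>/dev/null
    # 4. hash-format directory for -CApath: <subject hash>.0 -> CA certificate,
    #    which is exactly what c_rehash does for every certificate in a directory
    mkdir -p demo-capath
    ln -sf "$WORK/demo-ca.crt" "demo-capath/$(openssl x509 -hash -noout -in demo-ca.crt).0"
    # 5. PKCS#12 keystore with key, certificate and chain, as a server like Tomcat wants it
    openssl pkcs12 -export -in demo-leaf.crt -inkey demo-leaf.key -out demo-leaf.p12 \
        -name tomcat -CAfile demo-ca.crt -caname demoCA -chain -passout pass:secret
}

# Trust chain check against a chain file, also asserting the server purpose.
verify_with_cafile() {
    openssl verify -CAfile demo-ca.crt -purpose sslserver demo-leaf.crt 2>&1 | grep -q ': OK$'
}

# Same check, with trust coming from the hash-format directory instead.
verify_with_capath() {
    openssl verify -CApath demo-capath demo-leaf.crt 2>&1 | grep -q ': OK$'
}

# Negative case: without the CA the leaf must NOT verify ("unable to get local
# issuer certificate"). Returns 0 only if openssl indeed rejects it.
verify_without_ca_fails() {
    if openssl verify demo-leaf.crt >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Number of certificates packed into the PKCS#12 file (leaf + CA = 2).
count_p12_certs() {
    openssl pkcs12 -in demo-leaf.p12 -passin pass:secret -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

build_demo_pki
verify_with_cafile && verify_with_capath && verify_without_ca_fails \
    && echo "chain OK, $(count_p12_certs) certificates in demo-leaf.p12"
```

The negative check is the one worth keeping in mind when debugging: "openssl verify" succeeding only because the CA happens to be in the machine's default store says nothing about what a server with its own -CAfile or truststore will accept, so always verify against the exact chain file or directory that deployment uses.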