利用openssl创建一个简单的ca+在glassfishV2中使用ssl

一、创建CA需要用到的目录和文件
执行命令如下：
mkdir "$HOME/testca"
cd "$HOME/testca"
mkdir newcerts private conf
chmod g-rwx,o-rwx private
echo "01" > serial
touch index.txt
说明：
/testca为待建CA的主目录。
其中newcerts子目录将存放CA签署（颁发）过的数字证书（证书备份目录）。
而private目录用于存放CA的私钥。
目录conf只是用于存放一些简化参数用的配置文件。
文件serial和index.txt分别用于存放下一个证书的序列号和证书信息数据库。
当然，偷懒起见，可以只用按照本文操作即可，不一定需要关心各个目录和文件的作用。

二、生成CA的私钥和自签名证书(即根证书)
创建文件：
vi "$HOME/testca/conf/gentestca.conf"
文件内容如下：
{
####################################
[ req ]
default_keyfile = $ENV::HOME/testca/private/cakey.pem
default_md = md5
prompt = no
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions

[ ca_distinguished_name ]
organizationName = TestOrg
organizationalUnitName = TestDepartment
commonName = TestCA
emailAddress = ca_admin@testorg.com

[ ca_extensions ]
basicConstraints = CA:true
########################################
}
然后执行命令如下：
cd "$HOME/testca"
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 2190 -config "$HOME/testca/conf/gentestca.conf"
openssl x509 -in cacert.pem -text –noout
执行过程中需要输入CA私钥的保护密码，假设我们输入密码： 888888
可以用如下命令查看一下CA自己证书的内容
openssl x509 -in cacert.pem -text –noout

三、创建一个配置文件，以便后续CA日常操作中使用
vi "$HOME/testca/conf/testca.conf"
文件内容如下：
{
####################################
[ ca ]
default_ca = testca # The default ca section

[ testca ]
dir = $ENV::HOME/testca # top dir
database = $dir/index.txt # index file.
new_certs_dir = $dir/newcerts # new certs dir

certificate = $dir/cacert.pem # The CA cert
serial = $dir/serial # serial no file
private_key = $dir/private/cakey.pem # CA private key
RANDFILE = $dir/private/.rand # random number file

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # message digest method to use
unique_subject = no # Set to 'no' to allow creation of
 # several ctificates with same subject.
policy = policy_any # default policy

[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

########################################
}

四、停止glassfish服务器
asadmin stop-domain

五、更改域 domain1 的主密码
asadmin change-master-password --savemasterpassword=true
输入66666666

六、删除glassfish 自带的证书
cd E:\Java\jdk1.5.0_12\bin
keytool -delete -alias s1as -keystore E:\glassfish\domains\domain1\config\keystore.jks -storepass 66666666

七、查看里面的证书是否还存在，如果空了说明删除成功
keytool -list -rfc -keystore E:\glassfish\domains\domain1\config\keystore.jks

八、为glassfish服务器生成新密钥对
keytool -genkey -keyalg rsa -keystore E:\glassfish\domains\domain1\config\keystore.jks -validity 365 -alias s1as
{
输入keystore密码：  66666666
您的名字与姓氏是什么？
  [Unknown]：  jlx.zju.edu.cn
您的组织单位名称是什么？
  [Unknown]：  zf
您的组织名称是什么？
  [Unknown]：  zfsoft
您所在的城市或区域名称是什么？
  [Unknown]：  hz
您所在的州或省份名称是什么？
  [Unknown]：  zj
该单位的两字母国家代码是什么
  [Unknown]：  cn
CN=jlx.zju.edu.cn, OU=zf, O=zfsoft, L=hz, ST=zj, C=cn 正确吗？
  [否]：  是

输入<s1as>的主密码
        （如果和 keystore 密码相同，按回车）：
}

九、生成证书签名请求(CSR文件)
keytool -certreq -alias s1as -file E:\glassfish\domains\domain1\config\req\s1as.csr -keystore E:\glassfish\domains\domain1\config\keystore.jks -storepass 66666666

十、使用openssl签名证书
openssl ca -in $HOME/testca/newcerts/s1as.csr -out $HOME/testca/newcerts/s1as.crt -config "$HOME/testca/conf/testca.conf"

十一、查看已签好的证书
openssl x509 -in $HOME/testca/newcerts/s1as.crt -text -noout
{
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=TestOrg, OU=TestDepartment, CN=TestCA/emailAddress=ca_admin@testorg.com
        Validity
            Not Before: Feb 15 02:51:36 2011 GMT
            Not After : Feb 15 02:51:36 2012 GMT
        Subject: C=cn, ST=zj, L=hz, O=zfsoft, OU=zf, CN=jlx.zju.edu.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a9:dd:bf:32:0a:59:49:00:a1:97:6d:f6:79:75:
                    b5:1c:14:26:be:72:d7:54:dd:05:cc:95:f5:cb:55:
                    b7:4b:a6:ba:96:f9:2b:b7:31:8c:2c:e4:1a:48:6d:
                    62:74:16:46:90:a5:1f:d0:d3:38:4c:4b:12:86:b4:
                    36:d0:5c:7a:9e:45:07:29:bc:9e:28:32:f6:16:b5:
                    61:03:27:03:5f:d9:13:b1:4f:21:4e:24:8d:93:92:
                    b2:bc:75:74:08:d2:8e:78:41:81:1a:c1:c3:e5:17:
                    df:ce:da:a6:ba:32:ec:33:77:7e:6b:86:c9:d3:63:
                    34:ca:0d:2b:25:6f:37:c5:75
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        8b:13:94:fa:09:7f:4a:51:1b:10:be:28:c7:45:f4:f5:ed:5f:
        98:2e:71:02:37:85:48:1b:f6:83:6b:94:9f:bc:8b:cb:91:39:
        df:f4:e8:b0:8a:b1:c6:f6:dd:45:47:15:c4:7c:ec:a5:0a:89:
        35:0f:b5:17:80:2c:57:80:83:28:7b:25:19:26:dc:b7:af:3f:
        70:72:41:14:e5:60:b5:9f:a9:e0:ab:c6:2a:5c:fe:8c:10:b0:
        a1:03:c1:6d:ef:67:5e:41:68:53:b8:40:5a:f0:17:44:bd:67:
        54:07:58:aa:34:d8:08:74:ae:1e:86:d8:9b:e8:86:02:fc:1f:
        d9:03:39:57:e4:78:38:28:ed:90:2e:2c:35:64:24:0d:43:a2:
        08:ff:92:33:7c:92:b7:93:00:e3:7d:b9:1d:8f:f5:7b:95:fe:
        a3:03:34:28:89:e2:a9:60:e4:72:7a:03:f1:b0:8a:8a:cb:70:
        db:e1:0e:dd:d4:9d:6d:50:3c:fb:0f:68:86:c2:dc:18:74:d1:
        7b:ed:c4:ac:04:d7:17:0e:0d:7b:6f:f1:62:21:56:d8:5b:a7:
        5d:da:69:ec:95:1b:6c:3a:ba:45:50:a2:ca:9f:ce:f7:f7:ff:
        fb:ef:a2:5b:fa:3f:de:4a:25:bc:bb:53:a2:99:ea:ff:b3:d6:
        a6:2f:d9:0b
}

十二、将s1as.crt文件中的如下内容拷贝到新文件s1as.jsk中
{
-----BEGIN CERTIFICATE-----
MIICrzCCAZcCAQEwDQYJKoZIhvcNAQEEBQAwYTEQMA4GA1UEChMHVGVzdE9yZzEX
MBUGA1UECxMOVGVzdERlcGFydG1lbnQxDzANBgNVBAMTBlRlc3RDQTEjMCEGCSqG
SIb3DQEJARYUY2FfYWRtaW5AdGVzdG9yZy5jb20wHhcNMTEwMjE1MDI1MTM2WhcN
MTIwMjE1MDI1MTM2WjBeMQswCQYDVQQGEwJjbjELMAkGA1UECBMCemoxCzAJBgNV
BAcTAmh6MQ8wDQYDVQQKEwZ6ZnNvZnQxCzAJBgNVBAsTAnpmMRcwFQYDVQQDEw5q
bHguemp1LmVkdS5jbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqd2/MgpZ
SQChl232eXW1HBQmvnLXVN0FzJX1y1W3S6a6lvkrtzGMLOQaSG1idBZGkKUf0NM4
TEsShrQ20Fx6nkUHKbyeKDL2FrVhAycDX9kTsU8hTiSNk5KyvHV0CNKOeEGBGsHD
5RffztqmujLsM3d+a4bJ02M0yg0rJW83xXUCAwEAATANBgkqhkiG9w0BAQQFAAOC
AQEAixOU+gl/SlEbEL4ox0X09e1fmC5xAjeFSBv2g2uUn7yLy5E53/TosIqxxvbd
RUcVxHzspQqJNQ+1F4AsV4CDKHslGSbct68/cHJBFOVgtZ+p4KvGKlz+jBCwoQPB
be9nXkFoU7hAWvAXRL1nVAdYqjTYCHSuHobYm+iGAvwf2QM5V+R4OCjtkC4sNWQk
DUOiCP+SM3ySt5MA4325HY/1e5X+owM0KIniqWDkcnoD8bCKistw2+EO3dSdbVA8
+w9ohsLcGHTRe+3ErATXFw4Ne2/xYiFW2FunXdpp7JUbbDq6RVCiyp/O9/f/+++i
W/o/3kolvLtTopnq/7PWpi/ZCw==
-----END CERTIFICATE-----
}

十三、导入证书到glassfish
keytool -import -file E:\glassfish\domains\domain1\config\cazs\s1as.jsk -alias slas -keystore E:\glassfish\domains\domain1\config\keystore.jks -storepass 66666666

十四、查看glassfish中的证书
keytool -list -rfc -keystore E:\glassfish\domains\domain1\config\keystore.jks -storepass 66666666