openssl与java混合证书生成

最近项目上有关于同时生产openssl和keystore证书的需求。于是简单的了解了一下。以下是生成证书步骤:

  1. 生成ca证书认证中心的公钥证书和私钥
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    [root@localcert]# opensslreq-newkeyrsa:2048-x509-keyoutca.key-outca.crt
    Generatinga2048bitRSAprivatekey
    ....................................................+++
    ........................+++
    writingnewprivatekeyto'ca.key'
    EnterPEMpassphrase:输入CA密码
    Verifying-EnterPEMpassphrase:再次输入CA密码
    -----
    Youareabouttobeaskedtoenterinformationthatwillbeincorporated
    intoyourcertificaterequest.
    WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.
    Therearequiteafewfieldsbutyoucanleavesomeblank
    Forsomefieldstherewillbeadefaultvalue,
    Ifyouenter'.',thefieldwillbeleftblank.
    -----
    CountryName(2lettercode)[XX]:CN
    StateorProvinceName(fullname)[]:BeiJing
    LocalityName(eg,city)[DefaultCity]:BeiJing
    OrganizationName(eg,company)[DefaultCompanyLtd]:BankOfMobile
    OrganizationalUnitName(eg,section)[]:Inc
    CommonName(eg,yournameoryourserver\'shostname)[]:BankOfCA
    EmailAddress[]:394806487@qq.com
  1. 生成keystore文件

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    [root@localcert]# keytool-genkey-aliasbank_server-validity3650-keyalgRSA
    -keysize2048-keypass123456-storepass123456-keystoreserver_keystore
    您的名字与姓氏是什么?
    [Unknown]:liu.weihua
    您的组织单位名称是什么?
    [Unknown]:BankOfMobile
    您的组织名称是什么?
    [Unknown]:Inc
    您所在的城市或区域名称是什么?
    [Unknown]:BeiJing
    您所在的省/市/自治区名称是什么?
    [Unknown]:BeiJing
    该单位的双字母国家/地区代码是什么?
    [Unknown]:CN
    CN=liu.weihua,OU=BankOfMobile,O=Inc,L=BeiJing,ST=BeiJing,C=CN是否正确?
    [否]:是
  2. 生成用户证书请求文件,并写入keystore

    1
    [root@localcert]# keytool-certreq-aliasbank_server-sigalgMD5withRSA -filebank_server.csr-keypass123456-storepass123456 -keystoreserver_keystore
  3. 根据用户请求文件、ca证书和ca私钥生成用户证书

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    [root@localcert]# Usingconfigurationfrom/etc/pki/tls/openssl.cnf
    Enterpassphraseforca.key:
    Checkthattherequestmatchesthesignature
    Signatureok
    CertificateDetails:
    SerialNumber:1099511627780(0x10000000004)
    Validity
    NotBefore:Jun1802:20:182015GMT
    NotAfter:Jun1702:20:182016GMT
    Subject:
    countryName=CN
    stateOrProvinceName=BeiJing
    organizationName=Inc
    organizationalUnitName=BankOfMobile
    commonName=liu.weihua
    X509v3extensions:
    X509v3BasicConstraints:
    CA:FALSE
    NetscapeComment:
    OpenSSLGeneratedCertificate
    X509v3SubjectKeyIdentifier:
    63:16:6B:28:FA:A8:88:40:86:CF:7C:4D:CD:4C:AB:09:55:19:49:B4
    X509v3AuthorityKeyIdentifier:
    keyid:4A:7F:36:58:9C:37:C0:0B:65:81:FE:F5:78:F9:A3:CE:9A:99:AD:12
    CertificateistobecertifieduntilJun1702:20:182016GMT(365days)
    Signthecertificate?[y/n]:y
    1outof1certificaterequestscertified,commit?[y/n]y
    Writeoutdatabasewith1newentries
    DataBaseUpdated
  4. 把ca证书写入keystore文件,别名设置为my_ca_root

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    [root@localcert]# keytool-import-v-trustcacerts-aliasmy_ca_root-fileca.crt
    -storepass123456-keystoreserver_keystore
    所有者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
    发布者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
    序列号:b06c467d0d1ff815
    有效期开始日期:ThuJun1810:17:01CST2015,截止日期:SatJul1810:17
    :01CST2015
    证书指纹:
    MD5:B8:ED:67:09:68:2A:7C:E0:FF:57:18:C9:2B:6D:C7:2A
    SHA1:18:64:40:BA:88:92:FC:8D:4D:19:17:87:19:A2:4B:E0:D3:CA:FD:46
    SHA256:AF:A6:FA:80:15:FD:BC:8F:6C:44:F6:C1:06:41:46:57:32:F1:36:77:72:13:E1
    :37:1B:B3:D4:8B:AD:3F:2D:7E
    签名算法名称:SHA1withRSA
    版本:3
    扩展:
    #1:ObjectId:2.5.29.35Criticality=false
    AuthorityKeyIdentifier[
    KeyIdentifier[
    0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
    0010:9A99AD12....
    ]
    ]
    #2:ObjectId:2.5.29.19Criticality=false
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]
    #3:ObjectId:2.5.29.14Criticality=false
    SubjectKeyIdentifier[
    KeyIdentifier[
    0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
    0010:9A99AD12....
    ]
    ]
    是否信任此证书?[否]:是
    证书已添加到密钥库中
    [正在存储server_keystore]
  5. 把用户证书写入keystore,别名设置为bank_server

    1
    2
    3
    4
    [root@localcert]#keytool-import-v-aliasbank_server-filebank_server.crt
    -storepass123456-keystoreserver_keystore
    证书回复已安装在密钥库中
    [正在存储server_keystore]
  6. 查看所有存储在keystore上的证书

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    121
    122
    [root@localcert]#keytool-list-v-keystoreserver_keystore
    输入密钥库口令:
    密钥库类型:JKS
    密钥库提供方:SUN
    您的密钥库包含2个条目
    别名:my_ca_root
    创建日期:2015-6-18
    条目类型:trustedCertEntry
    所有者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
    发布者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
    序列号:b06c467d0d1ff815
    有效期开始日期:ThuJun1810:17:01CST2015,截止日期:SatJul1810:17
    :01CST2015
    证书指纹:
    MD5:B8:ED:67:09:68:2A:7C:E0:FF:57:18:C9:2B:6D:C7:2A
    SHA1:18:64:40:BA:88:92:FC:8D:4D:19:17:87:19:A2:4B:E0:D3:CA:FD:46
    SHA256:AF:A6:FA:80:15:FD:BC:8F:6C:44:F6:C1:06:41:46:57:32:F1:36:77:72:13:E1
    :37:1B:B3:D4:8B:AD:3F:2D:7E
    签名算法名称:SHA1withRSA
    版本:3
    扩展:
    #1:ObjectId:2.5.29.35Criticality=false
    AuthorityKeyIdentifier[
    KeyIdentifier[
    0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
    0010:9A99AD12....
    ]
    ]
    #2:ObjectId:2.5.29.19Criticality=false
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]
    #3:ObjectId:2.5.29.14Criticality=false
    SubjectKeyIdentifier[
    KeyIdentifier[
    0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
    0010:9A99AD12....
    ]
    ]
    *******************************************
    *******************************************
    别名:bank_server
    创建日期:2015-6-18
    条目类型:PrivateKeyEntry
    证书链长度:2
    证书[1]:
    所有者:CN=liu.weihua,OU=BankOfMobile,O=Inc,ST=BeiJing,C=CN
    发布者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
    序列号:10000000004
    有效期开始日期:ThuJun1810:20:18CST2015,截止日期:FriJun1710:20
    :18CST2016
    证书指纹:
    MD5:A9:D9:89:03:35:DC:B7:D6:8D:16:2F:2E:0D:B2:2C:34
    SHA1:F2:40:B5:5F:3D:22:2F:3C:75:89:E7:62:97:A8:03:94:78:DF:47:DD
    SHA256:BD:AD:DE:D6:EA:2C:6E:49:82:AC:71:9F:59:D6:07:D0:A9:A9:3D:B4:CB:00:34
    :AA:03:7C:1A:7F:80:8B:F1:F6
    签名算法名称:SHA1withRSA
    版本:3
    扩展:
    #1:ObjectId:2.16.840.1.113730.1.13Criticality=false
    0000:161D4F70656E53534C2047656E657261..OpenSSLGenera
    0010:746564204365727469666963617465tedCertificate
    #2:ObjectId:2.5.29.35Criticality=false
    AuthorityKeyIdentifier[
    KeyIdentifier[
    0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
    0010:9A99AD12....
    ]
    ]
    #3:ObjectId:2.5.29.19Criticality=false
    BasicConstraints:[
    CA:false
    PathLen:undefined
    ]
    #4:ObjectId:2.5.29.14Criticality=false
    SubjectKeyIdentifier[
    KeyIdentifier[
    0000:63166B28FAA8884086CF7C4DCD4CAB09c.k(...@...M.L..
    0010:551949B4U.I.
    ]
    ]
    证书[2]:
    所有者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
    发布者:EMAILADDRESS=liu.weihua@rytong.com,CN=BankOfCA,OU=Inc,O=BankOfMobile,L
    =BeiJing,ST=BeiJing,C=CN
    序列号:b06c467d0d1ff815
    有效期开始日期:ThuJun1810:17:01CST2015,截止日期:SatJul1810:17
    :01CST2015
    证书指纹:
    MD5:B8:ED:67:09:68:2A:7C:E0:FF:57:18:C9:2B:6D:C7:2A
    SHA1:18:64:40:BA:88:92:FC:8D:4D:19:17:87:19:A2:4B:E0:D3:CA:FD:46
    SHA256:AF:A6:FA:80:15:FD:BC:8F:6C:44:F6:C1:06:41:46:57:32:F1:36:77:72:13:E1
    :37:1B:B3:D4:8B:AD:3F:2D:7E
    签名算法名称:SHA1withRSA
    版本:3
    扩展:
    #1:ObjectId:2.5.29.35Criticality=false
    AuthorityKeyIdentifier[
    KeyIdentifier[
    0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
    0010:9A99AD12....
    ]
    ]
    #2:ObjectId:2.5.29.19Criticality=false
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]
    #3:ObjectId:2.5.29.14Criticality=false
    SubjectKeyIdentifier[
    KeyIdentifier[
    0000:4A7F36589C37C00B6581FEF578F9A3CEJ.6X.7..e...x...
    0010:9A99AD12....
    ]
    ]
    *******************************************
    *******************************************
  7. 生成安卓和IOS客户端所需的CA证书的二进制格式文件

坚持原创技术分享,如果觉得文章对你有帮助,给点鼓励更好!