[cryptogram]: Generating Certificates with KeyTool and OpenSSL

wangxm · 4 months ago · 140 reads

KeyTool

public class _01_Keytool {
    /**
     * passwd:123456
     *
        1. Build a self-signed certificate
            # Before building the certificate, generate a key pair, i.e. the public/private key pair of an asymmetric algorithm
             C:\Users\wangxueming>keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -validity 36000 -alias www.eussi.top -keystore eussi.keystore -storepass 123456 -dname "CN=www.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN"
             输入 <www.eussi.top> 的密钥口令
             (如果和密钥库口令相同, 按回车):

            # The command above created a digital certificate. It has not been certified by a CA yet, but that does not prevent its use: we can still export it and send it to partners for encrypted communication
             C:\Users\wangxueming>keytool -exportcert -alias www.eussi.top -keystore eussi.keystore -file eussi.cer -rfc -storepass 123456
             存储在文件 <eussi.cer> 中的证书

            # View the certificate contents
             C:\Users\wangxueming>keytool -printcert -file eussi.cer
             所有者: CN=www.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
             发布者: CN=www.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
             序列号: 16126345
             有效期开始日期: Sun Jun 23 11:30:40 CST 2019, 截止日期: Sat Jan 15 11:30:40 CST 2118
             证书指纹:
             MD5: 86:B7:1B:72:8F:1F:14:34:70:AD:B7:AE:4F:93:A0:F2
             SHA1: C2:17:F8:02:73:95:CE:87:5F:B8:0B:15:22:FE:83:DB:62:5E:79:10
             SHA256: F6:D7:DD:A9:83:2B:8C:E6:AE:F2:43:5B:93:67:6F:28:94:2F:28:75:B1:DE:FF:35:C5:44:C3:33:34:6A:06:D8
             签名算法名称: SHA1withRSA
             版本: 3

             扩展:

             #1: ObjectId: 2.5.29.14 Criticality=false
             SubjectKeyIdentifier [
             KeyIdentifier [
             0000: 1F EB 76 14 B1 1B 95 AD   94 C7 80 45 15 7F BF 91  ..v........E....
             0010: 7A 16 02 7E                                        z...
             ]
             ]
        2. Build a CA-issued certificate
            # To obtain a certificate certified by a CA, generate a certificate signing request (CSR), have the CA certify and issue it, then import the certified certificate into the local keystore and truststore
             C:\Users\wangxueming>keytool -certreq -alias www.eussi.top -keystore eussi.keystore -file eussi.csr -V -storepass 123456
             存储在文件 <eussi.csr> 中的认证请求
             将此提交给您的 CA

            # Here I did not submit the request to a CA; I simply re-imported the certificate I generated myself, which produces an error. Normally the certificate issued by the CA is imported at this point
             C:\Users\wangxueming>keytool -importcert -trustcacerts -alias www.eussi.top -file eussi.cer -keystore eussi.keystore -storepass 123456
             keytool 错误: java.lang.Exception: 证书回复与密钥库中的证书是相同的

            # After the import, the certificate can be listed
             C:\Users\wangxueming>keytool -list -alias www.eussi.top -keystore eussi.keystore
             输入密钥库口令:
             www.eussi.top, 2019-6-23, PrivateKeyEntry,
             证书指纹 (SHA1): C2:17:F8:02:73:95:CE:87:5F:B8:0B:15:22:FE:83:DB:62:5E:79:10

            # Add -V or -rfc to show more detail
             C:\Users\wangxueming>keytool -list -alias www.eussi.top -keystore eussi.keystore -V  -storepass 123456
             别名: www.eussi.top
             创建日期: 2019-6-23
             条目类型: PrivateKeyEntry
             证书链长度: 1
             证书[1]:
             所有者: CN=www.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
             发布者: CN=www.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
             序列号: 16126345
             有效期开始日期: Sun Jun 23 11:30:40 CST 2019, 截止日期: Sat Jan 15 11:30:40 CST 2118
             证书指纹:
             MD5: 86:B7:1B:72:8F:1F:14:34:70:AD:B7:AE:4F:93:A0:F2
             SHA1: C2:17:F8:02:73:95:CE:87:5F:B8:0B:15:22:FE:83:DB:62:5E:79:10
             SHA256: F6:D7:DD:A9:83:2B:8C:E6:AE:F2:43:5B:93:67:6F:28:94:2F:28:75:B1:DE:FF:35:C5:44:C3:33:34:6A:06:D8
             签名算法名称: SHA1withRSA
             版本: 3

             扩展:

             #1: ObjectId: 2.5.29.14 Criticality=false
             SubjectKeyIdentifier [
             KeyIdentifier [
             0000: 1F EB 76 14 B1 1B 95 AD   94 C7 80 45 15 7F BF 91  ..v........E....
             0010: 7A 16 02 7E                                        z...
             ]
             ]


             C:\Users\wangxueming>keytool -list -alias www.eussi.top -keystore eussi.keystore -rfc  -storepass 123456
             别名: www.eussi.top
             创建日期: 2019-6-23
             条目类型: PrivateKeyEntry
             证书链长度: 1
             证书[1]:
             -----BEGIN CERTIFICATE-----
             MIIDXzCCAkegAwIBAgIEFhJjRTANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJDTjELMAkGA1UE
             CBMCU0gxCzAJBgNVBAcTAlNIMQ4wDAYDVQQKEwVldXNzaTEOMAwGA1UECxMFZXVzc2kxFjAUBgNV
             BAMTDXd3dy5ldXNzaS50b3AwIBcNMTkwNjIzMDMzMDQwWhgPMjExODAxMTUwMzMwNDBaMF8xCzAJ
             BgNVBAYTAkNOMQswCQYDVQQIEwJTSDELMAkGA1UEBxMCU0gxDjAMBgNVBAoTBWV1c3NpMQ4wDAYD
             VQQLEwVldXNzaTEWMBQGA1UEAxMNd3d3LmV1c3NpLnRvcDCCASIwDQYJKoZIhvcNAQEBBQADggEP
             ADCCAQoCggEBAOTK7kQEXiKFUaLeX6b7e3Brk1oOOb4TCH8q/MYbsnO3Bqo4/lbVTok1drHk4OUJ
             kg/+IzkZNptNFCM5prk/PBVyqGnq4JHgoRr8vTLendGxP+198RdudJf7rZfSQM2IrV1ZEbBqD6Kd
             3oiQJQYRCgX9KZmc/zqFLv7ZzoHA7hd0+itlAjby3a+Tl9GPOQz1AA2O/0J8G7KqqJNscCyoEsxL
             oIlKeYFOr89e7qDElzaVnmaC62i9ZsOTr/sCXz+AZvb6sWjJiRx4T+iYAa+AM824ojdvVr2ka04M
             HH0S1RiaMz8/25cJNBwyCusWaOEmu55Kd66GfhcAr1WKzJaVg78CAwEAAaMhMB8wHQYDVR0OBBYE
             FB/rdhSxG5WtlMeARRV/v5F6FgJ+MA0GCSqGSIb3DQEBBQUAA4IBAQAt0+iPcNzs25UWC67kqwGD
             nMdRDGfoJqpzVoaFRe7xsWlZ/2RZ9FCMTXAFPEvChY1cPrOUzpqQ6ZoAQqvGPL1jhObGsBqjL51o
             1LjSKLAtYHjBMFCldgKSZJLEm8GMqaDFDNlEMaRhQrkrcTXJ22qgv/9SQOObJT0r+Q18H147BsHG
             kQnLlRKwGoW++zIWsLaxbTw0kDvwFS1jr+BghqTNdocf0XDBalDsJJ9WsP5GlcfRKT94FRht4+Sr
             DdJy33OTpIjv+EoCD7qSC2caPBWwsvGhM5SkRETeNq+Pmju2sDzWKVsaYf7bEjtT/KoXjNN5jVMZ
             3jDPs6jx0QGHc6X3
             -----END CERTIFICATE-----


            # After completing the steps above, export the certificate again with the -exportcert command shown earlier; the certificate can then be sent to partners

            # Note: the CA certification step can be skipped; the uncertified certificate exported in step 1 provides the same certificate functionality
     */

}
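The keytool -printcert output above is what a partner sees after receiving the exported eussi.cer. As an added example that is not part of the original post, the following POSIX shell script performs the receiving side's check with OpenSSL instead of keytool: it decodes the certificate printed in the -rfc listing above, reads its serial number, expiry and signature algorithm, detects that it is self-signed (issuer equals subject, so no CA vouches for it), and compares its SHA-256 fingerprint with the value the post's -printcert output shows, which a recipient should obtain from the sender out of band. The helper names and the use of openssl are my choices; the certificate and the expected fingerprint are the ones printed above.

```shell
#!/bin/sh
# Added example (not from the original post): check a certificate received from a
# partner with OpenSSL before trusting it. CERT_PEM is the eussi.cer printed in the
# post's `keytool -list -rfc` output; EXPECTED_SHA256 is the fingerprint its
# `keytool -printcert` output showed, which a recipient must obtain out of band.
set -eu

CERT_PEM='-----BEGIN CERTIFICATE-----
MIIDXzCCAkegAwIBAgIEFhJjRTANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCU0gxCzAJBgNVBAcTAlNIMQ4wDAYDVQQKEwVldXNzaTEOMAwGA1UECxMFZXVzc2kxFjAUBgNV
BAMTDXd3dy5ldXNzaS50b3AwIBcNMTkwNjIzMDMzMDQwWhgPMjExODAxMTUwMzMwNDBaMF8xCzAJ
BgNVBAYTAkNOMQswCQYDVQQIEwJTSDELMAkGA1UEBxMCU0gxDjAMBgNVBAoTBWV1c3NpMQ4wDAYD
VQQLEwVldXNzaTEWMBQGA1UEAxMNd3d3LmV1c3NpLnRvcDCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAOTK7kQEXiKFUaLeX6b7e3Brk1oOOb4TCH8q/MYbsnO3Bqo4/lbVTok1drHk4OUJ
kg/+IzkZNptNFCM5prk/PBVyqGnq4JHgoRr8vTLendGxP+198RdudJf7rZfSQM2IrV1ZEbBqD6Kd
3oiQJQYRCgX9KZmc/zqFLv7ZzoHA7hd0+itlAjby3a+Tl9GPOQz1AA2O/0J8G7KqqJNscCyoEsxL
oIlKeYFOr89e7qDElzaVnmaC62i9ZsOTr/sCXz+AZvb6sWjJiRx4T+iYAa+AM824ojdvVr2ka04M
HH0S1RiaMz8/25cJNBwyCusWaOEmu55Kd66GfhcAr1WKzJaVg78CAwEAAaMhMB8wHQYDVR0OBBYE
FB/rdhSxG5WtlMeARRV/v5F6FgJ+MA0GCSqGSIb3DQEBBQUAA4IBAQAt0+iPcNzs25UWC67kqwGD
nMdRDGfoJqpzVoaFRe7xsWlZ/2RZ9FCMTXAFPEvChY1cPrOUzpqQ6ZoAQqvGPL1jhObGsBqjL51o
1LjSKLAtYHjBMFCldgKSZJLEm8GMqaDFDNlEMaRhQrkrcTXJ22qgv/9SQOObJT0r+Q18H147BsHG
kQnLlRKwGoW++zIWsLaxbTw0kDvwFS1jr+BghqTNdocf0XDBalDsJJ9WsP5GlcfRKT94FRht4+Sr
DdJy33OTpIjv+EoCD7qSC2caPBWwsvGhM5SkRETeNq+Pmju2sDzWKVsaYf7bEjtT/KoXjNN5jVMZ
3jDPs6jx0QGHc6X3
-----END CERTIFICATE-----'

EXPECTED_SHA256='F6:D7:DD:A9:83:2B:8C:E6:AE:F2:43:5B:93:67:6F:28:94:2F:28:75:B1:DE:FF:35:C5:44:C3:33:34:6A:06:D8'

# cert_field PEM NAME: one summary field (serial, subject, issuer, enddate, ...)
# as `openssl x509 -noout -NAME` prints it, with the "name=" prefix stripped
cert_field() {
  printf '%s\n' "$1" | openssl x509 -noout "-$2" | sed 's/^[A-Za-z]*= *//'
}

# cert_sha256 PEM: SHA-256 fingerprint of the DER encoding as colon-separated
# hex, the same form keytool -printcert uses
cert_sha256() {
  printf '%s\n' "$1" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# sig_algorithm PEM: the signature algorithm OpenSSL decodes from the certificate
# (the post's certificate uses sha1WithRSAEncryption, which modern clients reject)
sig_algorithm() {
  printf '%s\n' "$1" | openssl x509 -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# is_self_signed PEM: true when issuer equals subject, i.e. only the holder
# vouches for the binding between the name and the public key
is_self_signed() {
  [ "$(cert_field "$1" issuer)" = "$(cert_field "$1" subject)" ]
}

# fingerprint_matches PEM EXPECTED: true only when the received bytes hash to
# the fingerprint communicated out of band (case-insensitive compare)
fingerprint_matches() {
  actual=$(cert_sha256 "$1" | tr 'a-f' 'A-F')
  expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  [ "$actual" = "$expected" ]
}

echo "serial:    $(cert_field "$CERT_PEM" serial)"
echo "subject:   $(cert_field "$CERT_PEM" subject)"
echo "expires:   $(cert_field "$CERT_PEM" enddate)"
echo "signature: $(sig_algorithm "$CERT_PEM")"
if is_self_signed "$CERT_PEM"; then
  echo "self-signed: trust rests entirely on the fingerprint check"
fi
if fingerprint_matches "$CERT_PEM" "$EXPECTED_SHA256"; then
  echo "fingerprint OK: safe to import into the truststore"
else
  echo "fingerprint MISMATCH: do not import" >&2
fi
```

The fingerprint comparison is the step that matters: a self-signed certificate carries no third-party signature, so the only thing that ties the bytes received by e-mail or download to the partner is a hash compared against a value obtained over a separate channel.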


OpenSSL

public class _02_Openssl {
    /**
     * passwd:123456
     *
        OpenSSL is an open-source software package that implements SSL and related cryptographic technology, and it is the most commonly used certificate management tool.
        Its capabilities far exceed those of KeyTool: it can manage root certificates, server certificates and client certificates

        1. Preparation
            # Set up the openssl configuration file
            [root@app2 ~]# pwd
            /root
            [root@app2 ~]# cp /etc/pki/tls/openssl.cnf ./
            [root@app2 ~]# grep dir  openssl.cnf
            dir		= /root/TestCa		# Where everything is kept
            ......
            [root@app2 ~]# export OPENSSL_CONF=/root/openssl.cnf

            # Create the CA working directory and its subdirectories for certificates, keys and so on; the final certificates end up in the certs directory
            [root@app2 ~]# mkdir TestCa
            [root@app2 ~]# cd TestCa/
            [root@app2 TestCa]# mkdir certs      # directory for issued certificates
            [root@app2 TestCa]# mkdir newcerts   # directory for newly issued certificates
            [root@app2 TestCa]# mkdir private    # directory for private keys
            [root@app2 TestCa]# mkdir crl        # directory for certificate revocation lists

            # Create the bookkeeping files openssl ca needs
            [root@app2 TestCa]# > index.txt     # create an empty index (database) file
                                # Note: the original run used `echo 0 > index.txt`, which leaves a line in the index;
                                # openssl ca then fails when signing the client certificate with:
                                # wrong number of fields on line 1 (looking for field 6, got 1, '' left)
            [root@app2 TestCa]# echo 01 > serial   # create the serial-number file

        2. Build the root certificate
            # Create the random-number seed file
            [root@app2 TestCa]# openssl rand -out private/.rand 1000


            # Create the root certificate key
            [root@app2 TestCa]# openssl genrsa -aes256 -out private/ca.key.pem 2048
            Generating RSA private key, 2048 bit long modulus
            ........................................+++
            ....................................+++
            e is 65537 (0x10001)
            Enter pass phrase for private/ca.key.pem:
            Verifying - Enter pass phrase for private/ca.key.pem:

            # Generate the root certificate signing request
            [root@app2 TestCa]# openssl req -new -key private/ca.key.pem -out private/ca.csr -subj "/C=CN/ST=SH/L=SH/O=eussi/OU=eussi/CN=*.eussi.top"
            Enter pass phrase for private/ca.key.pem:

            # The request file can be sent to a CA, or the root certificate can be self-signed, as here
            [root@app2 TestCa]# openssl x509 -req -days 10000 -sha1 -extensions v3_ca -signkey private/ca.key.pem -in private/ca.csr -out certs/ca.cer
            Signature ok
            subject=/C=CN/ST=SH/L=SH/O=eussi/OU=eussi/CN=*.eussi.top
            Getting Private key
            Enter pass phrase for private/ca.key.pem:


            # Certificates produced by OpenSSL cannot be used directly in a Java environment; convert them to PKCS#12 format
            [root@app2 TestCa]# openssl pkcs12 -export -cacerts -inkey private/ca.key.pem -in certs/ca.cer -out certs/ca.p12
            Enter pass phrase for private/ca.key.pem:
            Enter Export Password:
            Verifying - Enter Export Password:

            # View it with keytool
            [root@app2 TestCa]# keytool -list -keystore certs/ca.p12 -storetype pkcs12 -v -storepass 123456
            Keystore type: PKCS12
            Keystore provider: SunJSSE

            Your keystore contains 1 entry

            Alias name: 1
            Creation date: Jun 23, 2019
            Entry type: PrivateKeyEntry
            Certificate chain length: 1
            Certificate[1]:
            Owner: CN=*.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
            Issuer: CN=*.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
            Serial number: 895882440522d5af
            Valid from: Sun Jun 23 13:18:05 CST 2019 until: Thu Nov 08 13:18:05 CST 2046
            Certificate fingerprints:
            MD5:  91:4F:72:33:F2:E0:A8:58:98:E6:C6:1A:D0:1D:93:4B
            SHA1: 54:71:67:D8:2C:35:98:07:C7:90:87:0C:DB:9B:A5:B9:7E:BB:69:E1
            SHA256: 7E:0A:DA:6D:D6:A5:35:03:C9:85:F0:4B:C3:DF:A4:C5:3A:D7:5C:52:D6:0F:AD:1F:64:99:85:18:CF:AB:B3:60
            Signature algorithm name: SHA1withRSA
            Subject Public Key Algorithm: 2048-bit RSA key
            Version: 1

        3. Build the server certificate

            # Create the private key
            [root@app2 TestCa]# openssl genrsa -aes256 -out private/server.key.pem 2048
            Generating RSA private key, 2048 bit long modulus
            ...........................+++
            .......................................................+++
            e is 65537 (0x10001)
            Enter pass phrase for private/server.key.pem:
            Verifying - Enter pass phrase for private/server.key.pem:

            # Generate the server signing request
            [root@app2 TestCa]# openssl req -new -key private/server.key.pem -out private/server.csr -subj "/C=CN/ST=SH/L=SH/O=eussi/OU=eussi/CN=www.eussi.top"
            Enter pass phrase for private/server.key.pem:

            # Sign the server certificate with the root certificate
            [root@app2 TestCa]# openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/ca.key.pem -CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer
            Signature ok
            subject=/C=CN/ST=SH/L=SH/O=eussi/OU=eussi/CN=www.eussi.top
            Getting CA Private Key
            Enter pass phrase for private/ca.key.pem:

            # As before, convert the format and view it
            [root@app2 TestCa]# openssl pkcs12 -export -clcerts -inkey private/server.key.pem -in certs/server.cer -out certs/server.p12
            Enter pass phrase for private/server.key.pem:
            Enter Export Password:
            Verifying - Enter Export Password:

            [root@app2 TestCa]# keytool -list -keystore certs/server.p12 -storetype pkcs12 -v -storepass 123456
            Keystore type: PKCS12
            Keystore provider: SunJSSE

            Your keystore contains 1 entry

            Alias name: 1
            Creation date: Jun 23, 2019
            Entry type: PrivateKeyEntry
            Certificate chain length: 1
            Certificate[1]:
            Owner: CN=www.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
            Issuer: CN=*.eussi.top, OU=eussi, O=eussi, L=SH, ST=SH, C=CN
            Serial number: 8b4ad5defd96b19c
            Valid from: Sun Jun 23 13:32:23 CST 2019 until: Wed Jun 20 13:32:23 CST 2029
            Certificate fingerprints:
            MD5:  A7:8F:7B:3E:89:1F:A0:71:7F:66:96:B8:91:51:B3:37
            SHA1: 04:D1:35:54:27:40:D5:65:66:23:AD:32:18:AF:C3:31:F0:A5:4E:68
            SHA256: 8C:64:14:28:AC:5A:37:3D:E6:1B:4B:E6:37:CF:CB:8A:12:34:41:CA:DB:2F:BD:A2:0E:9B:5E:38:3D:AD:7C:1C
            Signature algorithm name: SHA1withRSA
            Subject Public Key Algorithm: 2048-bit RSA key
            Version: 1


            *******************************************
            *******************************************

        4. Build the client certificate
            # Create the private key
            [root@app2 TestCa]# openssl genrsa -aes256 -out private/client.key.pem 2048
            Generating RSA private key, 2048 bit long modulus
            ......+++
            .................................................................+++
            e is 65537 (0x10001)
            Enter pass phrase for private/client.key.pem:
            Verifying - Enter pass phrase for private/client.key.pem:

            # Generate the client signing request
            [root@app2 TestCa]# openssl req -new -key private/client.key.pem -out private/client.csr -subj "/C=CN/ST=SH/L=SH/O=eussi/OU=eussi/CN=eussi"
            Enter pass phrase for private/client.key.pem:

            # Sign the client certificate with the root certificate
            [root@app2 TestCa]# openssl ca -days 3650 -in private/client.csr -out certs/client.cer -cert certs/ca.cer -keyfile private/ca.key.pem
            Using configuration from /root/openssl.cnf
            Enter pass phrase for private/ca.key.pem:
            Check that the request matches the signature
            Signature ok
            Certificate Details:
            Serial Number: 1 (0x1)
            Validity
            Not Before: Jun 23 05:46:39 2019 GMT
            Not After : Jun 20 05:46:39 2029 GMT
            Subject:
            countryName               = CN
            stateOrProvinceName       = SH
            organizationName          = eussi
            organizationalUnitName    = eussi
            commonName                = eussi
            X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            E2:DA:CC:8C:DA:08:15:11:BB:96:48:7F:5D:90:E5:30:D2:F4:C1:E6
            X509v3 Authority Key Identifier:
            DirName:/C=CN/ST=SH/L=SH/O=eussi/OU=eussi/CN=*.eussi.top
            serial:89:58:82:44:05:22:D5:AF

            Certificate is to be certified until Jun 20 05:46:39 2029 GMT (3650 days)
            Sign the certificate? [y/n]:y


            1 out of 1 certificate requests certified, commit? [y/n]y
            Write out database with 1 new entries
            Data Base Updated


            # As before, convert the format and view it
            [root@app2 TestCa]# openssl pkcs12 -export -inkey private/client.key.pem -in certs/client.cer -out certs/client.p12
            Enter pass phrase for private/client.key.pem:
            Enter Export Password:
            Verifying - Enter Export Password:


     */
}
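The server certificate above was signed with `-extensions v3_req` but without `-extfile`, so OpenSSL applied no extensions and keytool reports `Version: 1`: the certificate has no subjectAltName, no basicConstraints and no key usage. As an added example that is not part of the original post, the following POSIX shell script automates the OpenSSL part of the procedure (steps 1 to 3) with an explicit extension profile, SHA-256 signatures instead of SHA-1, a subjectAltName for the host, a PKCS#12 bundle that includes the CA chain, and an `openssl verify` check at the end. The directory layout, the section names v3_ca and v3_server, the use of www.eussi.top from the post, and the export password `changeit` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): a self-contained CA plus server
# certificate workflow with OpenSSL. Paths, section names and the password
# "changeit" are assumptions; the host name www.eussi.top is taken from the post.
set -eu

# build_pki DIR DOMAIN: creates a root CA, signs a v3 server certificate for
# DOMAIN with SAN/EKU extensions, exports PKCS#12 and verifies the chain.
build_pki() {
  dir=$1; domain=$2
  mkdir -p "$dir/certs" "$dir/private"
  chmod 700 "$dir/private"

  # Extension profiles. Without an explicit file and section OpenSSL silently
  # issues a v1 certificate, which is what happened in the post.
  cat > "$dir/ext.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:$domain
EOF

  # Root CA key and self-signed CA certificate (SHA-256, not SHA-1 as in the post)
  openssl genrsa -out "$dir/private/ca.key.pem" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 \
    -key "$dir/private/ca.key.pem" \
    -subj "/C=CN/O=eussi/CN=eussi Test Root CA" \
    -config "$dir/ext.cnf" -extensions v3_ca \
    -out "$dir/certs/ca.cer"

  # Server key and CSR, then sign with the CA applying the v3_server profile
  openssl genrsa -out "$dir/private/server.key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/private/server.key.pem" \
    -subj "/C=CN/O=eussi/CN=$domain" -config "$dir/ext.cnf" \
    -out "$dir/private/server.csr"
  openssl x509 -req -sha256 -days 825 \
    -in "$dir/private/server.csr" \
    -CA "$dir/certs/ca.cer" -CAkey "$dir/private/ca.key.pem" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions v3_server \
    -out "$dir/certs/server.cer" 2>/dev/null

  # Bundle key, leaf and CA certificate as PKCS#12 for keytool -storetype pkcs12
  openssl pkcs12 -export -in "$dir/certs/server.cer" \
    -inkey "$dir/private/server.key.pem" -certfile "$dir/certs/ca.cer" \
    -passout pass:changeit -out "$dir/certs/server.p12"

  # Chain verification, as a TLS client would do it
  openssl verify -CAfile "$dir/certs/ca.cer" "$dir/certs/server.cer" >/dev/null
}

# cert_version CERT: prints the X.509 version number (1 or 3)
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# has_extension CERT PATTERN: true if the decoded certificate text contains PATTERN
has_extension() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# p12_cert_count P12 PASSWORD: number of certificates inside the PKCS#12 bundle
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

WORK=$(mktemp -d)
build_pki "$WORK" www.eussi.top
echo "CA and server certificate written under $WORK"
openssl x509 -in "$WORK/certs/server.cer" -noout -subject -issuer
```

The resulting server.p12 can be listed with `keytool -list -keystore server.p12 -storetype pkcs12 -v` exactly as in step 2 of the post; the difference is that the entry now shows version 3, a subjectAltName, and a chain length of 2. Java 8's keytool may not read PKCS#12 files produced by OpenSSL 3.x with its default AES/PBKDF2 settings, in which case the `-legacy` export option of OpenSSL 3.x produces the older encoding.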

Reference: 《JAVA加密与解密的艺术》 (The Art of Java Encryption and Decryption)

