openssl制作证书全过程
生活随笔
收集整理的這篇文章主要介紹了
openssl制作证书全过程
小編覺得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.
轉(zhuǎn)自:http://blog.csdn.net/aking21alinjuju/article/details/7654097
一:生成CA證書?
目前不使用第三方權(quán)威機(jī)構(gòu)的CA來認(rèn)證,自己充當(dāng)CA的角色。 ?
先決條件:從openssl官網(wǎng)下載www.openssl.org ? ? ? ? ? ? ? ?安裝openssl[windows和linux安裝不同]
開始生成證書和密鑰
如果沒有配置環(huán)境變量,則需要進(jìn)入openssl的bin目錄下執(zhí)行命令,如:C:/OpenSSL/bin
若只配置了環(huán)境變量,則在任意位置都可以執(zhí)行
在執(zhí)行命令前,新建兩個(gè)目錄ca和server
1. ? ? ? 創(chuàng)建私鑰 :?
C:/OpenSSL/bin>openssl genrsa -out ca/ca-key.pem 1024 ?
2.創(chuàng)建證書請求 :?
C:/OpenSSL/bin>openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem ?
-----?
Country Name (2 letter code) [AU]:cn?
State or Province Name (full name) [Some-State]:zhejiang?
Locality Name (eg, city) []:hangzhou?
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision?
Organizational Unit Name (eg, section) []:test?
Common Name (eg, YOUR name) []:root?
Email Address []:sky?
3.自簽署證書 :?
C:/OpenSSL/bin>openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650 ?
4.將證書導(dǎo)出成瀏覽器支持的.p12格式 : (不需要可以省略)
C:/OpenSSL/bin>openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12 ?
密碼:changeit ? ? ??
二.生成server證書。 ?
1.創(chuàng)建私鑰 :?
C:/OpenSSL/bin>openssl genrsa -out server/server-key.pem 1024 ?
2.創(chuàng)建證書請求 :?
C:/OpenSSL/bin>openssl req -new -out server/server-req.csr -key server/server-key.pem ?
-----?
Country Name (2 letter code) [AU]:cn?
State or Province Name (full name) [Some-State]:zhejiang?
Locality Name (eg, city) []:hangzhou?
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision?
Organizational Unit Name (eg, section) []:test?
Common Name (eg, YOUR name) []:192.168.1.246 ? 注釋:一定要寫服務(wù)器所在的ip地址?
Email Address []:sky?
3.自簽署證書 :?
C:/OpenSSL/bin>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650 ?
4.將證書導(dǎo)出成瀏覽器支持的.p12格式 :?
C:/OpenSSL/bin>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12 ?
密碼:changeit?
三.生成client證書。 ?
1.創(chuàng)建私鑰 :?
C:/OpenSSL/bin>openssl genrsa -out client/client-key.pem 1024 ?
2.創(chuàng)建證書請求 :?
C:/OpenSSL/bin>openssl req -new -out client/client-req.csr -key client/client-key.pem?
-----?
Country Name (2 letter code) [AU]:cn?
State or Province Name (full name) [Some-State]:zhejiang?
Locality Name (eg, city) []:hangzhou?
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision?
Organizational Unit Name (eg, section) []:test?
Common Name (eg, YOUR name) []:sky?
Email Address []:sky ? ? ?注釋:就是登入中心的用戶(本來用戶名應(yīng)該是Common Name,但是中山公安的不知道為什么使用的Email Address,其他版本沒有測試)?
??
Please enter the following 'extra' attributes?
to be sent with your certificate request?
A challenge password []:123456?
An optional company name []:tsing ?
3.自簽署證書 :?
C:/OpenSSL/bin>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650 ?
4.將證書導(dǎo)出成瀏覽器支持的.p12格式 :?
C:/OpenSSL/bin>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12 ?
密碼:changeit?
四.根據(jù)ca證書生成jks文件 ?
??
C:/Java/jdk1.5.0_09/bin > keytool -keystore C:/openssl/bin/jks/truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file C:/openssl/bin/ca/ca-cert.pem ?
五.配置tomcat ssl?
修改conf/server.xml。tomcat6中多了SSLEnabled="true"屬性。keystorefile, truststorefile設(shè)置為你正確的相關(guān)路徑 ?
xml 代碼?
?tomcat 5.5的配置:?
<Connector port="8443" maxHttpHeaderSize="8192"?
? ? ? ? ? ? ?maxThreads="150" minSpareThreads="25" maxSpareThreads="75"?
? ? ? ? ? ? ?enableLookups="false" disableUploadTimeout="true"?
? ? ? ? ? ? ?acceptCount="100" scheme="https" secure="true"?
? ? ? ? ? ? ?clientAuth="true" sslProtocol="TLS" ?
? ? ? ? ? ? ?keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12" ?
? ? ? ? ? ? ?truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS" /> ??
tomcat6.0的配置:?
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"?
? ? ? ? ? ? ? ?maxThreads="150" scheme="https" secure="true"?
? ? ? ? ? ? ? ?clientAuth="true" sslProtocol="TLS"?
? ? ? ? ? ? ? ?keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12" ?
? ? ? ? ? ? ? ?truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>?
六.導(dǎo)入證書?
將ca.p12,client.p12分別導(dǎo)入到IE中去(打開IE->;Internet選項(xiàng)->內(nèi)容->證書)。 ?
ca.p12導(dǎo)入至受信任的根證書頒發(fā)機(jī)構(gòu),client.p12導(dǎo)入至個(gè)人?
??
七.驗(yàn)證ssl配置是否正確訪問你的應(yīng)用http://ip:8443/,如果配置正確的話會(huì)出現(xiàn)請求你數(shù)字證書的對話框。
一:生成CA證書?
目前不使用第三方權(quán)威機(jī)構(gòu)的CA來認(rèn)證,自己充當(dāng)CA的角色。 ?
先決條件:從openssl官網(wǎng)下載www.openssl.org ? ? ? ? ? ? ? ?安裝openssl[windows和linux安裝不同]
開始生成證書和密鑰
如果沒有配置環(huán)境變量,則需要進(jìn)入openssl的bin目錄下執(zhí)行命令,如:C:/OpenSSL/bin
若只配置了環(huán)境變量,則在任意位置都可以執(zhí)行
在執(zhí)行命令前,新建兩個(gè)目錄ca和server
1. ? ? ? 創(chuàng)建私鑰 :?
C:/OpenSSL/bin>openssl genrsa -out ca/ca-key.pem 1024 ?
2.創(chuàng)建證書請求 :?
C:/OpenSSL/bin>openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem ?
-----?
Country Name (2 letter code) [AU]:cn?
State or Province Name (full name) [Some-State]:zhejiang?
Locality Name (eg, city) []:hangzhou?
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision?
Organizational Unit Name (eg, section) []:test?
Common Name (eg, YOUR name) []:root?
Email Address []:sky?
3.自簽署證書 :?
C:/OpenSSL/bin>openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650 ?
4.將證書導(dǎo)出成瀏覽器支持的.p12格式 : (不需要可以省略)
C:/OpenSSL/bin>openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12 ?
密碼:changeit ? ? ??
二.生成server證書。 ?
1.創(chuàng)建私鑰 :?
C:/OpenSSL/bin>openssl genrsa -out server/server-key.pem 1024 ?
2.創(chuàng)建證書請求 :?
C:/OpenSSL/bin>openssl req -new -out server/server-req.csr -key server/server-key.pem ?
-----?
Country Name (2 letter code) [AU]:cn?
State or Province Name (full name) [Some-State]:zhejiang?
Locality Name (eg, city) []:hangzhou?
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision?
Organizational Unit Name (eg, section) []:test?
Common Name (eg, YOUR name) []:192.168.1.246 ? 注釋:一定要寫服務(wù)器所在的ip地址?
Email Address []:sky?
3.自簽署證書 :?
C:/OpenSSL/bin>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650 ?
4.將證書導(dǎo)出成瀏覽器支持的.p12格式 :?
C:/OpenSSL/bin>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12 ?
密碼:changeit?
三.生成client證書。 ?
1.創(chuàng)建私鑰 :?
C:/OpenSSL/bin>openssl genrsa -out client/client-key.pem 1024 ?
2.創(chuàng)建證書請求 :?
C:/OpenSSL/bin>openssl req -new -out client/client-req.csr -key client/client-key.pem?
-----?
Country Name (2 letter code) [AU]:cn?
State or Province Name (full name) [Some-State]:zhejiang?
Locality Name (eg, city) []:hangzhou?
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision?
Organizational Unit Name (eg, section) []:test?
Common Name (eg, YOUR name) []:sky?
Email Address []:sky ? ? ?注釋:就是登入中心的用戶(本來用戶名應(yīng)該是Common Name,但是中山公安的不知道為什么使用的Email Address,其他版本沒有測試)?
??
Please enter the following 'extra' attributes?
to be sent with your certificate request?
A challenge password []:123456?
An optional company name []:tsing ?
3.自簽署證書 :?
C:/OpenSSL/bin>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650 ?
4.將證書導(dǎo)出成瀏覽器支持的.p12格式 :?
C:/OpenSSL/bin>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12 ?
密碼:changeit?
四.根據(jù)ca證書生成jks文件 ?
??
C:/Java/jdk1.5.0_09/bin > keytool -keystore C:/openssl/bin/jks/truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file C:/openssl/bin/ca/ca-cert.pem ?
五.配置tomcat ssl?
修改conf/server.xml。tomcat6中多了SSLEnabled="true"屬性。keystorefile, truststorefile設(shè)置為你正確的相關(guān)路徑 ?
xml 代碼?
?tomcat 5.5的配置:?
<Connector port="8443" maxHttpHeaderSize="8192"?
? ? ? ? ? ? ?maxThreads="150" minSpareThreads="25" maxSpareThreads="75"?
? ? ? ? ? ? ?enableLookups="false" disableUploadTimeout="true"?
? ? ? ? ? ? ?acceptCount="100" scheme="https" secure="true"?
? ? ? ? ? ? ?clientAuth="true" sslProtocol="TLS" ?
? ? ? ? ? ? ?keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12" ?
? ? ? ? ? ? ?truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS" /> ??
tomcat6.0的配置:?
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"?
? ? ? ? ? ? ? ?maxThreads="150" scheme="https" secure="true"?
? ? ? ? ? ? ? ?clientAuth="true" sslProtocol="TLS"?
? ? ? ? ? ? ? ?keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12" ?
? ? ? ? ? ? ? ?truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>?
六.導(dǎo)入證書?
將ca.p12,client.p12分別導(dǎo)入到IE中去(打開IE->;Internet選項(xiàng)->內(nèi)容->證書)。 ?
ca.p12導(dǎo)入至受信任的根證書頒發(fā)機(jī)構(gòu),client.p12導(dǎo)入至個(gè)人?
??
七.驗(yàn)證ssl配置是否正確訪問你的應(yīng)用http://ip:8443/,如果配置正確的話會(huì)出現(xiàn)請求你數(shù)字證書的對話框。
總結(jié)
以上是生活随笔為你收集整理的openssl制作证书全过程的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
