数字证书 学习笔记.docxVIP

数字证书 学习笔记工具准备软件下载 JDK /technetwork/java/javase/downloads/index.htmlOPenSSL/projects/openssl/files 环境变量配置 JAVA_HOME : C:\Program Files\Java\jdk1.7.0_07OpenSSL_HOME :D:\ProgramFiles\opensslPath : %JAVA_HOME%\bin;%OpenSSL_HOME%\bin;...... 环境校验 创建CA证书 创建根证书私钥 openssl genrsa -out rootKey.pem 1024创建根证书请求文件openssl req -new -key rootKey.pem -out rootReq.csr -text -config f -subj /countryName=CN/stateOrProvinceName=Zhejiang/localityName=Hangzhou/organizationName=MyCompany/organizationalUnitName=MyDept/commonName=localhost/emailAddress=ca@/# 注：f 文件可在 %OpenSSL_HOME%\bin 目录中找到对根证书请求文件进行自签名openssl x509 -req -in rootReq.csr -out rootCrt.pem -sha1 -signkey rootKey.pem -days 3650 -text -extfile f -extensions v3_ca导出根证书 openssl pkcs12 -export -cacerts -in rootCrt.pem -inkey rootKey.pem -out root.p12创建 Server 证书创建 Server 证书私钥openssl genrsa -out serverKey.pem 1024创建 Server 证书请求文件openssl req -new -key serverKey.pem -out serverReq.csr -text -config f -subj /countryName=CN/stateOrProvinceName=Zhejiang/localityName=Hangzhou/organizationName=MyCompany/organizationalUnitName=MyDept/commonName=/emailAddress=server@/使用 CA 证书对 Server 证书签名 openssl x509 -req -in serverReq.csr -CA rootCrt.pem -CAkey rootKey.pem -CAcreateserial -out serverCrt.pem -days 3650 -text导出 Server 证书openssl pkcs12 -export -clcerts -in serverCrt.pem -inkey serverKey.pem -out server.p12创建证书库 创建证书库 keytool -genkeypair -alias tomcat -keyalg RSA -keystore tomcatStore -dname CN=,OU=MyDept,O=MyCompany,L=Hangzhou,ST=Zhejiang,C=CN -keypass 123456 -storepass 123456创建证书请求文件 keytool -certreq -keyalg RSA -alias tomcat -file tomcatCrtReq.csr -keystore tomcatStore -storepass 123456对证书请求文件进行签名openssl x509 -req -in tomcatCrtReq.csr -CA rootCrt.pem -CAkey rootKey.pem -CAcreateserial -out tomcatCrt.pem -days 3650导入 CA 根证书keytool -import -alias root -keystore tomcatStore -trustcacerts -file rootCrt.pem -storepass 123456导入签名后证书keytool -import -alias tomcat -keystore tomcatStore -file tomcatCrt.pem -storepass 123456Tomcat 中配置 SSL单向认证