Generating RSA private key, 2048 bit long modulus
..................+++
.....+++
e is 65537 (0x10001)
2 Create the root certificate (it will be used to sign the server's certificate request):
[root@ ~]# openssl req -x509 -new -key rootkey.pem -out root.crt
Output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Apache
Organizational Unit Name (eg, section) []:Tomcat
Common Name (eg, your name or your server's hostname) []:Tomcat
Email Address []:tomcat@apache.com
Fill in the country, province, city, organization and other details at the prompts. Note that without a -days option openssl req -x509 issues a certificate valid for only 30 days (the OpenSSL default); pass -days 3650 here, as step 5 does for the server certificate, if the root is meant to outlive the certificates it signs.
3 Create the server private key:
[root@ ~]# openssl genrsa -out serverkey.pem 2048
Output:
Generating RSA private key, 2048 bit long modulus
............................................................+++
................................+++
e is 65537 (0x10001)
4 Generate the server certificate signing request (CSR):
[root@ ~]# openssl req -new -key serverkey.pem -out server.csr
Output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Apache
Organizational Unit Name (eg, section) []:Tomcat
Common Name (eg, your name or your server's hostname) []:Tomcat
Email Address []:tomcat@apache.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Tomcat
Again, fill in the country, province, city and other details at the prompts. The challenge password and optional company name are CSR attributes that our private CA never reads; they can be left blank.
5 Sign the server CSR with the root certificate to produce the server certificate:
[root@ ~]# openssl x509 -req -in server.csr -CA root.crt -CAkey rootkey.pem -CAcreateserial -days 3650 -out server.crt
Output:
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Apache/OU=Tomcat/CN=Tomcat/emailAddress=tomcat@apache.com
Getting CA Private Key
What we have built is a private CA: root.crt is self-signed, and server.crt is signed by it. Clients will only accept server.crt if root.crt has been installed in their trust store, so this setup is mainly used in development and test environments. In production you submit the request file (server.csr) to a public certificate authority (CA), which returns the signed certificate; this is usually a paid service. One more caveat: openssl x509 -req does not copy extensions from the CSR, so server.crt carries no subjectAltName, and modern browsers match the hostname against the SAN rather than the CN. For anything beyond a quick test, add a SAN with -extfile when signing.
6 Export the certificate and private key in PKCS12 format:
[root@ ~]# openssl pkcs12 -export -in server.crt -inkey serverkey.pem -out server.pkcs12
Output:
Enter Export Password:
Verifying - Enter Export Password:
Enter an export password at the prompt; it protects the private key inside server.pkcs12. Two options worth adding to this command: -name tomcat sets the friendly name that keytool will use as the alias (otherwise the entry is imported as alias 1, as the next step shows), and -certfile root.crt bundles the root certificate so the keystore holds the full chain.
7 Run keytool to create the server keystore:
[root@ ~]# keytool -importkeystore -srckeystore server.pkcs12 -destkeystore mykey.keystore -srcstoretype pkcs12
Output:
Importing keystore server.pkcs12 to mykey.keystore...
Enter destination keystore password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Enter the new keystore password and then the export password from the previous step at the prompts.
We now have a keystore file, mykey.keystore.
The files created so far are listed below. Note that rootkey.pem and serverkey.pem are world-readable (0644); restrict them with chmod 600, and keep rootkey.pem off the Tomcat host entirely, since anyone who reads it can issue certificates that every client trusting root.crt will accept.
[root@ ~]# ll
total 36
-rw-r--r--. 1 root root 4461 Apr 16 16:41 mykey.keystore
-rw-r--r--. 1 root root 1407 Apr 16 16:21 root.crt
-rw-r--r--. 1 root root 1679 Apr 16 16:14 rootkey.pem
-rw-r--r--. 1 root root 17 Apr 16 16:31 root.srl
-rw-r--r--. 1 root root 1289 Apr 16 16:31 server.crt
-rw-r--r--. 1 root root 1110 Apr 16 16:28 server.csr
-rw-r--r--. 1 root root 1675 Apr 16 16:26 serverkey.pem
-rw-r--r--. 1 root root 2517 Apr 16 16:37 server.pkcs12
8 The keytool list command shows the certificates a keystore contains. Enter the keystore password at the prompt and the entries are printed:
[root@ ~]# keytool -list -v -keystore mykey.keystore
Output (note that the listing reproduced here was evidently taken from a different keystore than the one imported above: it shows alias tomcat, two entries and a 90-day validity, whereas the import in step 7 created a single entry with alias 1 from a certificate signed for 3650 days; the fields to check in your own output are Entry type, Certificate chain length and Valid from/until):
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: tomcat
Creation date: Apr 16, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN
Issuer: CN=Tomcat, OU=Apache, O=Apache, L=Beijing, ST=Beijing, C=CN
Serial number: 5f59c5e3
Valid from: Mon Apr 16 15:36:30 CST 2018 until: Sun Jul 15 15:36:30 CST 2018
Certificate fingerprints:
MD5: 0E:FB:D2:73:54:89:51:9A:20:96:E8:22:2B:92:36:B6
SHA1: 2C:DF:97:E9:88:85:72:0E:15:68:B1:09:19:76:7E:67:FC:A7:F9:12
SHA256: EE:42:E8:96:CE:E1:B5:A6:2C:EC:57:82:44:3A:A8:AD:A3:89:04:01:C8:E8:85:7D:CA:96:B4:E4:63:87:91:49
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
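The eight steps above run as one non-interactive script, with the checks a practitioner would add: the root asserts CA:TRUE, the server certificate gets a subjectAltName via -extfile, the root is bundled into the PKCS12 so the keystore holds the full chain, key files are created 0600, and the result is verified with openssl verify. This is an added example, not the tutorial's own commands. File names follow the tutorial; the hostname tomcat.example.com, both passwords and the extension values are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the tutorial's own commands: the root CA -> server
# certificate -> PKCS12 -> keystore pipeline run non-interactively, with the
# checks a practitioner adds. File names follow the tutorial; the hostname,
# both passwords and the extension values are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"    # scratch dir, so nothing in $PWD is overwritten
HOST='tomcat.example.com'             # assumed server name; goes into CN and SAN
EXPORT_PASS='changeit-export'         # assumed PKCS12 export password (tutorial step 6)
STORE_PASS='changeit-store'           # assumed keystore password (tutorial step 7)

make_pki() {
    cd "$WORKDIR"
    umask 077    # key files are created 0600; the tutorial's listing shows them 0644

    # Extension sections: the root must assert CA:TRUE, the server cert must
    # carry a SAN (modern browsers ignore CN for hostname checks).
    cat >ext.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
authorityKeyIdentifier = keyid,issuer
EOF

    # Steps 1-2: root key and self-signed root certificate (10 years, not the 30-day default)
    openssl genrsa -out rootkey.pem 2048 2>/dev/null
    openssl req -x509 -new -key rootkey.pem -days 3650 -sha256 \
        -config ext.cnf -extensions v3_ca \
        -subj '/C=CN/ST=Beijing/L=Beijing/O=Apache/OU=Tomcat/CN=Demo Root CA' \
        -out root.crt

    # Steps 3-4: server key and CSR; -subj replaces the interactive DN prompts
    openssl genrsa -out serverkey.pem 2048 2>/dev/null
    openssl req -new -key serverkey.pem -config ext.cnf \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Apache/OU=Tomcat/CN=$HOST" \
        -out server.csr

    # Step 5: sign with the root, adding the server extensions explicitly
    # (x509 -req does not copy extensions from the CSR)
    openssl x509 -req -in server.csr -CA root.crt -CAkey rootkey.pem \
        -CAcreateserial -days 3650 -sha256 \
        -extfile ext.cnf -extensions v3_server -out server.crt 2>/dev/null

    # Step 6: PKCS12 with the root included (-certfile) so the keystore holds
    # the full chain, and a fixed alias instead of keytool's default "1"
    openssl pkcs12 -export -in server.crt -inkey serverkey.pem -certfile root.crt \
        -name tomcat -passout "pass:$EXPORT_PASS" -out server.pkcs12

    # Step 7: keystore import, only if a JDK is present on this machine
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype PKCS12 \
            -srcstorepass "$EXPORT_PASS" -destkeystore mykey.keystore \
            -deststoretype PKCS12 -deststorepass "$STORE_PASS" -noprompt
    fi
}

verify_chain() {
    # Prints OK when server.crt chains to root.crt, FAIL otherwise
    if openssl verify -CAfile "$WORKDIR/root.crt" "$WORKDIR/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

p12_cert_count() {
    # Number of certificates in the PKCS12: leaf plus root = 2
    openssl pkcs12 -in "$WORKDIR/server.pkcs12" -passin "pass:$EXPORT_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

key_perms() {
    # Permission string of the server key, expected -rw-------
    ls -l "$WORKDIR/serverkey.pem" | cut -c1-10
}

make_pki
echo "files in $WORKDIR; chain: $(verify_chain); certs in p12: $(p12_cert_count); key perms: $(key_perms)"
```

With the root bundled, keytool -list -v on mykey.keystore shows alias tomcat with Certificate chain length 2. The import writes a PKCS12 keystore rather than the JKS shown in the tutorial's listing; PKCS12 has been Java's default keystore type since Java 9 and Tomcat reads either.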