Preparing an X.509 certificate
First download OpenSSL; the build I used is win32openssl-0_9_8d.exe. After installing it, set the environment variables the same way you do for the JDK. Then create the X.509 certificate. In the transcripts below, the text after each prompt is what you type; notes after // are explanations.

Step 1: create the private key (just enter the command).

    C:\OpenSSL\apps>openssl genrsa -out root/root-key.pem 1024
    Loading 'screen' into random state - done
    Generating RSA private key, 1024 bit long modulus
    ...++++++
    ......++++++
    e is 65537 (0x10001)

    C:\OpenSSL\apps>
Step 2: create the certificate request (after you enter the command it asks you to fill in a few fields).

    C:\OpenSSL\apps>openssl req -new -out root/root-req.csr -key root/root-key.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN                              // from here on you are prompted for values
    State or Province Name (full name) [Some-State]:shanghai
    Locality Name (eg, city) []:shanghai
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:chuanyu
    Organizational Unit Name (eg, section) []:chuanyu
    Common Name (eg, YOUR name) []:weishuwei
    Email Address []:weishuwei112@sina.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:password
    An optional company name []:chuanyu

    C:\OpenSSL\apps>
Step 3: produce the trusted certificate file. It is generated from root-req.csr, which in turn was generated from root-key.pem; in other words, the private key file signs this certificate. Note: this is a self-signed certificate; the difference between self-signed and non-self-signed certificates is explained below.

    C:\OpenSSL\apps>openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey root/root-key.pem -days 3650
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=CN/ST=shanghai/L=shanghai/O=chuanyu/OU=chuanyu/CN=weishuwei/emailAddress=weishuwei112@sina.com
    Getting Private key
Step 4: export the trusted certificate in the .p12 (PKCS12) format that browsers support.

    C:\OpenSSL\apps>openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkey root/root-key.pem -out root/root.p12
    Loading 'screen' into random state - done
    Enter Export Password: ******              // (on DOS the asterisks are not shown and the cursor does not move; it feels as if nothing is being typed)
    Verifying - Enter Export Password: ******  // type the same password again

    C:\OpenSSL\apps>
Step 5: import the trusted certificate into a JKS keystore. This step is optional: the JKS format is for Tomcat, and since Tomcat's trustStore accepts both JKS and PKCS12, the .p12 file from the previous step works just as well.

    C:\OpenSSL\apps\root>keytool -import -v -trustcacerts -storepass password -alias root -file root-cert.pem -keystore root.jks
    Owner: EMAILADDRESS=weishuwei112@sina.com, CN=weishuwei, OU=chuanyu, O=chuanyu, L=shanghai, ST=shanghai, C=CN
    发照者: EMAILADDRESS=weishuwei112@sina.com, CN=weishuwei, OU=chuanyu, O=chuanyu, L=shanghai, ST=shanghai, C=CN
    序号: 9a8cf5246b9bb7a7
    有效期间: Thu May 17 09:28:44 CST 2007 至: Sun May 14 09:28:44 CST 2017
    认证指纹:
             MD5:  6B:23:EB:8B:0B:3D:D0:61:ED:59:26:45:F7:DD:EE:37
             SHA1: EB:CF:D6:53:58:15:9B:88:91:6D:79:38:6E:2B:E4:BD:A8:65:BA:E3
    信任这个认证? [否]: y
    认证已添加至keystore中
    [正在存储 root.jks]
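The five steps above as one re-runnable POSIX shell script (an added example, not the post's own commands): it passes the DN with -subj and the export password with -passout so nothing is typed interactively, uses a 2048-bit key instead of the post's 1024-bit one, and adds the checks worth doing before anyone is asked to trust the result. It assumes openssl (and optionally keytool) on PATH; the output directory, subject and password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl (and optionally
# keytool) on PATH; OUT, SUBJ and P12_PASS are constructed placeholder values.
set -eu

OUT="${OUT:-./root}"
SUBJ="/C=CN/ST=shanghai/L=shanghai/O=chuanyu/OU=chuanyu/CN=weishuwei"
P12_PASS="${P12_PASS:-changeit}"   # export password; supply a real one via the environment

# Steps 1-3: private key, CSR and self-signed certificate, all non-interactive.
# 2048-bit RSA rather than the post's 1024 bits, which is too short to rely on today.
make_root_cert() {
    mkdir -p "$OUT"
    openssl genrsa -out "$OUT/root-key.pem" 2048 2>/dev/null
    openssl req -new -key "$OUT/root-key.pem" -out "$OUT/root-req.csr" -subj "$SUBJ"
    openssl x509 -req -in "$OUT/root-req.csr" -signkey "$OUT/root-key.pem" \
        -days 3650 -out "$OUT/root-cert.pem" 2>/dev/null
}

# Step 4: bundle certificate and key as PKCS#12 for the browser.
export_p12() {
    openssl pkcs12 -export -clcerts -in "$OUT/root-cert.pem" -inkey "$OUT/root-key.pem" \
        -out "$OUT/root.p12" -passout "pass:$P12_PASS"
}

# Step 5 (optional): import the certificate into a JKS trust store for Tomcat.
import_jks() {
    command -v keytool >/dev/null 2>&1 || return 0   # skip when no JDK is installed
    keytool -importcert -noprompt -trustcacerts -storepass "$P12_PASS" -alias root \
        -file "$OUT/root-cert.pem" -keystore "$OUT/root.jks"
}

# Checks before handing the files out: the subject is the one requested, the
# certificate validates against itself as a root, the .p12 really contains it,
# and the SHA-256 fingerprint (not the MD5/SHA-1 values keytool printed in 2007)
# is what to compare out of band when someone is asked to trust this root.
cert_subject()     { openssl x509 -in "$OUT/root-cert.pem" -noout -subject; }
cert_verifies()    { openssl verify -CAfile "$OUT/root-cert.pem" "$OUT/root-cert.pem" >/dev/null 2>&1; }
cert_fingerprint() { openssl x509 -in "$OUT/root-cert.pem" -noout -fingerprint -sha256; }
p12_has_cert()     { openssl pkcs12 -in "$OUT/root.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null | grep -q 'BEGIN CERTIFICATE'; }

run_all() {
    make_root_cert && export_p12 && import_jks && cert_verifies \
        && cert_subject && cert_fingerprint
}
```

Run it with `OUT=/path/to/dir P12_PASS='...' sh script.sh` after appending a `run_all` call, or source it and call the functions one at a time.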