Prepare an X.509 Certificate
First, download OpenSSL; my installer is named Win32OpenSSL-0_9_8d.exe. After installation, configure the environment variables the same way as for the JDK.
Next, create the X.509 certificate.
Step 1: Create a private key (type the command shown after the prompt)
C:\OpenSSL\apps> openssl genrsa -out root/root-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
... ++
... ++
e is 65537 (0x10001)
C:\OpenSSL\apps>
Step 2: Create a certificate request (enter the command; you will then be prompted for several values)
C:\OpenSSL\apps> openssl req -new -out root/root-req.csr -key root/root-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN // enter your own values at these prompts
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:chuanyu
Organizational Unit Name (eg, section) []:chuanyu
Common Name (eg, YOUR name) []:weishuwei
Email Address []:weishuwei112@sina.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Password
An optional company name []:chuanyu
C:\OpenSSL\apps>
Step 3: Generate a trusted certificate file. The certificate is generated from root-req.csr, and root-req.csr was generated from root-key.pem; in other words, the certificate is signed with its own private key. Note: this is a self-signed certificate; the difference between self-signed and non-self-signed certificates is described below.
C:\OpenSSL\apps> openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey root/root-key.pem -days 3650
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=Shanghai/L=Shanghai/O=chuanyu/OU=chuanyu/CN=weishuwei/emailAddress=weishuwei112@sina.com
Getting Private key
Step 4: Export the trusted certificate to the .p12 (PKCS12) format supported by browsers.
C:\OpenSSL\apps> openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkey root/root-key.pem -out root/root.p12
Loading 'screen' into random state - done
Enter Export Password: ****** // (no asterisks are displayed in the DOS window and the cursor does not move, so it looks as if nothing is being typed)
Verifying - Enter Export Password: ****** // re-enter the password you just entered
C:\OpenSSL\apps>
Step 5: Export the trusted certificate to JKS format (this step is optional). This is the format used by Tomcat; because the Tomcat truststore supports both JKS and PKCS12, you can instead use the .p12 file from the previous step directly.
C:\OpenSSL\apps\root> keytool -import -v -trustcacerts -storepass password -alias root -file root-cert.pem -keystore root.jks
Owner: EMAILADDRESS=weishuwei112@sina.com, CN=weishuwei, OU=chuanyu, O=chuanyu, L=Shanghai, ST=Shanghai, C=CN
Issuer: EMAILADDRESS=weishuwei112@sina.com, CN=weishuwei, OU=chuanyu, O=chuanyu, L=Shanghai, ST=Shanghai, C=CN
Serial number: 9a8cf5246b9bb7a7
Valid from: Thu May 17 09:28:44 CST 2007 until: Sun May 14 09:28:44 CST 2017
Certificate fingerprints:
MD5: 6B:23:EB:8B:0B:3D:D0:61:ED:59:26:45:F7:DD:EE:37
SHA1: EB:CF:D6:53:58:15:9B:88:91:6D:79:38:6E:2B:E4:BD:A8:65:BA:E3
Trust this certificate? [no]: y
Certificate was added to keystore
[Storing root.jks]
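Steps 1 to 4 as a non-interactive POSIX shell script with three sanity checks on the result, added here as an example and not part of the original walkthrough. The subject DN, the sample password and the function names are assumptions; the key defaults to 2048 bits rather than the 1024 in the transcript, and the export password is passed through the environment instead of being typed.

```shell
#!/bin/sh
# Constructed sample subject (assumption); replace with your own DN.
SUBJ="/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=example/CN=example-root"

# make_root DIR PASS [BITS]: steps 1-4 without prompts; output files go in DIR.
make_root() {
    dir=$1 bits=${3:-2048}
    mkdir -p "$dir" || return 1
    (   umask 077                          # key and .p12 readable by owner only
        P12_PASS=$2; export P12_PASS       # read via env:, not shown in argv
        openssl genrsa -out "$dir/root-key.pem" "$bits" 2>/dev/null &&
        openssl req -new -key "$dir/root-key.pem" -subj "$SUBJ" \
            -out "$dir/root-req.csr" &&
        openssl x509 -req -in "$dir/root-req.csr" -signkey "$dir/root-key.pem" \
            -days 3650 -out "$dir/root-cert.pem" 2>/dev/null &&
        openssl pkcs12 -export -clcerts -in "$dir/root-cert.pem" \
            -inkey "$dir/root-key.pem" -out "$dir/root.p12" -passout env:P12_PASS
    )
}

# key_matches_cert DIR: true when the certificate carries the key's modulus.
key_matches_cert() {
    k=$(openssl rsa -in "$1/root-key.pem" -noout -modulus 2>/dev/null) &&
    c=$(openssl x509 -in "$1/root-cert.pem" -noout -modulus) &&
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# is_self_signed DIR: true when the subject and issuer DNs are identical.
is_self_signed() {
    s=$(openssl x509 -in "$1/root-cert.pem" -noout -subject) &&
    i=$(openssl x509 -in "$1/root-cert.pem" -noout -issuer) &&
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# p12_opens DIR PASS: true when the PKCS#12 bundle decrypts with PASS.
p12_opens() {
    P12_PASS=$2 openssl pkcs12 -in "$1/root.p12" -passin env:P12_PASS \
        -noout 2>/dev/null
}

# Demo run in a throwaway directory with a constructed password.
d=$(mktemp -d) && make_root "$d" 'sample-pass' &&
    key_matches_cert "$d" && is_self_signed "$d" &&
    p12_opens "$d" 'sample-pass' && echo "root certificate passes all checks"
rm -rf "$d"
```

The JKS import in step 5 is left out because it needs keytool from a JDK.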