CAS single sign-on practice 1: Create an X.509 Certificate

Source: Internet
Author: User
Tags color identifier openssl x509 pkcs12

Prepare an X.509 Certificate

First, download OpenSSL; the installer I used is named win32openssl-0_9_8d.exe. After installation, configure the environment variables the same way as for the JDK.
Next, create the X.509 certificate.

Color key: colored text marks what you type.
Step 1: Create a private key (type the command at the prompt)
C:\OpenSSL\apps> openssl genrsa -out root/root-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
... ++
... ++
e is 65537 (0x10001)

C:\OpenSSL\apps>

Step 2: Create a certificate request (type the command, then answer the prompts for the name fields)
C:\OpenSSL\apps> openssl req -new -out root/root-req.csr -key root/root-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CN // you can enter anything for these fields
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:chuanyu
Organizational Unit Name (eg, section) []:chuanyu
Common Name (eg, YOUR name) []:weishuwei
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Password
An optional company name []:chuanyu

C:\OpenSSL\apps>

Step 3: Generate the trusted certificate file. It is generated from root-req.csr, which in turn was generated from root-key.pem; in other words, the certificate is signed with its own private key. Note: this is a self-signed certificate; the difference between self-signed and non-self-signed certificates is covered later.
C:\OpenSSL\apps> openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey root/root-key.pem -days 3650
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=Shanghai/L=Shanghai/O=chuanyu/OU=chuanyu/CN=weishuwei/emailAddress=
Getting Private key

Step 4: Export the trusted certificate to the .p12 (PKCS12) format supported by browsers.
C:\OpenSSL\apps> openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkey root/root-key.pem -out root/root.p12
Loading 'screen' into random state - done
Enter Export Password:****** // (in the DOS window the asterisks are not displayed and the cursor does not move, so it looks as if nothing is being typed)
Verifying - Enter Export Password:***** // re-enter the password you just entered

C:\OpenSSL\apps>

Step 5: Export the trusted certificate to JKS format (this step is optional. This format is used by Tomcat. The Tomcat truststore supports both JKS and PKCS12 formats, so you can use the .p12 file from the previous step directly)
C:\OpenSSL\apps\root> keytool -import -v -trustcacerts -storepass password -alias root -file root-cert.pem -keystore root.jks
Owner: EMAILADDRESS=, CN=weishuwei, OU=chuanyu, O=chuanyu, L=Shanghai, ST=Shanghai, C=CN
Issuer: EMAILADDRESS=, CN=weishuwei, OU=chuanyu, O=chuanyu, L=Shanghai, ST=Shanghai, C=CN
Serial number: 9a8cf5246b9bb7a7
Valid from: Thu May 17 09:28:44 CST 2007 until: Sun May 14 09:28:44 CST 2017
Certificate fingerprints:
MD5: 6B:23:EB:8B:0B:3D:D0:61:ED:59:26:45:F7:DD:EE:37
SHA1: EB:CF:D6:53:58:15:9B:88:91:6D:79:38:6E:2B:E4:BD:A8:65:BA:E3
Trust this certificate? [no]: y
Certificate was added to keystore
[Storing root.jks]
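
Steps 1 to 4 as a non-interactive script with checks on the result (an added example, not part of the original post). It assumes a POSIX shell with openssl on PATH; the function names and the password are constructed for the example, and it generates a 2048-bit key rather than the 1024-bit key typed above, because 1024-bit RSA is below current minimum key-size recommendations.

```shell
#!/bin/sh
# Added example: steps 1-4 without prompts, plus checks on the output.
# Assumptions: openssl on PATH; function names and password are constructed;
# the 2048-bit key is this example's choice (the tutorial types 1024).
SUBJ='/C=CN/ST=Shanghai/L=Shanghai/O=chuanyu/OU=chuanyu/CN=weishuwei'

# make_root DIR PASSWORD: key, CSR, self-signed cert and .p12 bundle in DIR.
make_root() (
    umask 077                      # new files readable by the owner only
    cd "$1" || exit 1
    P12_PASS=$2; export P12_PASS   # via environment, not the command line
    openssl genrsa -out root-key.pem 2048 2>/dev/null &&
    openssl req -new -key root-key.pem -subj "$SUBJ" -out root-req.csr &&
    openssl x509 -req -in root-req.csr -signkey root-key.pem \
        -days 3650 -out root-cert.pem 2>/dev/null &&
    openssl pkcs12 -export -clcerts -in root-cert.pem -inkey root-key.pem \
        -passout env:P12_PASS -out root.p12
)

# is_self_signed CERT: issuer == subject and the self-signature verifies.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ] &&
        openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# p12_has_cert FILE PASSWORD: bundle opens with PASSWORD and holds a cert.
p12_has_cert() (
    P12_PASS=$2; export P12_PASS
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        grep -q 'BEGIN CERTIFICATE'
)

# Demo in a throwaway directory.
demo_dir=$(mktemp -d) && make_root "$demo_dir" 'constructed-demo-pass' &&
    is_self_signed "$demo_dir/root-cert.pem" &&
    p12_has_cert "$demo_dir/root.p12" 'constructed-demo-pass' &&
    echo "self-signed certificate and PKCS#12 bundle verified in $demo_dir"
```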

