1. Managing certificates with the OpenSSL tool
OpenSSL is a widely used cryptographic toolkit and SSL/TLS library: it implements the cryptographic algorithms, key and certificate management, and the SSL/TLS protocol itself. The openssl command-line tool exposes this functionality as subcommands. The commands below show how to generate keys and certificates with it (on Windows, run CMD as an administrator):
- Generate a key in PEM format
openssl genrsa -out rsakey0.pem 2048
This generates an RSA key of 2048 bits and saves it to the file rsakey0.pem.
openssl genrsa -des3 -out rootca.key 1024
The -des3 option encrypts the key file with Triple DES under a passphrase that you are prompted for. Note that 1024-bit RSA keys are considered too weak today; use 2048 bits or more.
- Generate a self-signed certificate in X.509 format
openssl req -x509 -new -days 365 -key rsakey0.pem -out cert0.crt
You will be prompted for the fields of the Distinguished Name (DN): country, city, organization, common name, e-mail address, and so on.
A root certificate is a certificate that a certification authority (CA) issues to itself: the issuer and the subject are the same entity, and it is the start of the chain of trust. It contains the CA's identifying information, the CA's public key, and a signature over that information made with the CA's own private key. Installing a root certificate means that you trust the authority that issued it, and therefore all certificates issued under it. Any certificate can be verified with the public key of the certificate that issued it; verification walks up the chain, checking each certificate against its issuer, until it reaches a certificate that verifies with the root certificate's public key.
- Generate a certificate signing request (CSR) for a child certificate to be issued by the root certificate
openssl req -new -key rsakey1.pem -out subcertreq.csr
Here rsakey1.pem is a second key generated with genrsa as above. You will be prompted for the Distinguished Name fields (country, city, organization, common name, e-mail address, and so on) and for two extra attributes: a challenge password and an optional company name.
- Issue the child certificate with the root certificate
openssl x509 -req -in subcertreq.csr -CA cert0.crt -CAkey rsakey0.pem -CAcreateserial -days 365 -out subcert.crt
-CAcreateserial creates the serial-number file (cert0.srl) if it does not exist yet. You can also write a configuration file for a CA and issue child certificates with the ca subcommand (not tested):
openssl ca -config ca.config -out user.crt -infiles user.csr
- Package a certificate and its key in a PKCS#12 file
openssl pkcs12 -export -in subcert.crt -inkey rsakey1.pem -out subcert.p12
You will be prompted for a password to protect the PKCS#12 file.
- View certificate contents and verify a certificate
openssl x509 -noout -text -in rootca.crt
openssl verify -CAfile rootca.crt subcert.crt
The verify command checks the signature in subcert.crt against the public key in rootca.crt.
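The whole section-1 workflow, run end to end without prompts and then checked, as an added example (not the original post's commands). File names follow the post; the subject names, the small config file, the directory and the PKCS#12 password "changeit" are assumptions. The last function goes beyond the post: it shows that verification is a signature check by rejecting a second root with the same name but a different key.

```shell
#!/bin/sh
# Added example (not from the original post): the section-1 workflow run end
# to end without prompts, then checked. File names follow the post; the
# subject names, the config file and the PKCS#12 password are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK="${WORK:-$(mktemp -d)}"
# A minimal config so `req -x509` marks the root as a CA (basicConstraints)
# rather than relying on whatever the system openssl.cnf contains.
write_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
}

build_chain() {
  write_config
  cd "$WORK"
  openssl genrsa -out rsakey0.pem 2048 2>/dev/null               # CA key
  openssl req -x509 -new -days 365 -key rsakey0.pem -out cert0.crt -config ca.cnf
  openssl genrsa -out rsakey1.pem 2048 2>/dev/null               # leaf key
  openssl req -new -key rsakey1.pem -out subcertreq.csr -config ca.cnf \
      -subj "/CN=demo.example.test"                                # CSR
  openssl x509 -req -in subcertreq.csr -CA cert0.crt -CAkey rsakey0.pem \
      -CAcreateserial -days 365 -out subcert.crt 2>/dev/null       # issue leaf
  openssl pkcs12 -export -in subcert.crt -inkey rsakey1.pem -out subcert.p12 \
      -passout pass:changeit                                       # bundle
}
# Returns 0 when subcert.crt verifies against cert0.crt (the post's verify step).
verify_leaf() {
  openssl verify -CAfile "$WORK/cert0.crt" "$WORK/subcert.crt" >/dev/null 2>&1
}
# Returns 0 when a root with the same name but a different key is rejected:
# the chain check is a signature check, not a match on the issuer name.
wrong_ca_fails() {
  ( cd "$WORK"
    openssl genrsa -out otherkey.pem 2048 2>/dev/null
    openssl req -x509 -new -days 365 -key otherkey.pem -out other.crt -config ca.cnf
    ! openssl verify -CAfile other.crt subcert.crt >/dev/null 2>&1 )
}
build_chain && verify_leaf && wrong_ca_fails && echo "chain OK; wrong CA rejected"
```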
The key file (.pem), the certificate request (.csr) and the certificate (.crt) generated by OpenSSL are stored in PEM format: the binary (DER) data is Base64 encoded and wrapped in plain-text header and footer lines. Opened in a text editor, such a file looks like this:
-----BEGIN RSA PRIVATE KEY-----
Miieogibaakcaqearlux2v998y+ek/azoddsbw7ilyrpwxvbmdqmof3zzpbp/4vo
... (several lines omitted) ...
bul0a0bofi7dyjjwgteyytfqgyseezhl/+xyohujltyvzwupm5w=
-----END RSA PRIVATE KEY-----
The header and footer lines are not part of the encoded data; the header names the kind of object stored in the file (here an RSA private key).
2. Managing certificates with the keytool tool
keytool is the key, certificate and keystore management tool that ships with Java. It can generate keys, generate certificates, import and export them, and so on.
The keytool subcommands are:
-certreq generates a certificate request
-changealias changes the alias of an entry
-delete deletes an entry
-exportcert exports a certificate
-genkeypair generates a key pair
-genseckey generates a secret key
-gencert generates a certificate from a certificate request
-importcert imports a certificate or certificate chain
-importkeystore imports one or all entries from another keystore
-keypasswd changes the key password of an entry
-list lists the entries in a keystore
-printcert prints the contents of a certificate
-printcertreq prints the contents of a certificate request
-printcrl prints the contents of a CRL file
-storepasswd changes the store password of a keystore
You can also run keytool -command_name -help to see the help for an individual subcommand.
- Import a certificate and key from a PKCS#12 file into a JKS keystore (Java KeyStore format)
keytool -importkeystore -srckeystore subcert.p12 -destkeystore subcert.jks -srcstoretype pkcs12
You will be prompted for the password of the destination keystore and for the password of the source keystore; the JKS file is created automatically if it does not exist yet.
- Import a certificate into a JKS keystore
keytool -importcert -keystore subcert.jks -alias rootca -file rootcert.crt
You will be prompted for the keystore password and asked whether to trust the certificate being added. -alias can be omitted (keytool then uses the default alias, mykey), and the JKS file is created automatically if it does not exist yet.
A keystore can hold private keys as well as certificates. A keystore that contains only certificates (that is, only the public keys they carry) and no private keys is a trust store.
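The two keytool steps above run without prompts, followed by a check of the keystore-versus-trust-store distinction, as an added example (not the post's own commands). The PKCS#12 input is constructed with keytool itself instead of taken from openssl, and the alias, subject, validity, directory and password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the section-2 keytool steps run
# without prompts, then the entry types of the two stores compared.
# The alias, subject, validity and the password are assumptions for this demo.
set -eu
command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; exit 0; }
WORK="${WORK:-$(mktemp -d)}"
PASS=changeit

build_stores() {
  cd "$WORK"
  # Constructed input: a PKCS#12 file with one key pair, standing in for the
  # subcert.p12 that section 1 produced with openssl.
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=demo.example.test" -alias subcert \
      -storetype PKCS12 -keystore subcert.p12 -storepass "$PASS"
  # PKCS#12 -> JKS; -srcstorepass, -deststorepass and -noprompt replace the prompts.
  keytool -importkeystore -srckeystore subcert.p12 -srcstoretype PKCS12 \
      -srcstorepass "$PASS" -destkeystore subcert.jks -deststoretype JKS \
      -deststorepass "$PASS" -noprompt
  # Export only the certificate, then import it into a separate trust store.
  keytool -exportcert -keystore subcert.jks -storepass "$PASS" \
      -alias subcert -rfc -file subcert.crt
  keytool -importcert -keystore trust.jks -storetype JKS -storepass "$PASS" \
      -alias subcert -file subcert.crt -noprompt
}

# Entry type that `keytool -list` reports for the alias: PrivateKeyEntry in the
# keystore that holds the key, trustedCertEntry in the trust store.
entry_type() {  # $1 = keystore file name inside $WORK
  keytool -list -keystore "$WORK/$1" -storepass "$PASS" -alias subcert 2>/dev/null \
      | grep -oE 'PrivateKeyEntry|trustedCertEntry'
}

build_stores >/dev/null 2>&1
echo "subcert.jks: $(entry_type subcert.jks)"   # PrivateKeyEntry
echo "trust.jks:   $(entry_type trust.jks)"     # trustedCertEntry
```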
Resources:
OpenSSL documentation: https://www.openssl.org/docs/apps/openssl.html
keytool documentation: http://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
http://zhtx168.blog.163.com/blog/static/41601548200812503248/
http://blog.csdn.net/kimylrong/article/details/43525333