Certificate Generation and Management summary

Source: Internet
Author: User
Tags: begin rsa private key, openssl, x509, pkcs12

1. Managing certificates with the OpenSSL tool

OpenSSL is a widely used open-source toolkit for TLS/SSL that bundles cryptographic algorithms, key and certificate management, and the TLS protocol implementation. It is driven through subcommands of the openssl binary; the steps below list the ones needed to generate keys and certificates (on Windows, run cmd as an administrator). Option names are case-sensitive (-CA, -CAkey and -CAfile must be written exactly so) and each option is separated from its value by a space.

    • Generate a key in PEM format
openssl genrsa -out rsakey0.pem 2048

The algorithm is RSA, the key length is 2048 bits, and the key is written to the file rsakey0.pem.

openssl genrsa -des3 -out rootca.key 1024

The -des3 option encrypts the private key with a passphrase: you are prompted for it here, and OpenSSL asks for it again every time the key is used. Two caveats for a CA key: 1024-bit RSA is too weak for current use, so generate 2048 bits or more, and Triple DES is a legacy cipher, so prefer -aes256 for the key encryption.

    • Generate a self-signed certificate in X.509 format
openssl req -x509 -new -days 365 -key rsakey0.pem -out cert0.crt

You will be prompted for the fields of the distinguished name (DN): country, state, city, organization, common name, email address, and so on. The certificate is valid for 365 days, contains the public half of the key given with -key, and is signed with the private half of that same key (rsakey0.pem here, which is the key used below to issue the child certificate).

A root certificate is a certificate that a certification authority (CA) issues to itself: subject and issuer are the same, and it is the start of a chain of trust. It contains the CA's identity, the CA's public key, and a signature over that information made with the CA's own private key. That self-signature proves nothing on its own, so a root is trusted only because you choose to install it; installing a root certificate means you trust the authority holding its private key and, by extension, every certificate issued under it. To validate a certificate, its signature is checked with the public key of the issuing certificate; the issuing certificate is then checked against its own issuer, and so on up the chain until a certificate verifies under the public key of a root that is already trusted. Proper validation also checks the validity dates of every certificate in the chain and that each issuing certificate is actually marked as a CA (basicConstraints), not only the signatures.

    • Generate a certificate signing request (CSR) so that the root certificate can issue a child certificate
openssl req -new -key rsakey1.pem -out subcertreq.csr

rsakey1.pem is a second key pair belonging to the child, generated with the same genrsa command as above; the child must never share the CA's key. You will be prompted for the DN fields as before, plus two "extra" attributes: a challenge password and an optional company name. Both can be left empty; the challenge password is a legacy CSR attribute that almost no CA uses, and it is not the passphrase protecting the key file.

    • Issue a child certificate with the root certificate
openssl x509 -req -in subcertreq.csr -CA cert0.crt -CAkey rsakey0.pem -CAcreateserial -days 365 -out subcert.crt

The CSR is signed with the CA key. -CAcreateserial creates a serial-number file (cert0.srl) on first use and increments it for every later certificate, so that no two certificates issued by this CA share a serial number. Note that openssl x509 -req does not copy extensions such as subjectAltName from the request; for a server certificate pass them with -extfile, because modern browsers ignore the common name and require a SAN.

You can also write a configuration file for the CA and issue the child certificate with the ca subcommand (not tested):

openssl ca -config ca.config -out user.crt -infiles user.csr

    • Package the certificate and key in a PKCS#12 file
openssl pkcs12 -export -in subcert.crt -inkey rsakey1.pem -out subcert.p12

You are prompted for an export password that protects the PKCS#12 file. The private key is stored inside the file, so it must be handled as secret material. Add -certfile cert0.crt to include the issuing certificate, so that whatever imports the bundle receives the whole chain.

    • View certificate contents
openssl x509 -noout -text -in cert0.crt

This prints the self-signed root created above in readable form: version, serial number, signature algorithm, issuer, validity period, subject, public key and extensions. -noout suppresses the Base64 block that would otherwise follow.

    • Verify a certificate
openssl verify -CAfile cert0.crt subcert.crt

This checks that subcert.crt chains to the trusted root cert0.crt: the signature on subcert.crt must verify under the public key in cert0.crt, both certificates must be within their validity period, and cert0.crt must be permitted to act as a CA. On success the command prints "subcert.crt: OK"; on failure it prints the reason (for example "certificate has expired" or "unable to get local issuer certificate") and exits with a non-zero status, which is what scripts should test.
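The whole procedure above, run end to end without interactive prompts, as an added example that is not code from the original post. It uses a small config file so that the root is marked as a CA and the child gets a subjectAltName, and it finishes with the checks a practitioner runs before shipping a bundle: positive and negative openssl verify, a key/certificate match test, and a read-back of the PKCS#12 file. The names (Example Root CA, www.example.test), passphrases and file names are assumptions; 2048-bit keys and -aes256 replace the page's 1024-bit and -des3 choices.

```shell
#!/bin/sh
# Added example, not code from the original post: the OpenSSL steps run end to end
# without prompts, plus the checks a practitioner runs afterwards.
# Names (Example Root CA, www.example.test), passphrases and file names are assumptions.
set -eu

# Steps 1-2: encrypted root key and self-signed root certificate. The config file marks
# the root as a CA (basicConstraints), which "openssl verify" requires of an issuer.
make_root_ca() {
    d="$1"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Example Root CA
O  = Example Lab
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -aes256 -passout pass:rootpass -out "$d/rootca.key" 2048 2>/dev/null
    openssl req -x509 -new -days 365 -config "$d/ca.cnf" \
        -key "$d/rootca.key" -passin pass:rootpass -out "$d/rootca.crt"
}

# Step 3: the child's own key and a CSR for it (the CSR carries no private key).
make_leaf_csr() {
    d="$1"
    openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$d/leaf.key" -config "$d/ca.cnf" \
        -subj "/CN=www.example.test/O=Example Lab" -out "$d/leaf.csr"
}

# Step 4: sign the CSR with the root. "x509 -req" ignores extensions in the CSR, so the
# end-entity extensions (CA:FALSE, key usage, SAN) are supplied with -extfile.
sign_leaf() {
    d="$1"
    cat > "$d/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.test
EOF
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/rootca.crt" -CAkey "$d/rootca.key" \
        -passin pass:rootpass -CAcreateserial -days 365 \
        -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Step 5: PKCS#12 bundle with the leaf key, leaf cert and the issuing root (-certfile).
package_p12() {
    d="$1"
    openssl pkcs12 -export -in "$d/leaf.crt" -inkey "$d/leaf.key" -certfile "$d/rootca.crt" \
        -name leaf -passout pass:changeit -out "$d/leaf.p12"
}

build_chain() { make_root_ca "$1"; make_leaf_csr "$1"; sign_leaf "$1"; package_p12 "$1"; }

# Check 1: exit status 0 only if leaf.crt chains to rootca.crt and both pass date/CA checks.
verify_chain() { openssl verify -CAfile "$1/rootca.crt" "$1/leaf.crt" >/dev/null 2>&1; }

# Check 2 (negative): an unrelated self-signed CA must NOT validate the leaf.
verify_against_wrong_ca() {
    d="$1"
    openssl req -x509 -new -days 365 -config "$d/ca.cnf" -subj "/CN=Unrelated CA" \
        -newkey rsa:2048 -nodes -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
    openssl verify -CAfile "$d/other.crt" "$d/leaf.crt" >/dev/null 2>&1
}

# Check 3: the private key really belongs to the certificate (compare public-key digests).
key_matches_cert() {
    d="$1"
    cert_pub=$(openssl x509 -in "$d/leaf.crt" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$d/leaf.key" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] && echo match || echo mismatch
}

# Check 4: read the leaf back out of the PKCS#12 bundle and print its subject CN.
p12_leaf_cn() {
    openssl pkcs12 -in "$1/leaf.p12" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'
}

demo() {
    d=$(mktemp -d)
    build_chain "$d"
    if verify_chain "$d"; then echo "chain: OK"; else echo "chain: FAILED"; fi
    echo "key matches cert: $(key_matches_cert "$d")"
    echo "CN inside leaf.p12: $(p12_leaf_cn "$d")"
    if verify_against_wrong_ca "$d"; then echo "unrelated CA: accepted (bug)"; else echo "unrelated CA: rejected"; fi
    rm -rf "$d"
}
demo
```

The negative check matters as much as the positive one: a verify script that only ever sees "OK" has not shown that it would reject a certificate from the wrong issuer. The key/certificate digest comparison catches the common deployment mistake of pairing a renewed certificate with a stale key file.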

    • Related files

The key file (.pem), the certificate signing request (.csr) and the certificate file (.crt) produced by OpenSSL are PEM files: the binary DER encoding is Base64-encoded and wrapped in header and footer lines, so they open in any text editor and look like this:

-----BEGIN RSA PRIVATE KEY-----
Miieogibaakcaqearlux2v998y+ek/azoddsbw7ilyrpwxvbmdqmof3zzpbp/4vo
..... several lines omitted .....
bul0a0bofi7dyjjwgteyytfqgyseezhl/+xyohujltyvzwupm5w=
-----END RSA PRIVATE KEY-----

The first and last lines are the header and footer; they are not part of the encoded data, and the header names the type of object stored in the file. "RSA PRIVATE KEY" is the traditional PKCS#1 format written by OpenSSL 1.x; OpenSSL 3.0 and later write "BEGIN PRIVATE KEY" (PKCS#8) by default, and an encrypted key shows "BEGIN ENCRYPTED PRIVATE KEY" (or, in the traditional format, extra Proc-Type and DEK-Info header lines). Because a key file is plain text it is easy to paste into a ticket or commit by mistake; keep private keys out of source control and restrict their file permissions.

2. Managing certificates with the keytool tool

keytool is the key, certificate and keystore management tool shipped with the Java JDK. It can generate key pairs, create certificate requests, sign certificates, and import and export certificates and keys.

The keytool subcommands are as follows:

-certreq        Generate a certificate request
-changealias    Change the alias of an entry
-delete         Delete an entry
-exportcert     Export a certificate
-genkeypair     Generate a key pair
-genseckey      Generate a secret (symmetric) key
-gencert        Generate a certificate from a certificate request
-importcert     Import a certificate or certificate chain
-importkeystore Import one or all entries from another keystore
-keypasswd      Change the key password of an entry
-list           List entries in a keystore
-printcert      Print the contents of a certificate
-printcertreq   Print the contents of a certificate request
-printcrl       Print the contents of a CRL file
-storepasswd    Change the store password of a keystore

Use keytool -command_name -help to view the help for an individual subcommand.

    • Import a PKCS#12 bundle into a JKS keystore (Java KeyStore format)
keytool -importkeystore -srckeystore subcert.p12 -destkeystore subcert.jks -srcstoretype pkcs12

You are prompted for the destination keystore password and then for the source (PKCS#12) password; the JKS file is created if it does not exist. On Java 9 and later a PKCS#12 file can be used directly as a keystore (-storetype pkcs12) and PKCS#12 is the default keystore type, so this conversion is only needed for older Java versions or tools that insist on JKS, a legacy Java-only format that keytool warns about when creating.

    • Import Certificate to JKs Library
Keytool-importcert-keystore Subcert.jks-alias Rootca-file ROOTCERT.CRT

You need to enter the target library password and whether to trust the added certificate. -alias can be omitted and will be generated automatically if the JKS library file does not exist.

A keystore can hold private-key entries (a private key together with its certificate chain) and trusted-certificate entries (a certificate, that is, a public key, with no private key). A keystore that contains only trusted-certificate entries is a truststore: it is what a client consults to decide which servers to trust, and since it holds no secrets it can be distributed freely, whereas a keystore with private keys must be protected like the key files themselves. keytool -list shows the entry type of each alias (PrivateKeyEntry or trustedCertEntry), which is the quickest way to confirm what a store actually contains.
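The two keytool steps above run without prompts, as an added example that is not code from the original post. Instead of the PKCS#12 file from the OpenSSL section it lets keytool itself produce a stand-in bundle with -genkeypair, imports it into a JKS keystore, imports only the certificate into a separate truststore, and then parses keytool -list to show that the first holds a PrivateKeyEntry and the second a trustedCertEntry (and that the .p12 can be listed directly). A JDK on PATH is required; the alias leaf, the CN, the file names and the password changeit are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the two keytool steps run without prompts,
# then "keytool -list" is parsed to show which kind of entry each store holds. Needs a JDK.
# The alias "leaf", the CN, file names and the password "changeit" are assumptions.
set -eu

# Stand-in for subcert.p12 from the OpenSSL section: keytool makes a PKCS#12 file holding a
# key pair plus a self-signed certificate, and exports the certificate alone in PEM (-rfc).
make_bundle() {
    d="$1"
    keytool -genkeypair -alias leaf -keyalg RSA -keysize 2048 -dname "CN=www.example.test" \
        -validity 365 -storetype PKCS12 -keystore "$d/leaf.p12" \
        -storepass changeit -keypass changeit >/dev/null 2>&1
    keytool -exportcert -rfc -alias leaf -keystore "$d/leaf.p12" -storetype PKCS12 \
        -storepass changeit -file "$d/leaf.crt" >/dev/null 2>&1
}

# Page step 1: PKCS#12 -> JKS keystore (private key travels with it).
# Page step 2: only the certificate goes into a second store, which makes it a truststore.
import_to_keystores() {
    d="$1"
    keytool -importkeystore -srckeystore "$d/leaf.p12" -srcstoretype PKCS12 -srcstorepass changeit \
        -destkeystore "$d/app.jks" -deststoretype JKS -deststorepass changeit -noprompt >/dev/null 2>&1
    keytool -importcert -file "$d/leaf.crt" -alias leaf -keystore "$d/truststore.jks" \
        -storetype JKS -storepass changeit -noprompt >/dev/null 2>&1
}

# Report the entry type keytool lists for an alias: PrivateKeyEntry (key + certificate chain)
# or trustedCertEntry (certificate only). Works on JKS and, with storetype PKCS12, on the .p12.
entry_type() {
    store="$1"; storetype="$2"; alias="$3"
    line=$(keytool -list -keystore "$store" -storetype "$storetype" -storepass changeit 2>/dev/null \
           | grep "^$alias," || true)
    case "$line" in
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *)                  echo unknown ;;
    esac
}

have_keytool() { command -v keytool >/dev/null 2>&1; }

demo() {
    have_keytool || { echo "keytool not found (install a JDK)"; return 0; }
    d=$(mktemp -d)
    make_bundle "$d"
    import_to_keystores "$d"
    echo "app.jks/leaf:        $(entry_type "$d/app.jks" JKS leaf)"
    echo "truststore.jks/leaf: $(entry_type "$d/truststore.jks" JKS leaf)"
    echo "leaf.p12/leaf:       $(entry_type "$d/leaf.p12" PKCS12 leaf)"
    rm -rf "$d"
}
demo
```

Passing -storepass and -noprompt on the command line is what makes this scriptable, but it also puts the password into the process list and shell history; on a real host read it from a protected file with -storepass:file or an environment variable with -storepass:env instead.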

Resources:

OpenSSL documentation: https://www.openssl.org/docs/apps/openssl.html

keytool documentation: http://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html

http://zhtx168.blog.163.com/blog/static/41601548200812503248/

http://blog.csdn.net/kimylrong/article/details/43525333
