JAVA digital certificate generation and java digital certificate generation

JAVA digital certificate generation and java digital certificate generation

1. Encryption Algorithm

To ensure packet security in network communication, packets need to be encrypted. Currently, common encryption algorithms include:

Asymmetric encryption algorithms: public key encryption algorithms, such as RSA, DSA, and DSS, are the most commonly used RSA Algorithms (Public algorithms can be used by Baidu to learn about algorithm details ), the algorithm generates a public key and a private key. Messages encrypted with the public key can only be decrypted with the private key, and messages encrypted with the private key can only be decrypted with the public key;

Symmetric encryption algorithms: 3DES, AES, and RC4. The encryption keys are the same as the decryption keys. They are generally used for communication only when both parties know the keys;

HASH algorithms: MD5, SHA1, and SHA256 are HASH values planned by the HASH algorithm. The encryption process is irreversible. The HASH values cannot obtain the original plaintext, which is generally used for digest signature;

2. Digital Certificate

A digital Certificate is issued by a CA (Certificate Authority) for Identity Authentication in network communication, interested partners can search for them online;

A digital certificate contains information such as the certificate owner, certificate user, Certificate Name, and certificate public key.

3. Certificate generation

Use the certificate management tool keytool provided by JDK to create a certificate. The command is as follows:

Keytool-genkey-keyalg RSA-keysize 2048-validity 36500-alias SEC_TEST-keypass 123456-keystore test. keystore-storepass 123456-dname "CN = localhost, OU = DEP, O = CN, L = BJ, ST = BJ, C = CN"

-Keyalg specifies the algorithm,

-Keysize: Specifies the key size,

-Validity indicates the validity period, in days,

-Alias

-Keypass specifies the password for the private key,

-Keystore: Specifies the keystore name,

-Password used by the storepass certificate store. The password is required when the public key is extracted from it.

-Dname: name of the CN owner. Generally, it is the website name or IP address + port, for example, www.baidu.com, OU organization name O organization name L city ST state or province C Country Code

After the above command is executed, a keystore file will be generated in the current directory, which stores the key and certificate information;

Export public key:

Keytool-export-alias SEC_TEST-file test_pub_cer.cer-keystore test. keystore-storepass 123456

A test_pub_cer.cer certificate is generated in the current directory, which contains public key information and Certificate-related information;

Import the public key of the partner:

Assume that the communication parties are A and B. A has published its own certificate and published the public key. After all the packets encrypted by the public key of B are sent to A, A can be correctly decrypted, if A sends A message to B, A encrypts it with the private key, and B can decrypt it with the public key, but the problem here is that the public key is public, and A sends the message to B, any person with A public key can decrypt and cannot guarantee the security of information sent by A to B. Therefore, B also needs to make its own certificate and publish its own public key to, in this way, A sends information to B and encrypts it with the public key of B, so that B can decrypt the information with the private key. Other people who intercept the information cannot decrypt the information without the private key; A needs to import the public key of B to its certificate library;

Keytool-import-file B. cer-keystore test. keystore-storepass 123456

Prompt whether to trust this authentication, y, press enter to import, and then view the certificate entries in the certificate Library:

Keytool-list-v-keystore test. keystore-storepass 123456

First, let's take the HTTPS protocol as an example to describe how to use it.