SSL Custom Keytool Commands (II)

Source: Internet
Author: User
Tags: dname, pkcs12, rfc, ssl, certificate

In the previous post, the first step on the road to SSL was creating a certificate (or buying one from a third party).

PS: the certificate for the final production system will be bought from a third-party certificate authority, but during development it is created by ourselves.

The common tool for creating certificates is keytool, which ships only with the JDK; it can be used on any machine that has a JDK installed (with the environment variables configured).

Linux systems do not use keytool; they use OpenSSL.

The commands listed in this article are keytool commands.


First, the reference articles:

1. Certificate creation process:

http://wenku.baidu.com/link?url=uWTSct_Uzyrcbg0rppwtz4lmhz177uv4xlmybw6554ykzcg00gmkdscp36lsfdb3vdhpq2ew4vhuuzkyljqdmepzbbpp29qxsayzmrfje9o

http://www.blogjava.net/icewee/archive/2012/06/04/379947.html

http://czj4451.iteye.com/blog/1487684

2. keytool command reference:

http://blog.csdn.net/ygc87/article/details/7620942

http://www.cnblogs.com/benio/archive/2010/09/15/1826990.html (very detailed)


Here is a brief description of a few common options:

Common keytool options
-alias      alias of the entry to generate or operate on
-keystore   name of the keystore file (like a certificate database: one keystore can hold several certificates; cacerts is the keystore shipped with the JRE, any other file name can be used, and if the file does not exist yet it is created)
-storepass  password of the keystore
-keypass    password of the alias entry
-list       show the certificate entries in the keystore
-v          show certificate details when listing
-export     export the certificate identified by the alias to a file; the -file option names the output file
-delete     delete an entry from the keystore
-import     import a signed digital certificate into the keystore
-keypasswd  change the password of the specified entry in the keystore
-dname      specify the certificate owner's distinguished name
-keyalg     specify the key algorithm
-validity   specify, in days, how long the created certificate is valid
-keysize    specify the key length

Now to the core of this article: the keytool commands used to create the SSL certificates.

PS: Creating a BKS store with the commands below alone will fail, because the JDK lacks the jar that provides BKS support; the fix is easy to find online (search Baidu). In short: download the jar into two directories of the JDK, then modify two configuration files.

Part One: one-way authentication (successful)

1. Generate the server-side certificate:

keytool -validity 365 -genkey -v -alias server -keyalg RSA -keystore D:\ssl\bks\server.jks -dname "CN=10.100.100.24,OU=TEST,O=TEST,L=HAIDIAN,ST=BEIJING,C=CN" -storepass 123456 -keypass 123456

2. Export the certificate:

keytool -exportcert -v -alias server -keystore D:\ssl\bks\server.jks -storepass 123456 -rfc -file D:\ssl\bks\server.cert

3. Generate the client certificate usable by Android:

keytool -importcert -keystore D:\ssl\bks\client.bks -file D:\ssl\bks\server.cert -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass 123456

PS: iOS needs no certificate for one-way authentication.

Part Two: the same server with two different client certificates (BKS for Android, JKS for iOS), two-way authentication successful:

1. Create the server-side certificate:

keytool -validity 365 -genkey -v -alias server -keyalg RSA -keystore D:\ssl\server.keystore -dname "CN=10.100.100.24,OU=TEST,O=TEST,L=HAIDIAN,ST=BEIJING,C=CN" -storepass 123456 -keypass 123456


2. Create the Android client certificate (two-way authentication with Android successful):

The files finally used on the client are client-bks-trust.bks and client-bks.bks.

keytool -validity 365 -genkeypair -v -alias client-bks -keyalg RSA -storetype BKS -keystore <keystore path missing in source> -dname "CN=CLIENT,OU=TEST,O=TEST,L=HAIDIAN,ST=BEIJING,C=CN" -storepass 123456 -keypass 123456

keytool -export -v -alias client-bks -keystore D:\ssl\client-bks.bks -storetype BKS -storepass 123456 -rfc -file Ient-bks.crt

keytool -export -v -alias server -keystore D:\ssl\server.keystore -storepass 123456 -rfc -file D:\ssl\server.crt

keytool -importcert -keystore D:\ssl\client-bks-trust.bks -file D:\ssl\server.crt -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass 123456

keytool -import -v -alias client-bks -file D:\ssl\client-bks.crt -keystore D:\ssl\server.keystore -storepass 123456


3. Create the iOS client certificate (iOS: two-way authentication successful)

The file finally sent to the iOS client is client-ios.truststore (this can also be in .p12 format, but that file differs from the client-ios.p12 generated by the first command below).

keytool -validity 365 -genkeypair -v -alias client-ios -keyalg RSA -storetype PKCS12 -keystore E<path truncated in source> -dname "CN=CLIENT-IOS,OU=TEST,O=TEST,L=HAIDIAN,ST=BEIJING,C=CN" -storepass 123456 -keypass 123456

keytool -export -v -alias client-ios -keystore D:\ssl\client-ios.p12 -storetype PKCS12 -storepass 123456 -rfc -file \client-ios.cer -provider org.bouncycastle.jce.provider.BouncyCastleProvider

keytool -export -v -alias server -keystore D:\ssl\server.keystore -storepass 123456 -rfc -file D:\ssl\server-ios.cer

keytool -import -v -alias server -file D:\ssl\server-ios.cer -keystore D:\ssl\client-ios.truststore -storepass 123456

keytool -import -v -alias client-ios -file D:\ssl\client-ios.cer -keystore D:\ssl\server.keystore -storepass 123456


Part Three (this can also be tested with Java code)

iOS with JKS: two-way authentication successful

keytool -validity 365 -genkey -v -alias server -keyalg RSA -keystore D:\ssl\ios-jks\server.keystore -dname "CN=10.100.100.24,OU=TEST,O=TEST,L=HAIDIAN,ST=BEIJING,C=CN" -storepass 123456 -keypass 123456

keytool -validity 365 -genkeypair -v -alias client -keyalg RSA -storetype PKCS12 -keystore E<path truncated in source> -dname "CN=CLIENT,OU=TEST,O=TEST,L=HAIDIAN,ST=BEIJING,C=CN" -storepass 123456 -keypass 123456

keytool -export -v -alias client -keystore D:\ssl\ios-jks\client.p12 -storetype PKCS12 -storepass 123456 -rfc -file \ios-jks\client.cer -provider org.bouncycastle.jce.provider.BouncyCastleProvider

keytool -export -v -alias server -keystore D:\ssl\ios-jks\server.keystore -storepass 123456 -rfc -file D:\ssl\ios-jks\server.cer

keytool -import -v -alias server -file D:\ssl\ios-jks\server.cer -keystore D:\ssl\ios-jks\client.truststore -storepass 123456

keytool -import -v -alias client -file D:\ssl\ios-jks\client.cer -keystore D:\ssl\ios-jks\server.keystore -storepass 123456
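As an added example (a shell script written for this page, not code from the original post), here is the two-way procedure of Parts Two and Three as one repeatable script with a cross-check at the end. It assumes a JDK keytool (7 or newer, for -ext) on PATH, uses PKCS12 stores instead of the post's BKS and JKS so that no BouncyCastle provider jar is involved, puts the server's IP address into a SAN extension as well as the CN, and keeps each side's trusted certificates in a separate store from its private key. The output directory, IP address, DN fields and the password "changeit" are constructed values; the function names make_mutual_tls_stores and same_cert are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): build the two-way (mutual TLS)
# key material from Part Two with a scripted, repeatable keytool run.
# Assumptions: a JDK keytool (7 or newer, for -ext) is on PATH; stores are
# PKCS12 rather than BKS/JKS, so no BouncyCastle provider jar is needed;
# the IP, DN fields, file names and the password are constructed values.

ST=PKCS12

# Build four stores under $1 (directory), for server IP $2, password $3:
#   server.p12        server private key + self-signed certificate
#   server-trust.p12  certificates the server trusts (the client's)
#   client.p12        client private key + self-signed certificate
#   client-trust.p12  certificates the client trusts (the server's)
# Keeping identity and trust in separate files means the store holding a
# private key never has to be copied to the other side.
make_mutual_tls_stores() {
  dir=$1; ip=$2; pass=$3
  mkdir -p "$dir" || return 1

  # 1. Server key pair. The IP goes into a SAN extension as well as the CN,
  #    because hostname verification in modern clients looks at the SAN.
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
    -storetype "$ST" -keystore "$dir/server.p12" \
    -dname "CN=$ip,OU=TEST,O=TEST,L=HAIDIAN,ST=BEIJING,C=CN" \
    -ext "SAN=ip:$ip" -storepass "$pass" -keypass "$pass" || return 1

  # 2. Client key pair (the counterpart of client-bks / client-ios above).
  keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
    -storetype "$ST" -keystore "$dir/client.p12" \
    -dname "CN=CLIENT,OU=TEST,O=TEST,L=HAIDIAN,ST=BEIJING,C=CN" \
    -storepass "$pass" -keypass "$pass" || return 1

  # 3. Export both public certificates as PEM (-rfc). Only these files move
  #    between the two sides; the .p12 identity stores stay where they are.
  keytool -exportcert -rfc -alias server -storetype "$ST" \
    -keystore "$dir/server.p12" -storepass "$pass" -file "$dir/server.crt" || return 1
  keytool -exportcert -rfc -alias client -storetype "$ST" \
    -keystore "$dir/client.p12" -storepass "$pass" -file "$dir/client.crt" || return 1

  # 4. Cross-import: each side trusts the other's certificate. -noprompt
  #    answers keytool's interactive "Trust this certificate?" question,
  #    which the commands in the post stop at when run unattended.
  keytool -importcert -noprompt -alias server -storetype "$ST" \
    -keystore "$dir/client-trust.p12" -file "$dir/server.crt" -storepass "$pass" || return 1
  keytool -importcert -noprompt -alias client -storetype "$ST" \
    -keystore "$dir/server-trust.p12" -file "$dir/client.crt" -storepass "$pass" || return 1
}

# Return 0 when alias $3 in identity store $1 and in trust store $2 hold the
# same certificate (PEM text compared byte for byte). This catches a trust
# store built from a stale or wrong .crt before anyone debugs a handshake.
# $4 is the store password.
same_cert() {
  a=$(keytool -exportcert -rfc -alias "$3" -storetype "$ST" -keystore "$1" -storepass "$4") || return 1
  b=$(keytool -exportcert -rfc -alias "$3" -storetype "$ST" -keystore "$2" -storepass "$4") || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Stand-alone use: sh mutual_tls_stores.sh --run ./ssl-out 10.100.100.24 changeit
if [ "${1:-}" = "--run" ]; then
  out=${2:-./ssl-out}; srv=${3:-10.100.100.24}; pw=${4:-changeit}
  make_mutual_tls_stores "$out" "$srv" "$pw" || exit 1
  same_cert "$out/server.p12" "$out/client-trust.p12" server "$pw" \
    && same_cert "$out/client.p12" "$out/server-trust.p12" client "$pw" \
    && echo "stores built and cross-checked in $out"
fi
```

The -noprompt flag is what makes the import steps scriptable; without it keytool waits for a yes/no answer, which is why a copy-pasted batch of the post's commands appears to hang. same_cert exports the certificate from the identity store and from the peer's trust store and compares the PEM text, so a mismatch between the server that is running and the certificate the client trusts shows up as a failed check rather than as an opaque TLS handshake error.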
