Generate and issue digital certificates with Keytool and OpenSSL


I) Keytool generates the private key (.key) and the certificate signing request (.csr); OpenSSL issues the digital certificate
The J2SDK ships the KeyStore management tool keytool in %JAVA_HOME%/bin for managing keys, certificates and certificate chains. The keytool command syntax changed in Java SE 6, but the old options are still accepted. keytool can also manage keys for symmetric algorithms.

The simplest use is to generate a self-signed certificate and store it in the given KeyStore file:

keytool -genkey -alias tomcat -keyalg RSA -keystore C:/mykey

If the file C:/mykey does not exist, keytool creates it. The certificate is built from your answers to a series of prompts. Note that the common name (CN) should be the domain name of the server. The KeyStore then holds an entry with the alias tomcat that contains the public key, the private key and the certificate; this certificate is self-signed.

keytool can export a certificate from a KeyStore, but it cannot export the private key, which makes it inconvenient for configuring a server such as Apache. For that case use OpenSSL throughout, as described in part II. keytool is very useful for an application server, though, because the certificate chain is kept in the KeyStore; a KeyStore plays a role similar to the Windows certificate store, but is cross-platform. ^_^ Below, keytool generates the CSR (Certificate Signing Request) and OpenSSL produces the CA-signed certificate.

1. Preparation
1) Under the bin directory create the directories Democa, Democa/certs and Democa/newcerts
2) In Democa create an empty file index.txt
3) In Democa create a text file named serial (no extension) whose content is a valid hexadecimal number, for example 0000
4) Add %JAVA_HOME%/bin to the PATH environment variable; this article uses Java SDK 1.6

2. Generate a self-signed certificate for the CA
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

3. Generate server-side certificates
1) Generate the key pair
keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass 123456 -storepass 123456 -keystore server_keystore
When prompted for the common name, enter the domain name of the server.
2) Generate a certificate signing request
keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file tomcat_server.csr -keypass 123456 -storepass 123456 -keystore server_keystore
3) Sign the request with the CA private key, or submit it to a commercial CA for signing.
openssl ca -in tomcat_server.csr -out tomcat_server.crt -cert ca.crt -keyfile ca.key -notext -config openssl.cnf
Here -notext tells openssl ca not to write the human-readable text dump of the certificate into the output file; without it, importing the file into the KeyStore with keytool fails.
4) Import the trusted CA root certificate into the KeyStore
keytool -import -v -trustcacerts -alias my_ca_root -file ca.crt -storepass 123456 -keystore server_keystore
5) Import the CA-signed server certificate into the KeyStore
keytool -import -v -alias tomcat_server -file tomcat_server.crt -storepass 123456 -keystore server_keystore
6) View the server certificate
keytool -list -v -keystore server_keystore
The output shows that the certificate chain length of tomcat_server is 2.
 
4. Generate client-side certificates
1) Generate the client key and CSR
openssl genrsa -des3 -out tomcat_client.key 1024
openssl req -new -key tomcat_client.key -out tomcat_client.csr -config openssl.cnf
2) Sign the request with the CA private key, or submit it to a commercial CA for signing
openssl ca -in tomcat_client.csr -out tomcat_client.crt -cert ca.crt -keyfile ca.key -notext -config openssl.cnf
3) Generate a certificate in PKCS12 format
openssl pkcs12 -export -inkey tomcat_client.key -in tomcat_client.crt -out tomcat_client.p12
4) Use keytool to list the contents of the PKCS12 file:
keytool -rfc -list -keystore tomcat_client.p12 -storetype pkcs12

II) OpenSSL generates the private key (.key) and the certificate signing request (.csr), and issues the digital certificate

Work in the openssl/bin directory (I had no way to change the environment variables; if you can, you need not work in this directory). For convenience I also copied openssl.cnf into this directory. The file names below are the ones I use:

1. First generate the server's private key (key file):
openssl genrsa -des3 -out server.key 1024
The command prompts for a passphrase, which is used to encrypt the key file (-des3 selects the encryption algorithm; you can of course choose another algorithm you consider secure). You must enter the passphrase whenever this file is read, whether through the openssl command or its API. If that is inconvenient you can remove the passphrase, but be sure to take other protective measures!
Command to remove the passphrase from the key file:
openssl rsa -in server.key -out server.key

2. Generate the certificate signing request (CSR):
openssl req -new -key server.key -out server.csr -config openssl.cnf
The resulting CSR file is handed to the CA, which turns it into your certificate. The command prompts step by step for the required information; follow its instructions.

3. Generate the client's key and CSR files with the same commands:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf

4. A CSR must be signed by a CA to become a certificate. You could send the file to VeriSign or a similar CA for verification and pay a large sum of money, or simply act as the CA yourself:
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

5. Sign the server.csr and client.csr files you just generated with the CA certificate:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

Now all the files we need are generated.
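The script below is an added example, not the article's own code: it creates the Democa layout from the preparation step of part I, writes the minimal openssl.cnf that the article's openssl ca -config openssl.cnf commands rely on but never show, and then runs the CA and server steps of part II without prompts. The CA directory, the subject names Demo CA and www.example.com, the 2048-bit keys, the SHA-256 digest and the unencrypted (-nodes) keys are this example's own choices; the article's file names are kept.

```shell
# Added example, not the article's code: Democa layout plus the minimal
# openssl.cnf that 'openssl ca' needs, then a non-interactive CA/server run.
set -eu
make_ca_layout() {            # $1 = CA directory (the article's Democa)
    mkdir -p "$1/certs" "$1/newcerts"
    : > "$1/index.txt"        # empty database of issued certificates
    echo 1000 > "$1/serial"   # next serial number in hex (article uses 0000)
}

write_ca_config() {           # $1 = CA directory, $2 = openssl.cnf to write
    cat > "$2" <<EOF
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
dir             = $1
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
default_days    = 365
default_md      = sha256
policy          = policy_any
x509_extensions = server_ext
[ policy_any ]
commonName      = supplied
[ server_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage        = critical,keyCertSign,cRLSign
EOF
}

issue_cert() {                # $1 = CA dir, $2 = CSR, $3 = certificate to write
    openssl ca -batch -notext -config "$1/openssl.cnf" \
        -cert "$1/ca.crt" -keyfile "$1/ca.key" -in "$2" -out "$3"
}
demo() {                      # $1 = working dir; exits 0 if server.crt verifies
    make_ca_layout "$1" && write_ca_config "$1" "$1/openssl.cnf"
    openssl req -new -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" -config "$1/openssl.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$1/server.key" -out "$1/server.csr" -config "$1/openssl.cnf"
    issue_cert "$1" "$1/server.csr" "$1/server.crt"
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt"
}
```

Run it as `demo "$(mktemp -d)"`; afterwards index.txt holds one V (valid) record and newcerts/1000.pem is a copy of the issued certificate.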

Other:
The files used by the client are: ca.crt, client.crt, client.key
The files used by the server are: ca.crt, server.crt, server.key
The .crt and .key files can be combined into one file; I concatenated the two into a .pem file (just copy one after the other).
---------------------------------------------------
Merge the certificate file (.crt) and the private key file (.key):

cat client.crt client.key > client.pem
cat server.crt server.key > server.pem

This article is published under the Attribution 2.5 China Mainland license. Reprinting, adaptation and commercial use are welcome, but the original link and the author Dana Li (including the link) must be shown in an obvious place on the article page; see here for the specific method. For questions or licensing negotiations, please leave a message or join the Q group!
