Issuing digital certificates in Java
Open a Command Prompt (cmd), then:
1. Type `D:` to switch to the D: drive.
2. Type `cd keys` to change to the directory that holds the keystores.
3. List the certificates stored in the keystore with the following command:
keytool -list -v -keystore mykey.keystore -storepass 123456
(Passing -storepass on the command line leaves the password in the shell history and visible to other local users through the process list; omitting the option makes keytool prompt for it instead.)
4. Export server.cer (the issuer/CA certificate) from this keystore, as in the earlier steps, and install it into the operating system's trusted certificate store, accepting the defaults. From then on that machine trusts everything signed with the matching private key, so mykey.keystore and its passwords must be protected like a CA key.
5. Create a key pair for the client, as before, with the following commands:
-- Create the key pair
keytool -genkeypair -dname "CN=tmp, OU=nc, O=Shanghai University, L=zb, ST=SHANGHAI, C=CN" -alias client -keyalg RSA -keysize 2048 -keystore myclientkey.store -keypass 654321 -storepass 654321 -validity 1000
(-genkey is the older spelling of -genkeypair. -keysize 2048 was not in the original command and is added deliberately: old keytool releases default to 1024-bit RSA, which is no longer considered secure.)
-- Export the public certificate
keytool -export -trustcacerts -alias client -file client.cer -keystore myclientkey.store -storepass 654321
(-trustcacerts only matters when importing; it has no effect on -export and can be dropped.)
Double-click client.cer to inspect it. Windows reports that the certificate is not trusted, and both "Issued to" and "Issued by" show tmp: the certificate is self-signed, and nothing in the machine's trust store vouches for it.
6. Issue (sign) the certificate. Here the issuing is done by a Java program; the same step could be done with OpenSSL, or the request could be submitted to a commercial CA.
Because server.cer has been installed in the client computer's trust store, that operating system trusts any certificate issued with the private key behind server.cer.
So the private key in mykey.keystore (whose certificate is server.cer) is used here to sign client.cer. Whoever holds that keystore and its password can issue certificates the machine will trust, so treat it as a CA private key and never ship it with the application.
Issuing code. Note that it relies on the JDK-internal package sun.security.x509, which is not a supported API: javac on Java 9 and later refuses to compile against it unless java.base is explicitly opened with --add-exports, and the string-keyed X509CertInfo.get/set calls used below have been reworked in recent JDK releases.
package com.syspro.test;

import java.io.*;
import java.math.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.concurrent.TimeUnit;
import sun.security.x509.*;
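public class Signcert {
    /**
     * Signature algorithm for the issued certificate, used both for the outer
     * signature and for the algorithm identifier inside the TBSCertificate.
     * The original listing used MD5withRSA; MD5 is collision-broken and must
     * never be used by a certificate issuer.
     */
    private static final String SIG_ALG = "SHA256withRSA";

    // NOTE(review): hard-coded paths and passwords are kept because the tutorial
    // works from fixed files under D:/keys. In real use read them from a
    // protected configuration file or a prompt and never commit them to source.
    private String mKeyStore = "D:/keys/mykey.keystore";         // issuer (CA) keystore path
    private char[] mKeyStorePass = "123456".toCharArray();       // keystore password
    private char[] mSignPrivateKeyPass = "123456".toCharArray(); // password protecting the issuer's private key
    private String mSignCertAlias = "keytest";                   // alias of the issuer entry in the keystore
    private String mSignedCert = "D:/keys/client.cer";           // certificate to be signed (keytool's self-signed one)
    private String mNewCert = "D:/keys/clientsignkey.cer";       // output path of the issued certificate
    private int mValidityDay = 3000;                             // validity of the issued certificate, in days
    private PrivateKey mSignPrivateKey = null;                   // issuer's private key
    private X509CertInfo mSignCertInfo = null;                   // TBS part of the issuer certificate
    private X509CertInfo mSignedCertInfo = null;                 // TBS part of the certificate being issued

    /** Source of serial numbers; a CA's serials must be unpredictable. */
    private final SecureRandom random = new SecureRandom();

    /**
     * Issues a certificate: loads the issuer key and certificate, rewrites the
     * requester certificate's validity, serial number, issuer and algorithm,
     * signs the result with the issuer key and writes it as DER to mNewCert.
     *
     * @throws Exception on any keystore, certificate, signature or I/O failure.
     *         Unlike the original listing the error is propagated rather than
     *         printed and swallowed, so the caller can tell nothing was issued.
     */
    public void sign() throws Exception {
        getSignCertInfo();     // issuer certificate info and private key
        signCertificate();     // rewrite the requester's TBS fields
        createNewCertificate(); // sign and save the new certificate
    }

    /**
     * Loads the issuer keystore and fills mSignCertInfo / mSignPrivateKey.
     *
     * @throws Exception if the keystore cannot be read, or the alias does not
     *         name a private-key entry (the original code would NPE later).
     */
    private void getSignCertInfo() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(mKeyStore)) {
            keyStore.load(in, mKeyStorePass);
        }
        java.security.cert.Certificate cert = keyStore.getCertificate(mSignCertAlias);
        Key key = keyStore.getKey(mSignCertAlias, mSignPrivateKeyPass);
        if (cert == null || !(key instanceof PrivateKey)) {
            throw new KeyStoreException("no private-key entry for alias '"
                    + mSignCertAlias + "' in " + mKeyStore);
        }
        X509CertImpl certImpl = new X509CertImpl(cert.getEncoded());
        mSignCertInfo = (X509CertInfo) certImpl.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
        mSignPrivateKey = (PrivateKey) key;
    }

    /**
     * Reads the certificate to be signed and prepares its TBS fields for
     * issuance: validity, serial number, issuer DN and signature algorithm.
     *
     * @throws Exception if the file cannot be parsed, if it does not verify
     *         under its own public key, or if it asserts CA:TRUE.
     */
    private void signCertificate() throws Exception {
        X509Certificate requester;
        try (InputStream in = new FileInputStream(mSignedCert)) {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            requester = (X509Certificate) factory.generateCertificate(in);
        }
        // Proof of possession: the tutorial's input is keytool's self-signed
        // certificate (issuer == subject), so its signature must verify under its
        // own public key. Without this check anyone holding only a public key
        // could have it certified under this issuer.
        requester.verify(requester.getPublicKey());
        // Everything else in the TBS (subject, key, extensions) is copied from the
        // requester, so refuse to re-sign anything that asserts CA:TRUE - that
        // would mint a subordinate CA trusted by every machine that trusts server.cer.
        if (requester.getBasicConstraints() != -1) {
            throw new CertificateException("refusing to sign a certificate that asserts CA:TRUE");
        }

        X509CertImpl certImpl = new X509CertImpl(requester.getEncoded());
        mSignedCertInfo = (X509CertInfo) certImpl.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
        mSignedCertInfo.set(X509CertInfo.VALIDITY, getCertValidity());
        mSignedCertInfo.set(X509CertInfo.SERIAL_NUMBER, getCertSerialNumber());
        // Issuer of the new certificate = subject of the issuer certificate.
        mSignedCertInfo.set(X509CertInfo.ISSUER + "." + CertificateIssuerName.DN_NAME,
                mSignCertInfo.get(X509CertInfo.SUBJECT + "." + CertificateSubjectName.DN_NAME));
        // The algorithm inside the TBS must match the one used for the signature.
        mSignedCertInfo.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM,
                getAlgorithm());
    }

    /**
     * Builds the certificate from mSignedCertInfo, signs it with the issuer's
     * private key and writes it DER-encoded to mNewCert.
     *
     * @throws Exception on signature or I/O failure.
     */
    private void createNewCertificate() throws Exception {
        X509CertImpl newCert = new X509CertImpl(mSignedCertInfo);
        newCert.sign(mSignPrivateKey, SIG_ALG);
        try (OutputStream out = new FileOutputStream(mNewCert)) {
            newCert.derEncode(out); // DER binary, the format keytool -importcert reads
        }
    }

    // Helpers ================================================================

    /**
     * Validity of the new certificate: from now for mValidityDay days.
     * NOTE(review): a certificate that outlives its issuer fails chain
     * validation once the issuer expires; cap notAfter at the issuer's
     * notAfter if the issuer certificate is short-lived.
     *
     * @return CertificateValidity covering [now, now + mValidityDay days]
     */
    private CertificateValidity getCertValidity() throws Exception {
        long now = System.currentTimeMillis();
        long span = TimeUnit.DAYS.toMillis(mValidityDay);
        return new CertificateValidity(new Date(now), new Date(now + span));
    }

    /**
     * Serial number of the new certificate: 64 random bits, non-zero.
     * Serial numbers must be unique per issuer and unpredictable. The original
     * used the current Unix time truncated to an int, which repeats for two
     * certificates issued in the same second and can be guessed in advance;
     * predictable serials and validity dates were what made the 2008 MD5
     * rogue-CA collision attack practical.
     *
     * @return CertificateSerialNumber holding a positive random value
     */
    private CertificateSerialNumber getCertSerialNumber() {
        BigInteger serial;
        do {
            serial = new BigInteger(64, random); // uniform in [0, 2^64)
        } while (serial.signum() == 0);
        return new CertificateSerialNumber(serial);
    }

    /**
     * Signature algorithm identifier for the TBSCertificate, derived from the
     * same constant used in createNewCertificate so the two can never diverge.
     *
     * @return AlgorithmId for SIG_ALG
     * @throws NoSuchAlgorithmException if the JDK does not know SIG_ALG
     */
    private AlgorithmId getAlgorithm() throws NoSuchAlgorithmException {
        return AlgorithmId.get(SIG_ALG);
    }

    /** Command-line entry point: issues the certificate, exits 1 on failure. */
    public static void main(String[] args) throws UnsupportedEncodingException {
        Signcert s = new Signcert();
        try {
            s.sign();
        } catch (Exception e) {
            e.printStackTrace();
            System.exit(1); // non-zero exit so a script can tell issuance failed
        }
    }
}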
Open the new certificate clientsignkey.cer once signing completes. The operating system now shows it as trusted, and "Issued by" has changed from tmp to the subject of server.cer (localhost).
It is trusted only because server.cer was installed as a trusted root on this machine earlier; any other machine will still reject it.
Next, import the signed certificate clientsignkey.cer and the CA certificate server.cer into myclientkey.store with the commands below. The order matters: keytool must already find the CA certificate in the keystore (or in cacerts, via -trustcacerts) to build the chain when the signed certificate replaces the self-signed one.
First import the CA certificate:
keytool -importcert -alias ca -keystore D:\keys\myclientkey.store -trustcacerts -file D:\keys\server.cer -storepass 654321
Note that the alias here (ca) differs from the key-pair alias (client): this adds server.cer as a separate trusted-certificate entry.
Then import the signed certificate:
keytool -importcert -alias client -keystore D:\keys\myclientkey.store -trustcacerts -file D:\keys\clientsignkey.cer -storepass 654321
Note that the alias (client) is the same one used for -genkeypair: importing under the existing key-pair alias replaces that entry's self-signed certificate with the CA-issued one, instead of adding another trusted-certificate entry.
After that, edit Tomcat's server.xml and configure the HTTPS connector as follows:
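<!-- HTTPS connector. Tomcat attribute names are case-sensitive; the original
     listing had lost their casing and the maxThreads value (150 matches the
     sample HTTPS connector in Tomcat's default server.xml). keystorePass is
     stored in clear text here, so restrict read access to server.xml and to
     the keystore file. clientAuth="false" means the browser is NOT asked for a
     certificate: the keystore below serves as this connector's SERVER identity,
     it does not enable client-certificate authentication. -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" enableLookups="true"
           disableUploadTimeout="true" acceptCount="100"
           maxThreads="150" scheme="https" secure="true"
           SSLEnabled="true" sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="D:\keys\myclientkey.store"
           keystorePass="654321"/>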
Then start Tomcat and connect to it over HTTPS on port 8443: the browser no longer prompts about an untrusted certificate, because the certificate Tomcat now serves chains to server.cer, which this machine was told to trust earlier.
How to issue digital certificates with Java code