Keytool is the certificate management tool that ships with the JDK. It covers the routine operations on a keystore: generating key pairs and self-signed certificates, importing and exporting certificates, and producing certificate signing requests for a CA (revoking a certificate is the CA's job, not keytool's).
Type keytool in CMD with no arguments to print its usage summary:
Compared with OpenSSL, keytool's Chinese-language help is still pretty good, ha. (My English isn't good enough to get by on.)
1. Build a self-signed certificate
-genkeypair creates a key pair and a self-signed certificate and stores them as one entry in a keystore file (JKS in older JDKs, PKCS12 by default since JDK 9); the full parameter list is printed by keytool -genkeypair -help.
Here we use "www.yezi.org" as the alias, RSA as the key algorithm with a 2048-bit key (1024 was still common when this was written, but 768-bit RSA has been publicly factored and 1024-bit keys are no longer accepted by browsers or public CAs, so 2048 is the floor), SHA1withRSA as the signature algorithm (kept as in the original; SHA-1 certificate signatures are rejected by current browsers, so use SHA256withRSA for anything real), and a validity of 36,000 days (almost a century; fine for a lab, far beyond what any CA or browser accepts for a server certificate). The command:
keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -validity 36000 -alias www.yezi.org -keystore d:/keystore/yezi.keystore
Run this way, keytool prompts interactively for the distinguished name fields and the keystore password.
For the prompt "What is your first and last name?" enter the server's domain name (it becomes the CN), here www.yezi.org. Note that it must be the domain name, not an IP address. One caveat: modern browsers match the host against the Subject Alternative Name extension, not the CN, so a CN-only certificate like this one fails hostname verification even once it is trusted; keytool's -ext option is how a SAN is added.
We can also supply the same information non-interactively with -dname:
keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -validity 36000 -alias www.yezi.org -keystore d:/keystore/yezi.keystore -dname "CN=www.yezi.org, OU=yezi, O=yezi, L=sz, ST=GD, C=CN"
2. Export digital certificate
Now that we have a certificate (not CA-signed, but usable for the moment), we export it as a *.cer file. The parameters are listed by keytool -exportcert -help.
From the keystore just generated, the certificate is exported like this (-rfc writes PEM, i.e. Base64 text; without it the output is binary DER):
keytool -exportcert -alias www.yezi.org -keystore d:/keystore/yezi.keystore -file d:/keystore/yezi.cer -rfc
-storepass supplies the keystore password on the command line instead of at a prompt. It is convenient in scripts, but the password then ends up in the shell history and is visible to other users through the process list, so only use it on hosts you control:
keytool -exportcert -alias www.yezi.org -keystore d:/keystore/yezi.keystore -file d:/keystore/yezi.cer -rfc -storepass 123456
The certificate file is now on disk; -printcert -file prints its contents (owner, issuer, serial number, validity period and fingerprints) so you can check what was exported.
Parameters of -printcert (keytool -printcert -help):
So far we have the same certificate in two forms: the keystore, which holds the private key together with the self-signed certificate, and the CER file, which holds only the certificate. Neither is CA-signed, so no browser or client trusts it by default, but both are usable: the keystore is configured into Tomcat's HTTPS connector, the CER is imported into the browser, or the CER is used as the trust store of a Java HTTPS client. That last setup, where the client verifies the server but presents no certificate of its own, is one-way HTTPS authentication.
3. Build CA Issue Certificate
If one day we need a CA-signed certificate (for a production site you cannot ask customers to import a CER into their browsers by hand), we generate a certificate signing request (CSR), a *.csr file, and send it to the CA.
The parameters for generating a request are listed by keytool -certreq -help.
The request is generated from the key pair already in the keystore: the CSR carries that public key and is signed with the matching private key, so the certificate the CA returns will belong to this keystore entry.
keytool -certreq -alias www.yezi.org -keystore d:/keystore/yezi.keystore -file d:/keystore/yezi.csr -v
Still quite user-friendly; it prompts for what it needs.
4. Import the Certificate (Truststore)
Once the CA returns the signed certificate, import it with -importcert. Importing it under the alias that holds the private key installs the CA reply as that entry's certificate chain, replacing the self-signed certificate; -trustcacerts lets keytool validate the reply against the CA roots in the JDK's cacerts file (if your CA's root or intermediate is not there, import it first under its own alias). Importing a certificate under a new alias, typically into a separate keystore, creates a trusted certificate entry instead, which is how a client truststore is built. -file names the file the CA returned; the example reuses yezi.cer. Parameters: keytool -importcert -help.
Concretely:
keytool -importcert -trustcacerts -alias www.yezi.org -file d:/keystore/yezi.cer -keystore d:/keystore/yezi.keystore
5. View Keystore Entries
keytool -list -alias www.yezi.org -keystore d:/keystore/yezi.keystore
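As an added example (not code from the original post), here is how the artifacts produced in steps 1, 2, 4 and 5 are consumed from Java: it loads the keystore, lists each entry the way -list does (type, subject, signature algorithm, expiry, SHA-256 fingerprint), flags the settings discussed in step 1 that current clients reject (SHA-1 signatures, RSA keys shorter than 2048 bits, multi-decade validity, a missing subjectAltName), reproduces the PEM output of -exportcert -rfc, and turns an exported .cer into an in-memory truststore for the one-way HTTPS authentication mentioned at the end of step 2. The 825-day validity threshold and the truststore alias "server" are this example's own choices; keystore path, password and CER path come from the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Enumeration;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example, not from the original post: audits a keytool-made keystore and builds a
// trust store from an exported .cer. The policy thresholds below are this example's assumptions.
public class KeystoreAudit {

    // Checks a certificate against what browsers and public CAs accept today.
    static List<String> audit(X509Certificate cert) {
        List<String> findings = new ArrayList<>();
        if (cert.getSigAlgName().toUpperCase().startsWith("SHA1")) {   // e.g. the post's SHA1withRSA
            findings.add("SHA-1 signature algorithm: " + cert.getSigAlgName());
        }
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            if (bits < 2048) findings.add("RSA modulus only " + bits + " bits");
        }
        long days = TimeUnit.MILLISECONDS.toDays(cert.getNotAfter().getTime() - cert.getNotBefore().getTime());
        if (days > 825) findings.add("validity " + days + " days (assumed limit: 825)");
        try {   // hostnames are matched against SAN, not CN; a CN-only cert fails hostname verification
            if (cert.getSubjectAlternativeNames() == null) findings.add("no subjectAltName extension");
        } catch (CertificateParsingException e) {
            findings.add("unparseable subjectAltName: " + e.getMessage());
        }
        return findings;
    }

    // Same output as "keytool -exportcert -rfc": DER bytes, Base64 at 64 columns, PEM armour.
    static String toPem(Certificate cert) throws Exception {
        Base64.Encoder enc = Base64.getMimeEncoder(64, "\n".getBytes());
        return "-----BEGIN CERTIFICATE-----\n" + enc.encodeToString(cert.getEncoded()) + "\n-----END CERTIFICATE-----\n";
    }

    // SHA-256 fingerprint in the colon-separated form that "keytool -printcert" prints.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(sb.length() == 0 ? "" : ":").append(String.format("%02X", b));
        return sb.toString();
    }

    // Loads a .cer (DER or PEM) into an empty in-memory trust store (the programmatic twin of
    // "keytool -importcert" into a separate truststore) and builds an SSLContext that trusts only it.
    // No client key is configured, so this is one-way HTTPS: the server is authenticated, the client is not.
    static SSLContext trustOnly(String cerPath) throws Exception {
        Certificate cert;
        try (InputStream in = new FileInputStream(cerPath)) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                       // empty store, no file behind it
        trustStore.setCertificateEntry("server", cert);    // alias "server" is this example's choice
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) { System.err.println("usage: java KeystoreAudit <keystore> <storepass> [exported.cer]"); System.exit(2); }
        // Default type is PKCS12 on JDK 9+, which also reads JKS files; on JDK 8 pass "JKS" explicitly.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {   // what "keytool -list -v" shows
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;                    // e.g. a SecretKeyEntry has none
            X509Certificate cert = (X509Certificate) c;
            System.out.println((ks.isKeyEntry(alias) ? "PrivateKeyEntry  " : "trustedCertEntry ") + alias);
            System.out.println("  subject: " + cert.getSubjectX500Principal());
            System.out.println("  sigalg:  " + cert.getSigAlgName() + ", valid until " + cert.getNotAfter());
            System.out.println("  SHA256:  " + fingerprint(cert));
            for (String f : audit(cert)) System.out.println("  FINDING: " + f);
            if (ks.isKeyEntry(alias)) System.out.print(toPem(cert));         // the -exportcert -rfc form
        }
        if (args.length > 2) {   // make every HttpsURLConnection in this JVM trust only the exported .cer
            HttpsURLConnection.setDefaultSSLSocketFactory(trustOnly(args[2]).getSocketFactory());
        }
    }
}
```

Run it as java KeystoreAudit d:/keystore/yezi.keystore 123456 d:/keystore/yezi.cer against the files produced above: the keystore from step 1 yields one PrivateKeyEntry with findings for the SHA-1 signature, the 36,000-day validity and the missing SAN, which is exactly why such a certificate is fine for a lab but will be refused by a browser or a public CA. The trustOnly() context is what a Java client uses instead of importing the CER into the JDK's cacerts; because the in-memory store contains only that one certificate, connections to any other server fail the handshake, which is the intended behaviour for a pinned self-signed test service.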
OK, done. I took a lot of screenshots, which was a hassle now, but it's all for my own convenience later, haha.