Prerequisites:
Install the OpenSSL tool.
Enter the OpenSSL working folder through the Windows cmd command:
Unzip the archive to E:\openssl-1.0.2-beta1
The working folder is E:\openssl-1.0.2-beta1\inc32\out32dll
In cmd, run: cd /d E:\openssl-1.0.2-beta1\inc32\out32dll
Create the certificate store folder: E:\ssl
The following is the process of implementing a CA and issuing certificates using OpenSSL:
1) Generate the CA key. As an authoritative authority, the CA also uses a certificate to identify itself, so the CA itself also has a private key.
When issuing a digital certificate, the CA's private key is used primarily to encrypt (sign) the user information and public key contained in the user's certificate request.
openssl genrsa -out E:\ssl\cakey.pem 1024
This command produces the private key file cakey.pem with a key length of 1024 bits.
2) Generate CA certificate request
openssl req -new -out E:\ssl\careq.csr -key E:\ssl\cakey.pem -config E:\openssl-1.0.2-beta1\apps\openssl.cnf
Note: the openssl.cnf file is located under the openssl-1.0.2-beta1 folder; search for it there and fill in its full path.
Input item description (the value in brackets is the default suggested by openssl.cnf):
Country Name [AU]: country code; CN stands for China.
State or Province Name [Some-State]: region, self-defined, e.g. BJ for Beijing (keep it consistent with step 1 "Generate the initial keystore" below).
Locality Name [e.g. city]: city, self-defined, e.g. BJ for Beijing (consistent with step 1 below, as above).
Organization Name [Internet Widgits Pty Ltd]: organization name, self-defined, e.g. cebbank for Everbright (consistent with step 1 below, as above).
Organizational Unit Name: unit name, self-defined, e.g. cebbank for Everbright (consistent with step 1 below, as above).
Common Name: URL or IP (consistent with step 1 below, as above).
The remaining items can be left empty.
This command generates the certificate request file careq.csr based on cakey.pem.
3) Self-signed with CA private key
openssl x509 -req -in E:\ssl\careq.csr -out E:\ssl\cacert.pem -signkey E:\ssl\cakey.pem -days 3650
Note: -days specifies the certificate validity period; ten years here, define it yourself.
This command generates the CA certificate from the certificate request and the CA private key. At this point the certificate needed to act as a CA is ready. The resulting cakey.pem can be used to issue certificates later. The cacert.pem certificate, as the trusted certificate for users, needs to be distributed to every entity whose certificate was issued by this CA.
Making a server certificate differs slightly from making a client certificate, because the server uses a different certificate format than the client.
A server such as Tomcat or WebLogic usually requires a file in JKS format, in which the server private key, the server certificate and the server root certificate chain (the list of CA certificates from the root CA down to the CA that issued the server certificate) are stored.
To make this type of server certificate you need keytool, a tool provided by the JDK.
Note: here you need to switch to the JDK working environment.
If the local JDK is at D:\ProgramFiles\Java\jdk1.6.0_24\bin,
run in cmd: cd /d D:\ProgramFiles\Java\jdk1.6.0_24\bin
The following is the process of making a certificate library using Keytool:
1) Generate the initial keystore
keytool -genkey -alias serveralias -keyalg RSA -keysize 1024 -dname "CN=10.192.109.227, OU=cebbank, O=cebbank, L=BJ, ST=BJ, C=CN" -keypass password -keystore E:\ssl\server.jks -storepass password -validity 7300
Description of the -dname fields: CN: server domain name or IP; OU: organizational unit; O: organization; L: locality; ST: state or province; C: country code. -keypass is the key password and -storepass is the keystore password.
2) generate a certificate request
keytool -certreq -alias serveralias -sigalg MD5withRSA -file E:/ssl/server.csr -keystore E:/ssl/server.jks -keypass password -storepass password
The certificate request file generated last is server.csr.
The request is sent to the certification authority, which verifies the entity information in the certificate request and then signs it.
Since we are acting as our own CA, this signing step is also done by ourselves.
3) Signing the request still uses OpenSSL instead of keytool.
Switch to the OpenSSL folder and run the following command:
openssl x509 -req -in E:/ssl/server.csr -out E:/ssl/servercert.pem -CA E:/ssl/cacert.pem -CAkey E:/ssl/cakey.pem -CAcreateserial -days 3650
The output file servercert.pem is the signed certificate, i.e. the certificate request response.
The cakey.pem and cacert.pem used in the command are the CA key file and CA root certificate generated above.
After the CA has signed, return the certificate request response together with the CA root certificate to the requester. The applicant needs to import the CA root certificate (chain) and the certificate request response into the JKS keystore; the tool used for this is keytool.
Switch to the JDK folder and run the following command:
keytool -import -trustcacerts -keystore E:/ssl/server.jks -file E:/ssl/cacert.pem -alias rootca
Then run the following command:
keytool -import -trustcacerts -keystore E:/ssl/server.jks -file E:/ssl/servercert.pem -alias serveralias
Note: the serveralias name is used when configuring WebLogic; for the detailed WebLogic SSL configuration please refer to Baidu.
It is important to note that the CA root certificate (chain) is imported first and the certificate request response second, and that when importing the certificate request response the alias must be the same as the alias used when the key pair was generated in the JKS keystore. At this point the server-side JKS file is complete and can be configured on the corresponding server.
Note: the JDK used by the WebLogic server needs to support the RSA algorithm; some JDKs do not, so preferably use the JDK bundled with WebLogic.
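The CA steps above and the server-certificate signing step, as an added POSIX shell example that is not from the original page: the server CSR is produced with openssl instead of keytool so it runs without a JDK, the subject values and file names are constructed samples, and it uses 2048-bit keys with SHA-256 where the page uses 1024-bit keys and MD5withRSA, which current TLS stacks reject.

```shell
#!/bin/sh
# Added example: the page's OpenSSL CA workflow end to end, plus the chain
# check a client performs. Assumes the openssl binary is on PATH.
set -eu

# build_ca_chain DIR: create cakey.pem/cacert.pem, a server key and CSR,
# then sign the CSR with the CA exactly as the page's x509 -req command does.
build_ca_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Constructed sample subjects mirroring the page's -dname fields.
    ca_subj="/C=CN/ST=BJ/L=BJ/O=cebbank/OU=cebbank/CN=TestRootCA"
    srv_subj="/C=CN/ST=BJ/L=BJ/O=cebbank/OU=cebbank/CN=10.192.109.227"

    # Step 1: CA private key (page: openssl genrsa -out cakey.pem 1024).
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    # Step 2: CA certificate request; -subj replaces the interactive prompts.
    openssl req -new -key "$dir/cakey.pem" -out "$dir/careq.csr" -subj "$ca_subj"
    # Step 3: self-sign the request with the CA key (x509 -req -signkey).
    openssl x509 -req -in "$dir/careq.csr" -signkey "$dir/cakey.pem" \
        -out "$dir/cacert.pem" -days 3650 -sha256 2>/dev/null

    # Server side: key + CSR (the page does this with keytool -genkey/-certreq).
    openssl genrsa -out "$dir/serverkey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/serverkey.pem" -out "$dir/server.csr" -subj "$srv_subj"
    # CA signs the server request (x509 -req -CA -CAkey -CAcreateserial);
    # -CAcreateserial writes cacert.srl next to cacert.pem.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/servercert.pem" \
        -days 3650 -sha256 2>/dev/null
}

# verify_against CAFILE CERT: exit status 0 only if CERT chains to CAFILE.
# This is the check a TLS client makes; a cert signed by another CA fails it.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT / subject_of CERT: print the DN in RFC 2253 form, so the
# signer and the CN (server IP here) can be confirmed after signing.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
}
subject_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}
```

Call build_ca_chain with a scratch directory, then inspect the result with openssl x509 -text -noout -in servercert.pem.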