Certificate creation and application workflow
DER is a binary-encoded certificate; PEM is an ASCII (Base64) encoded certificate; a .crt file is a certificate in either encoding, so you cannot tell from the extension which one you have.
A keystore can be thought of as a store of keys, where a key entry is the unit made up of the public key, the private key and the digital signature (certificate). A truststore holds only certificates, i.e. public keys, and represents the certificates that are trusted; a keystore, by contrast, also contains private keys.
a. Issuing a self-signed certificate
Generate a private key ---> use the private key to generate a certificate request ----> the issuer signs the request with its own private key
private.key --> certificate.req ----> (req + private.key) ---> certificate.crt
b. Requesting a certificate from a CA
private.key ---> certificate.req ------> (my.req + ca.key + ca.crt) --> certificate.crt
Certificate creation
- Commands used to make a certificate
  - Generate a private key:
    openssl genrsa -out caprivate.key 1024
  - Generate a certificate request:
    openssl req -key caprivate.key -new -out cacertificate.req
  - Generate the certificate; the validity period is set with -days:
    openssl x509 -days 1 -req -in cacertificate.req -signkey caprivate.key -out cacertificate.crt
- Worked example of requesting and issuing a certificate
  - Make the private key:
    openssl genrsa -out ops.key 1024
  - Generate the certificate request:
    openssl req -key ops.key -new -out ops.req
  - Issue the certificate (signed with the CA's key and certificate):
    openssl x509 -req -in ops.req -CA ca_ops.pem -CAkey ca_ops.key -out ops.pem -CAcreateserial
  - Inspect the certificate:
    openssl x509 -in ops.pem -noout -text
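The flow above (key, request, CA-signed certificate) as an added, runnable example; this is not code from the original notes. It assumes only that openssl 1.0.2 or newer is on PATH; the CA name and host name (demo root CA, ops.example) are made up, and everything is written to a throwaway mktemp directory. It goes slightly beyond the notes in three ways a deployer cares about: it uses 2048-bit keys and SHA-256 rather than 1024-bit keys and the default digest, it adds a subjectAltName (current browsers match the host name against the SAN and ignore the CN), and after issuing it runs the same checks a client's truststore does: the certificate is accepted only through the CA that signed it, only for the host name it was issued for, and a DER copy has the same fingerprint as the PEM one.

```shell
#!/bin/sh
# Added example, not part of the original notes: the key -> request -> CA-signed
# certificate flow from the commands above, run end to end and then checked the
# way a deployer would check it. Assumptions: openssl 1.0.2 or newer on PATH;
# the CA name and host name (demo root CA, ops.example) are made up for the demo;
# everything is written under a throwaway mktemp directory.
set -eu

# new_key FILE : RSA private key written under umask 077 so it is owner-only
new_key() {
    (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
}

# make_ca DIR : self-signed CA (the "self-issued" case). req needs a
# distinguished_name section even with -subj, and CA:TRUE is what makes the
# certificate usable as an issuer, so a minimal config is written first.
make_ca() {
    mkdir -p "$1"
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$1/req.cnf"
    new_key "$1/ca.key"
    openssl req -new -x509 -sha256 -days 365 -config "$1/req.cnf" -extensions ca_ext \
        -key "$1/ca.key" -subj "/C=CN/O=demo/CN=demo root CA" -out "$1/ca.pem"
}

# issue_server_cert CADIR HOST : request for HOST, signed with "openssl x509 -req"
# as in the notes, plus a subjectAltName: browsers match the host name against
# the SAN, not the CN, so a certificate without one is rejected
issue_server_cert() {
    new_key "$1/$2.key"
    openssl req -new -sha256 -config "$1/req.cnf" -key "$1/$2.key" \
        -subj "/C=CN/O=demo/CN=$2" -out "$1/$2.csr"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# verify_cert CAFILE CERT HOST : succeeds only if CERT chains to CAFILE and HOST
# is in its SAN, i.e. the truststore check plus the host name check a client does
verify_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# cert_encoding FILE : PEM or DER, decided from the bytes, because a .crt file
# can hold either encoding
cert_encoding() {
    if head -c 11 "$1" | grep -q BEGIN; then echo PEM; else echo DER; fi
}

# fingerprint FILE : SHA-256 fingerprint, identical for both encodings of one cert
fingerprint() {
    openssl x509 -in "$1" -inform "$(cert_encoding "$1")" -noout -fingerprint -sha256 | cut -d= -f2
}

# report LABEL CMD... : one line per check, without aborting on the expected failures
report() {
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

demo() {
    work=$(mktemp -d)
    make_ca "$work/ca"
    make_ca "$work/otherca"          # an unrelated CA, to show that trust is per issuer
    issue_server_cert "$work/ca" ops.example
    cert=$work/ca/ops.example.pem
    openssl x509 -in "$cert" -outform DER -out "$work/ops.example.der"
    report "own CA, right host" verify_cert "$work/ca/ca.pem" "$cert" ops.example
    report "other CA"           verify_cert "$work/otherca/ca.pem" "$cert" ops.example
    report "wrong host"         verify_cert "$work/ca/ca.pem" "$cert" wrong.example
    echo "PEM $(fingerprint "$cert")"
    echo "DER $(fingerprint "$work/ops.example.der")"
}

demo
```

The "other CA" and "wrong host" lines are the ones worth keeping in mind when a browser or a Java client rejects a certificate: the chain is checked against whatever is in the truststore, and the host name is checked against the SAN, so importing the server certificate alone, or issuing it without a SAN, is not enough.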
Client test
1. Import the certificate on the client
- Create a keystore:
  keytool -genkey -keystore "/root/ops.keystore" -alias ops -keyalg RSA -validity 365
- List the certificates in the keystore:
  keytool -list -keystore ops
- Import a certificate into the keystore:
  keytool -import -keystore ops -file ops.crt -alias inteliOld
- Delete a certificate from the keystore:
  keytool -delete -alias ops -keystore ops
2. Client access code
Write FoxClient.java (vim FoxClient.java), compile it with javac FoxClient.java, then run java FoxClient to test the HTTPS connection.
```java
import java.io.*;
import java.net.Socket;
import java.security.KeyStore;
import javax.net.ssl.*;

public class FoxClient {
    public static void main(String[] args) throws Exception {
        // Truststore created with keytool above; it holds only the certificates we trust
        String clientTrustKeyStoreFile = "ops";
        String clientTrustKeyStorePwd = "123456";
        KeyStore clientTrustKeyStore = KeyStore.getInstance("JKS");
        try (FileInputStream fis = new FileInputStream(clientTrustKeyStoreFile)) {
            clientTrustKeyStore.load(fis, clientTrustKeyStorePwd.toCharArray());
        }
        // Trust managers built from that truststore decide whether the server's chain is accepted
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(clientTrustKeyStore);
        // "TLS" negotiates the newest protocol the JDK enables; the original "TLSv1" is disabled on current JDKs
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory socketFactory = sslContext.getSocketFactory();
        // Only the certificate chain is checked here; the host name is not verified against the certificate
        try (Socket socket = socketFactory.createSocket("1.1.1.1", 443);
             PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
             BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()))) {
            send("GET / HTTP/1.1", out);
            send("Host: ops.intellicredit.cn", out);
            send("Connection: close", out); // ask the server to close, so receive() ends instead of waiting on keep-alive
            send("", out);                  // the empty line ends the request headers
            receive(in);
        }
    }

    // HTTP header lines end with CRLF, not the platform line separator println() would use
    public static void send(String s, PrintWriter out) {
        System.out.println("Sending: " + s);
        out.print(s + "\r\n");
        out.flush();
    }

    public static void receive(BufferedReader in) throws IOException {
        String s;
        while ((s = in.readLine()) != null) {
            System.out.println("Received: " + s);
        }
    }
}
```
Self-signed CA certificate
Edit /etc/pki/tls/openssl.conf; the [ req_distinguished_name ] section sets the defaults that openssl req offers when it prompts for the subject:

```ini
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = zzc
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = ops_test.intellicredit.cn
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = zhangshun@intellicredit.cn
# SET-ex3 = SET extension number 3
```
____________________________________________________________________________________________________________
### CA self-signed certificate
```console
[root@k8s-node02 CA]# pwd
/etc/pki/CA
## create the files openssl ca needs
[root@k8s-node02 CA]# touch index.txt serial crlnumber
[root@k8s-node02 CA]# echo 01 > serial
## CA private key; mind the permissions (umask 077 in a subshell keeps the key owner-only)
[root@k8s-node02 CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
## self-signed CA certificate
[root@k8s-node02 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
[root@k8s-node02 CA]# cd /tmp
## server private key; mind the permissions
[root@k8s-node02 CA]# (umask 077; openssl genrsa -out server.key 2048)
## server certificate request; note: the Common Name must be the server's domain name
[root@k8s-node02 CA]# openssl req -new -key server.key -out server.csr
## server certificate issued by the CA
[root@k8s-node02 CA]# openssl ca -in server.csr -out server.crt -days 365
[root@k8s-node02 CA]# cat /etc/pki/CA/index.txt
V 200520070531Z 01 unknown /C=CN/ST=Beijing/O=zzc/OU=IT/CN=ops_test.intellicredit.cn/emailAddress=zhangshun@intellicredit.cn
```
When openssl ca issues certificates, it only issues one per subject (domain name) by default; to issue several certificates for the same domain, change the CA's setting in /etc/pki/CA/index.txt.attr (unique_subject).
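The openssl ca session above, as an added, self-contained example that is not part of the original notes: it builds its own CA directory and config under mktemp (instead of /etc/pki/CA and the system openssl.cnf), runs non-interactively with -batch and -subj, and then issues two certificates for the same subject to show what the index.txt.attr note means. The CA name and host name (demo root CA, ops.example) are made up; it assumes openssl 1.0.2 or newer on PATH. Extensions come from a per-host extfile so that each certificate gets a subjectAltName for its own name.

```shell
#!/bin/sh
# Added example, not part of the original notes: the "openssl ca" flow from the
# session above made self-contained and non-interactive (own config, own CA
# directory, -batch and -subj), then used to issue two certificates for the same
# subject. Assumptions: openssl 1.0.2 or newer; CA name and host name (demo root
# CA, ops.example) are made up; the CA lives in a throwaway mktemp directory.
set -eu

# setup_ca DIR : the database files openssl ca expects (index.txt, serial,
# newcerts/), a config that points at them, and the self-signed CA itself
setup_ca() {
    mkdir -p "$1/private" "$1/newcerts"
    touch "$1/index.txt"
    echo 01 > "$1/serial"
    set_unique_subject "$1" no
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any

[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/ca.cnf" -extensions ca_ext -days 365 \
        -key "$1/private/cakey.pem" -subj "/C=CN/O=demo/CN=demo root CA" -out "$1/cacert.pem"
}

# set_unique_subject DIR yes|no : index.txt.attr overrides the config; "no" lets
# several valid certificates share one subject, which the default (yes) refuses
set_unique_subject() {
    echo "unique_subject = $2" > "$1/index.txt.attr"
}

# issue DIR HOST : key + request for HOST, signed by openssl ca into DIR's
# database (stderr is silenced for tidiness; drop 2>/dev/null to see why a
# signing was refused)
issue() {
    (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" \
        -subj "/C=CN/O=demo/CN=$2" -out "$1/$2.csr"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
    openssl ca -batch -notext -config "$1/ca.cnf" -extfile "$1/$2.ext" \
        -in "$1/$2.csr" -out "$1/$2.pem" 2>/dev/null
}

# valid_entries DIR HOST : number of "V" (valid) rows for HOST in index.txt
valid_entries() {
    grep -c "^V.*CN=$2" "$1/index.txt" || true
}

demo() {
    ca=$(mktemp -d)
    setup_ca "$ca"
    issue "$ca" ops.example
    issue "$ca" ops.example        # second certificate for the same subject: accepted
    echo "valid certificates for ops.example: $(valid_entries "$ca" ops.example)"
    set_unique_subject "$ca" yes
    if issue "$ca" ops.example; then echo "third: accepted"; else echo "third: refused (unique_subject = yes)"; fi
    openssl verify -CAfile "$ca/cacert.pem" -verify_hostname ops.example "$ca/ops.example.pem"
    cat "$ca/index.txt"            # same layout as the index.txt shown above
}

demo
```

Each signed certificate is also kept as newcerts/<serial>.pem and the serial file is advanced, so index.txt plus newcerts/ is the complete record of what this CA has issued; that record is what you consult before revoking or re-issuing.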
_____________________________________________________________________________________________________
Tested on Windows: importing only the issued certificate still gives an "insecure" warning when visiting the site; after importing the CA certificate as well, some browsers are fine (Chrome and 360 still fail; Firefox and IE work).