如何使用 keytool 创建证书?
How to create a certificate with keytool?
我已经看过 4 个(是的,4 个)教程,但仍然不明白如何让它工作。
在我的 Glassfish 4.1.1 服务器中设置为 HTTPS 配置的第二个 HTTP 侦听器后,我尝试创建一个证书,因此我的浏览器中不会出现安全错误。问题是,我只是没有让 keytool 正常工作;无论我做什么,它都会搞砸并抛出奇怪的错误。例如,它没有找到许多指南推荐的一些命令。
我猜工具在 Java 8 或其他版本中发生了变化,我真的不知道。
事情是:我想创建一个证书,将其导出到我的 Glassfish 服务器,并正确实施 HTTPS 并用于测试目的。我该怎么办?
编辑:说真的,我因此遇到了麻烦。我什么也做不了:cacerts 密码不是典型的 "changeit",我无法在密钥库之外获取我的密钥,因此我无法对证书做任何事情。
我很多年前在 tomcat 上做过,我记得不要一开始就做对。
除非你想花钱(我猜网站上没有免费的证书签名),我建议使用自签名证书。
你试过这个吗?
http://docs.oracle.com/cd/E19798-01/821-1751/ghlgv/index.html
如果您需要做的只是创建一对自签名证书...我也许可以提供帮助。
在 Microsoft Windows 机器上:
- 创建一个空目录并将以下脚本保存在那里 (GenTestCerts.ps1)。
- 编辑脚本并将别名值(和其他变量)更改为您需要的值。
- 执行脚本。
将服务器 (tomcat.server.net.p12) 证书复制到服务器期望的位置。
将信任库 (truststore.p12) 复制到您的服务器期望的位置。
在您的 Windows 密钥库中安装管理员 (tomcat-admin.p12) 证书,接受根到您的受信任的根证书颁发机构部分。
<#
This sample Windows PowerShell script will:
1.) Create a Certificate Authority
2.) Create a Server Certificate signed by the Certificate Authority
3.) Create a Client Certificate signed by the Certificate Authority
4.) Create a TrustStore containing the public Certificate Authority key
The first section defines variables
The second section does the work
All Key Stores are PKCS12
The Server Certificate includes a Subject Alternative Name
The command below uses the serverAlias as the serverDNS value, but may be changed to whatever you need
You just have Java 7 (or higher) installed and keytool in your path
#>
<# Your Organizational Information #>
$organizationalUnit="USN"
$organization="NRL"
$locality="Washington"
$state="DC"
$country="USA"
<# Certificate Alias #>
$authorityAlias="tomcat-root"
$serverAlias="tomcat.server.net"
$clientAlias="tomcat-admin"
<# Subject Alternative Name #>
$serverDNS="$serverAlias"
<# Extensions #>
$certAuthExtension="BasicConstraints:critical=ca:true,pathlen:10000"
$altNameExtension="san=dns:$serverDNS"
<# Trust Store #>
$trustCertName="truststore"
<# Key size and effective period #>
$keySize="4096"
$validity="365"
<# Key and Store Password #>
$certPassword="changeit"
<# ------------------------------------------------------------------------------------------ #>
<# ------------------ Use caution if you change anything below this line ------------------ #>
<# ------------------------------------------------------------------------------------------ #>
$authorityDN="CN=$authorityAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
$serverDN="CN=$serverAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
$clientDN="CN=$clientAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
rm "$authorityAlias.*"
rm "$serverAlias.*"
rm "$clientAlias.*"
rm "$trustCertName.*"
echo ""
echo "Generating the Root Authority Certificate..."
keytool -genkeypair -alias "$authorityAlias" -keyalg RSA -dname "$authorityDN" -ext "$certAuthExtension" `
-validity "$validity" -keysize "$keySize" -keystore "$authorityAlias.p12" -keypass "$certPassword" `
-storepass "$certPassword" -deststoretype pkcs12
echo "- Exporting Root Authority Certificate Public Key..."
keytool -exportcert -rfc -alias "$authorityAlias" -file "$authorityAlias.cer" -keypass "$certPassword" `
-keystore "$authorityAlias.p12" -storepass "$certPassword"
echo ""
echo "Generating the Server Certificate..."
echo "- Creating Key Pair"
keytool -genkey -validity "$validity" -keysize "$keySize" -alias "$serverAlias" -keyalg RSA -dname "$serverDN" `
-ext "$altNameExtension" -keystore "$serverAlias.p12" -keypass "$certPassword" -storepass "$certPassword" `
-deststoretype pkcs12
echo "- Creating Certificate Signing Request"
keytool -certreq -alias "$serverAlias" -ext "$altNameExtension" -keystore "$serverAlias.p12" -file "$serverAlias.csr" `
-keypass "$certPassword" -storepass "$certPassword"
echo "- Signing Certificate"
keytool -gencert -infile "$serverAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
-alias "$authorityAlias" -ext "$altNameExtension" -outfile "$serverAlias.pem"
echo "- Adding Certificate Authority Certificate to Keystore"
keytool -import -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$serverAlias.p12" `
-storepass "$certPassword" -noprompt
echo "- Adding Certificate to Keystore"
keytool -import -keystore "$serverAlias.p12" -file "$serverAlias.pem" -alias "$serverAlias" -keypass "$certPassword" `
-storepass "$certPassword" -noprompt
rm "$serverAlias.csr"
rm "$serverAlias.pem"
echo ""
echo "Generating the Client Certificate..."
echo "- Creating Key Pair"
keytool -genkey -validity "$validity" -keysize "$keySize" -alias "$clientAlias" -keyalg RSA -dname "$clientDN" `
-keystore "$clientAlias.p12" -keypass "$certPassword" -storepass "$certPassword" -deststoretype pkcs12
echo "- Creating Certificate Signing Request"
keytool -certreq -alias "$clientAlias" -keystore "$clientAlias.p12" -file "$clientAlias.csr" -keypass "$certPassword" `
-storepass "$certPassword"
echo "- Signing Certificate"
keytool -gencert -infile "$clientAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
-alias "$authorityAlias" -outfile "$clientAlias.pem"
echo "- Adding Certificate Authority Certificate to Keystore"
keytool -import -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$clientAlias.p12" `
-storepass "$certPassword" -noprompt
echo "- Adding Certificate to Keystore"
keytool -import -keystore "$clientAlias.p12" -file "$clientAlias.pem" -alias "$clientAlias" -keypass "$certPassword" `
-storepass "$certPassword" -noprompt
rm "$clientAlias.csr"
rm "$clientAlias.pem"
echo ""
echo "Generating the Trust Store and put the Client Certificate in it..."
keytool -importcert -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$trustCertName.p12" `
-storepass "$certPassword" -noprompt
echo ""
echo "Removing Public Key Files..."
rm "$authorityAlias.cer"
希望对您有所帮助。
最好的,
王牌
我已经看过 4 个(是的,4 个)教程,但仍然不明白如何让它工作。
在我的 Glassfish 4.1.1 服务器中设置为 HTTPS 配置的第二个 HTTP 侦听器后,我尝试创建一个证书,因此我的浏览器中不会出现安全错误。问题是,我只是没有让 keytool 正常工作;无论我做什么,它都会搞砸并抛出奇怪的错误。例如,它没有找到许多指南推荐的一些命令。
我猜工具在 Java 8 或其他版本中发生了变化,我真的不知道。
事情是:我想创建一个证书,将其导出到我的 Glassfish 服务器,并正确实施 HTTPS 并用于测试目的。我该怎么办?
编辑:说真的,我因此遇到了麻烦。我什么也做不了:cacerts 密码不是典型的 "changeit",我无法在密钥库之外获取我的密钥,因此我无法对证书做任何事情。
我很多年前在 tomcat 上做过,我记得不要一开始就做对。
除非你想花钱(我猜网站上没有免费的证书签名),我建议使用自签名证书。
你试过这个吗? http://docs.oracle.com/cd/E19798-01/821-1751/ghlgv/index.html
如果您需要做的只是创建一对自签名证书...我也许可以提供帮助。
在 Microsoft Windows 机器上:
- 创建一个空目录并将以下脚本保存在那里 (GenTestCerts.ps1)。
- 编辑脚本并将别名值(和其他变量)更改为您需要的值。
- 执行脚本。
将服务器 (tomcat.server.net.p12) 证书复制到服务器期望的位置。
将信任库 (truststore.p12) 复制到您的服务器期望的位置。
在您的 Windows 密钥库中安装管理员 (tomcat-admin.p12) 证书,接受根到您的受信任的根证书颁发机构部分。
<#
This sample Windows PowerShell script will:
1.) Create a Certificate Authority
2.) Create a Server Certificate signed by the Certificate Authority
3.) Create a Client Certificate signed by the Certificate Authority
4.) Create a TrustStore containing the public Certificate Authority key
The first section defines variables
The second section does the work
All Key Stores are PKCS12
The Server Certificate includes a Subject Alternative Name
The command below uses the serverAlias as the serverDNS value, but may be changed to whatever you need
You just have Java 7 (or higher) installed and keytool in your path
#>
<# Your Organizational Information #>
$organizationalUnit="USN"
$organization="NRL"
$locality="Washington"
$state="DC"
$country="USA"
<# Certificate Alias #>
$authorityAlias="tomcat-root"
$serverAlias="tomcat.server.net"
$clientAlias="tomcat-admin"
<# Subject Alternative Name #>
$serverDNS="$serverAlias"
<# Extensions #>
$certAuthExtension="BasicConstraints:critical=ca:true,pathlen:10000"
$altNameExtension="san=dns:$serverDNS"
<# Trust Store #>
$trustCertName="truststore"
<# Key size and effective period #>
$keySize="4096"
$validity="365"
<# Key and Store Password #>
$certPassword="changeit"
<# ------------------------------------------------------------------------------------------ #>
<# ------------------ Use caution if you change anything below this line ------------------ #>
<# ------------------------------------------------------------------------------------------ #>
$authorityDN="CN=$authorityAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
$serverDN="CN=$serverAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
$clientDN="CN=$clientAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
rm "$authorityAlias.*"
rm "$serverAlias.*"
rm "$clientAlias.*"
rm "$trustCertName.*"
echo ""
echo "Generating the Root Authority Certificate..."
keytool -genkeypair -alias "$authorityAlias" -keyalg RSA -dname "$authorityDN" -ext "$certAuthExtension" `
-validity "$validity" -keysize "$keySize" -keystore "$authorityAlias.p12" -keypass "$certPassword" `
-storepass "$certPassword" -deststoretype pkcs12
echo "- Exporting Root Authority Certificate Public Key..."
keytool -exportcert -rfc -alias "$authorityAlias" -file "$authorityAlias.cer" -keypass "$certPassword" `
-keystore "$authorityAlias.p12" -storepass "$certPassword"
echo ""
echo "Generating the Server Certificate..."
echo "- Creating Key Pair"
keytool -genkey -validity "$validity" -keysize "$keySize" -alias "$serverAlias" -keyalg RSA -dname "$serverDN" `
-ext "$altNameExtension" -keystore "$serverAlias.p12" -keypass "$certPassword" -storepass "$certPassword" `
-deststoretype pkcs12
echo "- Creating Certificate Signing Request"
keytool -certreq -alias "$serverAlias" -ext "$altNameExtension" -keystore "$serverAlias.p12" -file "$serverAlias.csr" `
-keypass "$certPassword" -storepass "$certPassword"
echo "- Signing Certificate"
keytool -gencert -infile "$serverAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
-alias "$authorityAlias" -ext "$altNameExtension" -outfile "$serverAlias.pem"
echo "- Adding Certificate Authority Certificate to Keystore"
keytool -import -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$serverAlias.p12" `
-storepass "$certPassword" -noprompt
echo "- Adding Certificate to Keystore"
keytool -import -keystore "$serverAlias.p12" -file "$serverAlias.pem" -alias "$serverAlias" -keypass "$certPassword" `
-storepass "$certPassword" -noprompt
rm "$serverAlias.csr"
rm "$serverAlias.pem"
echo ""
echo "Generating the Client Certificate..."
echo "- Creating Key Pair"
keytool -genkey -validity "$validity" -keysize "$keySize" -alias "$clientAlias" -keyalg RSA -dname "$clientDN" `
-keystore "$clientAlias.p12" -keypass "$certPassword" -storepass "$certPassword" -deststoretype pkcs12
echo "- Creating Certificate Signing Request"
keytool -certreq -alias "$clientAlias" -keystore "$clientAlias.p12" -file "$clientAlias.csr" -keypass "$certPassword" `
-storepass "$certPassword"
echo "- Signing Certificate"
keytool -gencert -infile "$clientAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
-alias "$authorityAlias" -outfile "$clientAlias.pem"
echo "- Adding Certificate Authority Certificate to Keystore"
keytool -import -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$clientAlias.p12" `
-storepass "$certPassword" -noprompt
echo "- Adding Certificate to Keystore"
keytool -import -keystore "$clientAlias.p12" -file "$clientAlias.pem" -alias "$clientAlias" -keypass "$certPassword" `
-storepass "$certPassword" -noprompt
rm "$clientAlias.csr"
rm "$clientAlias.pem"
echo ""
echo "Generating the Trust Store and put the Client Certificate in it..."
keytool -importcert -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$trustCertName.p12" `
-storepass "$certPassword" -noprompt
echo ""
echo "Removing Public Key Files..."
rm "$authorityAlias.cer"
希望对您有所帮助。
最好的, 王牌