Google Cloud HSM 的 X509 证书
X509 certificate for Google Cloud HSM
我想为存储在 Google Cloud HSM 中的私钥生成 X509 证书。
使用 Java 密钥工具和本地 Java“密钥库”我会做这样的事情:
keytool -exportcert -alias sign1 -keystore signkeystore -storetype jks
-storepass password -file sign1.certificate
见http://tutorials.jenkov.com/java-cryptography/keytool.html
使用 OpenSSL 我会做这样的事情:
openssl genrsa -out private.key 1024
openssl req -new -x509 -key private.key -out publickey.cer -days 365
openssl pkcs12 -export -out public_privatekey.pfx -inkey private.key -in publickey.cer
见X.509: Private / Public Key
看起来,生成证书需要访问 “私钥”,以某种方式,直接像 OpenSSL 或间接像 keytool 使用私钥库。
Gcloud 文档似乎使用 OpenSSL 生成私钥。 https://cloud.google.com/load-balancing/docs/ssl-certificates
如何在 Google Cloud HSM 中获取私钥的 X509 证书。有人做过吗?
问候
苏恰克
我看过这个帖子 Creating an X509 Certificate in Java without BouncyCastle?。
然后我做了以下两个创建GCloud X509证书
- 在 GCloud HSM 中创建密钥(参见 https://cloud.google.com/kms/docs/hsm)
- 从 GCloud 下载 public 密钥。
- 使用下面的代码创建 X509 证书。
- 运行 一些单元测试。
/**
* Create a self-signed X.509 based on a public key
* @param googlePublicKey the Public key downloaded from Google Cloud HSM
* @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
* @param days how many days from now the Example is valid for
* @param algorithm the signing algorithm, eg "SHA1withRSA"
*/
public static X509Certificate generateRSACertificate(String googlePublicKey, String dn, int days, String algorithm)
throws GeneralSecurityException, IOException {
byte[] derKey = Base64.decodeBase64(googlePublicKey);
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
PublicKey rsaKey = KeyFactory.getInstance("RSA").generatePublic(keySpec);
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
KeyPair keyPair = keyPairGenerator.generateKeyPair();
PrivateKey privkey = keyPair.getPrivate();
X509CertInfo info = new X509CertInfo();
Date from = new Date();
Date to = new Date(from.getTime() + days * 86400000l);
CertificateValidity interval = new CertificateValidity(from, to);
BigInteger sn = new BigInteger(64, new SecureRandom());
X500Name owner = new X500Name(dn);
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
info.set(X509CertInfo.SUBJECT, owner);
info.set(X509CertInfo.ISSUER, owner);
info.set(X509CertInfo.KEY, new CertificateX509Key(rsaKey));
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
// Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
// Update the algorith, and resign.
algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
return cert;
}
使用的进口是
import org.apache.commons.codec.binary.Base64;
import sun.security.x509.*;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Collection;
import java.util.Date;
我想为存储在 Google Cloud HSM 中的私钥生成 X509 证书。
使用 Java 密钥工具和本地 Java“密钥库”我会做这样的事情:
keytool -exportcert -alias sign1 -keystore signkeystore -storetype jks -storepass password -file sign1.certificate
见http://tutorials.jenkov.com/java-cryptography/keytool.html
使用 OpenSSL 我会做这样的事情:
openssl genrsa -out private.key 1024
openssl req -new -x509 -key private.key -out publickey.cer -days 365
openssl pkcs12 -export -out public_privatekey.pfx -inkey private.key -in publickey.cer
见X.509: Private / Public Key
看起来,生成证书需要访问 “私钥”,以某种方式,直接像 OpenSSL 或间接像 keytool 使用私钥库。
Gcloud 文档似乎使用 OpenSSL 生成私钥。 https://cloud.google.com/load-balancing/docs/ssl-certificates
如何在 Google Cloud HSM 中获取私钥的 X509 证书。有人做过吗?
问候 苏恰克
我看过这个帖子 Creating an X509 Certificate in Java without BouncyCastle?。
然后我做了以下两个创建GCloud X509证书
- 在 GCloud HSM 中创建密钥(参见 https://cloud.google.com/kms/docs/hsm)
- 从 GCloud 下载 public 密钥。
- 使用下面的代码创建 X509 证书。
- 运行 一些单元测试。
/**
* Create a self-signed X.509 based on a public key
* @param googlePublicKey the Public key downloaded from Google Cloud HSM
* @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
* @param days how many days from now the Example is valid for
* @param algorithm the signing algorithm, eg "SHA1withRSA"
*/
public static X509Certificate generateRSACertificate(String googlePublicKey, String dn, int days, String algorithm)
throws GeneralSecurityException, IOException {
byte[] derKey = Base64.decodeBase64(googlePublicKey);
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
PublicKey rsaKey = KeyFactory.getInstance("RSA").generatePublic(keySpec);
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
KeyPair keyPair = keyPairGenerator.generateKeyPair();
PrivateKey privkey = keyPair.getPrivate();
X509CertInfo info = new X509CertInfo();
Date from = new Date();
Date to = new Date(from.getTime() + days * 86400000l);
CertificateValidity interval = new CertificateValidity(from, to);
BigInteger sn = new BigInteger(64, new SecureRandom());
X500Name owner = new X500Name(dn);
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
info.set(X509CertInfo.SUBJECT, owner);
info.set(X509CertInfo.ISSUER, owner);
info.set(X509CertInfo.KEY, new CertificateX509Key(rsaKey));
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
// Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
// Update the algorith, and resign.
algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
return cert;
}
使用的进口是
import org.apache.commons.codec.binary.Base64;
import sun.security.x509.*;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Collection;
import java.util.Date;