How to create a certificate with keytool?


Problem description




    I've looked in 4 (yes, four) tutorials already and still don't get how to get this working.

    After setting a second HTTP listener configured for HTTPS in my Glassfish 4.1.1 server, I'm trying to create a certificate, so I don't get security errors in my browser. The problem is that I just don't get keytool working properly; it just messes up and throws strange errors whatever I do. For example, it doesn't find some of the commands that many guides recommend.

    I can guess that the tool changed in Java 8 or something else, I don't really know.

    Thing is: I want to create a certificate, export it to my Glassfish server, and have HTTPS correctly implemented and working for testing purposes. What should I do for this?

    EDIT: Seriously, I'm in trouble because of this. I just can't do anything: the cacerts password isn't the typical "changeit", I can't get my keys outside the keystore, and therefore I can't do anything with certificates.

    Solution

    If all you need to do is create a pair of self-signed certificates... I may be able to help.

    On a Microsoft Windows Machine:

    • Create an empty directory and save the below script there (GenTestCerts.ps1).
    • Edit the script and change the Alias values (and other variables) to whatever you need.
    • Execute the script.

    Copy the server (tomcat.server.net.p12) cert to wherever your server expects it to be.

    Copy the Trust Store (truststore.p12) to wherever your server expects it to be.

    Install the admin (tomcat-admin.p12) cert in your Windows Key Store accepting the Root into your Trusted Root Certification Authorities section.

    <#
        This sample Windows PowerShell script will:
            1.) Create a Certificate Authority
            2.) Create a Server Certificate signed by the Certificate Authority
            3.) Create a Client Certificate signed by the Certificate Authority
            4.) Create a TrustStore containing the public Certificate Authority key
    
        The first section defines variables
        The second section does the work
    
        All Key Stores are PKCS12: every keytool call passes -storetype explicitly, because on
        Java 7/8 the default store type is JKS regardless of the .p12 file name, and
        -deststoretype is only honoured by -importkeystore, not by -genkeypair
    
        The Server Certificate includes a Subject Alternative Name
            The command below uses the serverAlias as the serverDNS value, but may be changed to whatever you need
    
        The signed server and client certificates are issued with -validity as well; without it
        -gencert issues 90-day certificates no matter what the key pair was created with
    
        You just need Java 8 (or higher) installed and keytool in your path
        (Java 8 is the first release whose PKCS12 stores can hold trusted certificate entries)
    #>
    
    <# Your Organizational Information #>
    $organizationalUnit="USN"
    $organization="NRL"
    $locality="Washington"
    $state="DC"
    $country="USA"
    
    <# Certificate Alias #>
    $authorityAlias="tomcat-root"
    $serverAlias="tomcat.server.net"
    $clientAlias="tomcat-admin"
    
    <# Subject Alternative Name #>
    $serverDNS="$serverAlias"
    
    <# Extensions #>
    $certAuthExtension="BasicConstraints:critical=ca:true,pathlen:10000"
    $altNameExtension="san=dns:$serverDNS"
    
    <# Trust Store #>
    $trustCertName="truststore"
    
    <# Key Store format, passed to every keytool call #>
    $storeType="pkcs12"
    
    <# Key size and validity period (days) #>
    $keySize="4096"
    $validity="365"
    
    <# Key and Store Password #>
    $certPassword="changeit"
    
    <# ------------------------------------------------------------------------------------------ #>
    <# ------------------  Use caution if you change anything below this line  ------------------ #>
    <# ------------------------------------------------------------------------------------------ #>
    
    $authorityDN="CN=$authorityAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
    $serverDN="CN=$serverAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
    $clientDN="CN=$clientAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
    
    <# Remove leftovers from a previous run; -ErrorAction keeps a clean first run from printing errors #>
    rm "$authorityAlias.*" -ErrorAction SilentlyContinue
    rm "$serverAlias.*" -ErrorAction SilentlyContinue
    rm "$clientAlias.*" -ErrorAction SilentlyContinue
    rm "$trustCertName.*" -ErrorAction SilentlyContinue
    
    echo ""
    echo "Generating the Root Authority Certificate..."
    keytool -genkeypair -alias "$authorityAlias" -keyalg RSA -dname "$authorityDN" -ext "$certAuthExtension" `
        -validity "$validity" -keysize "$keySize" -keystore "$authorityAlias.p12" -keypass "$certPassword" `
        -storepass "$certPassword" -storetype "$storeType"
    echo "- Exporting Root Authority Certificate Public Key..."
    keytool -exportcert -rfc -alias "$authorityAlias" -file "$authorityAlias.cer" `
        -keystore "$authorityAlias.p12" -storepass "$certPassword" -storetype "$storeType"
    
    echo ""
    echo "Generating the Server Certificate..."
    echo "- Creating Key Pair"
    keytool -genkeypair -validity "$validity" -keysize "$keySize" -alias "$serverAlias" -keyalg RSA -dname "$serverDN" `
        -ext "$altNameExtension" -keystore "$serverAlias.p12" -keypass "$certPassword" -storepass "$certPassword" `
        -storetype "$storeType"
    echo "- Creating Certificate Signing Request"
    keytool -certreq -alias "$serverAlias" -ext "$altNameExtension" -keystore "$serverAlias.p12" -file "$serverAlias.csr" `
        -keypass "$certPassword" -storepass "$certPassword" -storetype "$storeType"
    echo "- Signing Certificate (the SAN must be repeated here; -gencert ignores extensions in the request)"
    keytool -gencert -infile "$serverAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
        -alias "$authorityAlias" -ext "$altNameExtension" -validity "$validity" -outfile "$serverAlias.pem" `
        -storetype "$storeType"
    echo "- Adding Certificate Authority Certificate to Keystore (keytool needs it to build the chain for the reply)"
    keytool -importcert -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$serverAlias.p12" `
        -storepass "$certPassword" -storetype "$storeType" -noprompt
    echo "- Adding Certificate to Keystore"
    keytool -importcert -keystore "$serverAlias.p12" -file "$serverAlias.pem" -alias "$serverAlias" -keypass "$certPassword" `
        -storepass "$certPassword" -storetype "$storeType" -noprompt
    rm "$serverAlias.csr"
    rm "$serverAlias.pem"
    
    echo ""
    echo "Generating the Client Certificate..."
    echo "- Creating Key Pair"
    keytool -genkeypair -validity "$validity" -keysize "$keySize" -alias "$clientAlias" -keyalg RSA -dname "$clientDN" `
        -keystore "$clientAlias.p12" -keypass "$certPassword" -storepass "$certPassword" -storetype "$storeType"
    echo "- Creating Certificate Signing Request"
    keytool -certreq -alias "$clientAlias" -keystore "$clientAlias.p12" -file "$clientAlias.csr" -keypass "$certPassword" `
        -storepass "$certPassword" -storetype "$storeType"
    echo "- Signing Certificate"
    keytool -gencert -infile "$clientAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
        -alias "$authorityAlias" -validity "$validity" -outfile "$clientAlias.pem" -storetype "$storeType"
    echo "- Adding Certificate Authority Certificate to Keystore"
    keytool -importcert -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$clientAlias.p12" `
        -storepass "$certPassword" -storetype "$storeType" -noprompt
    echo "- Adding Certificate to Keystore"
    keytool -importcert -keystore "$clientAlias.p12" -file "$clientAlias.pem" -alias "$clientAlias" -keypass "$certPassword" `
        -storepass "$certPassword" -storetype "$storeType" -noprompt
    rm "$clientAlias.csr"
    rm "$clientAlias.pem"
    
    echo ""
    echo "Generating the Trust Store and putting the Certificate Authority certificate in it..."
    keytool -importcert -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$trustCertName.p12" `
        -storepass "$certPassword" -storetype "$storeType" -noprompt
    
    echo ""
    echo "Removing Public Key Files..."
    rm "$authorityAlias.cer"
    

    Hope this helps.

    Best, Ace
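    The asker's complaint is that keytool "messes up" silently, so it is worth reading the stores back and checking what was actually produced before copying anything to Glassfish. The script below is an added example, not part of Ace's answer: it is run in the same directory as GenTestCerts.ps1, assumes the same alias and password values, uses only `keytool -list -v` output (the "Keystore type", "Entry type", "Certificate chain length", "Issuer" and "DNSName" lines keytool prints) and reports each property the generation script is meant to guarantee: PKCS12 format, a two-certificate chain issued by the root, the server's Subject Alternative Name, and a trust store holding only the CA with its CA:true constraint. The final .NET check is Windows-only and shows the effect of the manual "accept the Root into Trusted Root Certification Authorities" step: `Verify()` returns `False` until that step has been done.

```powershell
<#
  Added example (not from the original answer). Run after GenTestCerts.ps1, in the
  same directory, with the same alias/password values. Requires keytool on the PATH.
#>
$authorityAlias = "tomcat-root"
$serverAlias    = "tomcat.server.net"
$clientAlias    = "tomcat-admin"
$trustCertName  = "truststore"
$certPassword   = "changeit"

$script:failures = @()

function Get-StoreListing {
    param([string]$Store)
    # -v makes keytool print owner, issuer, chain length and extensions for every entry
    $lines = & keytool -list -v -keystore $Store -storetype pkcs12 -storepass $certPassword
    if ($LASTEXITCODE -ne 0) { throw "keytool could not open $Store" }
    return ($lines -join "`n")
}

function Expect {
    param([string]$Text, [string]$Pattern, [string]$What)
    # -notmatch is a regex test; literal names are passed through [regex]::Escape by the caller
    if ($Text -notmatch $Pattern) { $script:failures += $What }
}

$server = Get-StoreListing "$serverAlias.p12"
Expect $server "Keystore type: PKCS12" "server store is not PKCS12"
Expect $server ("Alias name: " + [regex]::Escape($serverAlias) + "[\s\S]*?Entry type: PrivateKeyEntry") `
    "server alias is not a private key entry"
Expect $server "Certificate chain length: 2" "server chain should be server cert + root"
Expect $server ("Issuer: CN=" + [regex]::Escape($authorityAlias)) "server cert was not issued by the root"
Expect $server ("DNSName: " + [regex]::Escape($serverAlias)) "server cert lacks the Subject Alternative Name"

$client = Get-StoreListing "$clientAlias.p12"
Expect $client "Keystore type: PKCS12" "client store is not PKCS12"
Expect $client "Certificate chain length: 2" "client chain should be client cert + root"
Expect $client ("Issuer: CN=" + [regex]::Escape($authorityAlias)) "client cert was not issued by the root"

$trust = Get-StoreListing "$trustCertName.p12"
Expect $trust "Your keystore contains 1 entry" "trust store should hold exactly the root"
Expect $trust "Entry type: trustedCertEntry" "root is not stored as a trusted certificate"
Expect $trust "CA:true" "root certificate lacks the CA basic constraint"

# Windows-only: does the client cert chain to something the machine already trusts?
# This prints False until the root has been installed under Trusted Root Certification
# Authorities (the manual step in the answer). Loading can fail on older Windows builds if
# keytool used a PKCS12 encryption the OS does not understand, hence the try/catch.
try {
    $clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        (Resolve-Path "$clientAlias.p12").Path, $certPassword)
    Write-Host ("Client cert '{0}' trusted by Windows: {1}" -f $clientCert.Subject, $clientCert.Verify())
} catch {
    Write-Host "Could not load $clientAlias.p12 with .NET: $($_.Exception.Message)"
}

if ($failures.Count -eq 0) {
    Write-Host "All checks passed."
} else {
    $failures | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
```

    A failing "Keystore type" check is the symptom to look for on Java 8: a store created without `-storetype pkcs12` is JKS whatever its file extension, and Glassfish configured for a PKCS12 store will refuse it.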

