OPENSSL多级证书链

原创
2017/12/09 19:23
阅读数 5.4K

1.CA子签名证书

openssl genrsa -out ca.key 2048 
openssl req -x509 -new -nodes -key ca.key -subj "/CN=chain.test.com/OU=department/O=CorpName/L=beijing/ST=Haidian/C=CN" -days 36500 -out ca.cert
openssl pkcs12 -export -clcerts -name ca -inkey ca.key -in ca.cert -out ca.p12

如果要作为服务器验证根证书,则不能直接用这个 ca.p12,因为这个是带私钥的privateKeyEntry,需要:

keytool -delete -alias ca -keystore ca.p12 -storetype PKCS12 -storepass changeit
keytool -import -alias ca -file ca.cert -keystore ca.p12 -storetype PKCS12 -storepass changeit

这样生成的是 trustedKeyEntry,只有证书

2.生成中间证书

openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr -config croot.conf
openssl x509 -req -in root.csr -CA ca.cert -CAkey ca.key -CAcreateserial -out root.cert -days 365 -extensions v3_req -extfile croot.conf
openssl pkcs12 -export -clcerts -name root -inkey root.key -in root.cert -out root.p12

keytool -delete -alias root -keystore root.p12 -storetype PKCS12 -storepass changeit
keytool -import -alias root -file root.cert -keystore root.p12 -storetype PKCS12 -storepass changeit

troot.conf

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = CN
ST = BJ
L = BJ
O = BAIDU
OU = fsg
CN = www.root.test.com

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1=10.***

3.生成 Client 证书

openssl genrsa -out platform.key 2048
openssl req -new -key platform.key -out platform.csr -config cplatform.conf
openssl x509 -req -in platform.csr -CA root.cert -CAkey root.key -CAcreateserial -out platform.cert -days 365 -extensions v3_req -extfile cplatform.conf
openssl pkcs12 -export -clcerts -name secretkey -inkey platform.key -in platform.cert -out platform.p12
# 构建证书链,将上级证书加入platform.p12,platform 自己的证书是 privateKeyEntry
keytool -import -alias root -keystore platform.p12 -storetype PKCS12 -storepass changeit -trustcacerts -file root.cert

tplatform.conf

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = CN
ST = BJ
L = BJ
O = BAIDU
OU = fsg
CN = www.platform.test.com

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1=10.115.***.95

查看一下最后生成的

$ keytool -list -keystore platform.p12 -storetype pkcs12 -storepass changeit

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 3 entries

secretkey, Dec 11, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 95:B9:97:52:46:25:83:C7:EE:6B:42:17:55:0B:6D:0D:D6:9F:9D:60
root, Dec 11, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): D5:D5:E9:2D:76:0B:C3:1D:79:1E:D8:08:FD:DE:A8:03:7E:8D:8F:0A
ca, Dec 11, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): AA:31:9E:AA:E8:79:EC:E8:E1:EF:89:C3:CD:86:75:79:6C:95:AF:B4

 

4.TOMCAT配置

<Connector port="8543" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    sslProtocol="TLS" keystoreFile="${catalina.base}/webapps/ROOT/WEB-INF/classes/META-INF/caFiles/platform.p12"
    keystorePass="changeit" keystoreType="PKCS12"
    keyAlias="secretkey"
    truststoreFile="${catalina.base}/webapps/ROOT/WEB-INF/classes/META-INF/caFiles/root.p12"
    truststorePass="changeit" truststoreType="PKCS12"
    clientAuth="true"/>

 

展开阅读全文
打赏
0
0 收藏
分享

作者的其它热门文章

加载中
更多评论
打赏
0 评论
0 收藏
0
分享
返回顶部
顶部