
How to issue your own HTTPS certificates

This article shows how to generate self-signed certificates with the OpenSSL command-line tool and Java's keytool.

For what HTTPS is and how its encryption and communication process work, see the blog post on that topic; what follows describes the detailed steps for generating an HTTPS certificate.

The OpenSSL tool

OpenSSL is an open-source project made up of three main components:

  • openssl: the multi-purpose command-line tool
  • libcrypto: the cryptographic algorithm library
  • libssl: the library that implements the SSL and TLS protocols

With OpenSSL you can manage keys and certificates and perform both symmetric and asymmetric encryption.

Generating the key and the certificate

Without further ado, here is the full session for generating a key and a certificate with the OpenSSL command-line tool. It first creates a key (server.pem) and a self-signed certificate (server.crt) that act as the CA, then creates a second key and a certificate signing request (htx-server.pem, htx-server.csr), signs that request with the CA, exports key and certificate as PKCS#12, and finally imports the bundle and the CA certificate into a JKS keystore with keytool:

D:\OpenSSL-Win64\bin>dir
驱动器 D 中的卷是 App
卷的序列号是 C67B-0BC3

D:\OpenSSL-Win64\bin 的目录

2019/06/04 15:08 <DIR> .
2019/06/04 15:08 <DIR> ..
2019/05/28 22:36 7,813 CA.pl
2019/05/28 22:36 69,120 capi.dll
2019/05/28 22:36 44,544 dasync.dll
2019/06/04 15:08 2,527 keystore.p12
2019/05/28 22:36 3,407,360 libcrypto-1_1-x64.dll
2019/05/28 22:36 681,472 libssl-1_1-x64.dll
2019/05/28 22:36 542,720 openssl.exe
2019/05/28 22:36 44,032 ossltest.dll
2019/05/28 22:36 39,936 padlock.dll
2019/05/31 16:01 <DIR> PEM
2019/05/28 22:36 5,562 progs.pl
2019/05/28 22:36 6,779 tsget.pl
11 个文件 4,851,865 字节
3 个目录 379,711,356,928 可用字节

D:\OpenSSL-Win64\bin>openssl genrsa -out server.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
................................................+++++
e is 65537 (0x010001)

D:\OpenSSL-Win64\bin>openssl req -x509 -new -key server.pem -out server.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyServer
Organizational Unit Name (eg, section) []:MySever
Common Name (e.g. server FQDN or YOUR name) []:www.baidu.com
Email Address []:

D:\OpenSSL-Win64\bin>openssl genrsa -out htx-server.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
........+++++
e is 65537 (0x010001)

D:\OpenSSL-Win64\bin>openssl req -new -key htx-server.pem -out htx-server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySever2
Organizational Unit Name (eg, section) []:Mysever2
Common Name (e.g. server FQDN or YOUR name) []:www.baidu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

D:\OpenSSL-Win64\bin>openssl x509 -req -in htx-server.csr -CA server.crt -CAkey server.pem -CAcreateserial -days 3650 -out htx-server.crt
Signature ok
subject=C = CN, ST = beijing, L = beijing, O = MySever2, OU = Mysever2, CN = www.baidu.com
Getting CA Private Key

D:\OpenSSL-Win64\bin>openssl pkcs12 -export -in htx-server.crt -inkey htx-server.pem -out htx-server.p12
Enter Export Password:
Verifying - Enter Export Password:

D:\OpenSSL-Win64\bin>keytool -importkeystore -srckeystore htx-server.p12 -destkeystore htx-server.jks -srcstoretype pkcs12
正在将密钥库 htx-server.p12 导入到 htx-server.jks...
输入目标密钥库口令:
再次输入新口令:
它们不匹配。请重试
输入目标密钥库口令:
再次输入新口令:
输入源密钥库口令:
已成功导入别名 1 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消

Warning:
JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore htx-server.jks -destkeystore htx-server.jks -deststoretype pkcs12" 迁移到行业标准格式 PKCS12。

D:\OpenSSL-Win64\bin>keytool -importcert -keystore htx-server.jks -file server.crt
输入密钥库口令:
所有者: CN=www.baidu.com, OU=MySever, O=MyServer, L=beijing, ST=beijing, C=CN
发布者: CN=www.baidu.com, OU=MySever, O=MyServer, L=beijing, ST=beijing, C=CN
序列号: 2086ab43ad3a294d722f1b14a0e4a3fa704e5087
有效期为 Tue Jun 04 15:33:51 CST 2019 至 Thu Jul 04 15:33:51 CST 2019
证书指纹:
MD5: 94:3D:FB:DF:15:27:63:7F:3B:8F:A9:78:A8:A0:48:C0
SHA1: 67:9D:FC:69:BB:E1:C9:F9:B2:DC:C8:3C:10:73:1C:EF:F0:DE:8C:71
SHA256: 5F:FB:EC:AE:C0:32:85:BF:3B:39:62:63:BB:F7:26:06:AA:37:67:B8:C9:9F:05:CD:67:23:B2:E0:B6:96:1C:FE
签名算法名称: SHA256withRSA
主体公共密钥算法: 2048 位 RSA 密钥
版本: 3

扩展:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 2A BC AE CE DB E9 7A F2 56 FC 1A B2 8D 22 AF 9D *.....z.V...."..
0010: B5 04 47 CB ..G.
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 2A BC AE CE DB E9 7A F2 56 FC 1A B2 8D 22 AF 9D *.....z.V...."..
0010: B5 04 47 CB ..G.
]
]

是否信任此证书? [否]: y
证书已添加到密钥库中

Warning:
JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore htx-server.jks -destkeystore htx-server.jks -deststoretype pkcs12" 迁移到行业标准格式 PKCS12。

Certificates can also be issued with the following procedure, which keeps the CA separate (ca.key, ca.csr, ca.crt) and signs one server and one client certificate with it. Note that here server.pem and client.pem are the exported public keys (openssl rsa -pubout), not certificates:

D:\OpenSSL-Win64\bin>openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................+++++
......+++++
e is 65537 (0x010001)

D:\OpenSSL-Win64\bin>openssl rsa -in server.key -pubout -out server.pem
writing RSA key

D:\OpenSSL-Win64\bin>openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................................................................+++++
.+++++
e is 65537 (0x010001)

D:\OpenSSL-Win64\bin>openssl rsa -in client.key -pubout -out client.pem
writing RSA key

D:\OpenSSL-Win64\bin>openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......+++++
...............................+++++
e is 65537 (0x010001)

D:\OpenSSL-Win64\bin>openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCA
Organizational Unit Name (eg, section) []:MyCA
Common Name (e.g. server FQDN or YOUR name) []:www.baidu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

D:\OpenSSL-Win64\bin>openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=C = CN, ST = beijing, L = beijing, O = MyCA, OU = MyCA, CN = www.baidu.com
Getting Private key

D:\OpenSSL-Win64\bin>openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyServer
Organizational Unit Name (eg, section) []:MyServer
Common Name (e.g. server FQDN or YOUR name) []:www.baidu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

D:\OpenSSL-Win64\bin>openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=C = CN, ST = beijing, L = beijing, O = MyServer, OU = MyServer, CN = www.baidu.com
Getting CA Private Key

D:\OpenSSL-Win64\bin>openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyClient
Organizational Unit Name (eg, section) []:Myclient
Common Name (e.g. server FQDN or YOUR name) []:www.baidu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

D:\OpenSSL-Win64\bin>openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=C = CN, ST = beijing, L = beijing, O = MyClient, OU = Myclient, CN = www.baidu.com
Getting CA Private Key

D:\OpenSSL-Win64\bin>dir
驱动器 D 中的卷是 App
卷的序列号是 C67B-0BC3

D:\OpenSSL-Win64\bin 的目录

2019/06/04 14:29 <DIR> .
2019/06/04 14:29 <DIR> ..
2019/06/04 14:27 1,236 ca.crt
2019/06/04 14:27 1,022 ca.csr
2019/06/04 14:25 1,706 ca.key
2019/05/28 22:36 7,813 CA.pl
2019/06/04 14:29 42 ca.srl
2019/05/28 22:36 69,120 capi.dll
2019/06/04 14:29 1,250 client.crt
2019/06/04 14:28 1,030 client.csr
2019/06/04 14:25 1,702 client.key
2019/06/04 14:25 460 client.pem
2019/05/28 22:36 44,544 dasync.dll
2019/05/28 22:36 3,407,360 libcrypto-1_1-x64.dll
2019/05/28 22:36 681,472 libssl-1_1-x64.dll
2019/05/28 22:36 542,720 openssl.exe
2019/05/28 22:36 44,032 ossltest.dll
2019/05/28 22:36 39,936 padlock.dll
2019/05/31 16:01 <DIR> PEM
2019/05/28 22:36 5,562 progs.pl
2019/06/04 14:28 1,250 server.crt
2019/06/04 14:28 1,030 server.csr
2019/06/04 14:24 1,706 server.key
2019/06/04 14:25 460 server.pem
2019/05/28 22:36 6,779 tsget.pl
22 个文件 4,862,232 字节
3 个目录 379,711,369,216 可用字节

Notes

One

The whole process can be summarized as:

  • generate the server's public and private keys
  • generate the client's public and private keys
  • create the CSR files and generate the CA-signed certificates

Two

During configuration, the Common Name should be the domain name you are issuing the certificate for; for example, the line below is from a certificate generated for Baidu:

Common Name (e.g. server FQDN or YOUR name) []:www.baidu.com
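As an added example (not code from the original post), the following POSIX shell script automates both interactive sessions above end to end: it builds a CA, signs a server and a client certificate with it, exports the PKCS#12 bundle that the keytool -importkeystore step consumes, and verifies the result. The host names (www.example.test, client.example.test), organization names, file names, the password and the scratch directory are all constructed for the demo. It differs from the sessions in three ways worth knowing about: it passes extension files so the CA certificate carries BasicConstraints CA:true and the end-entity certificates carry a subjectAltName (modern clients match the host name against the SAN, not the Common Name discussed in note Two), it uses -subj so nothing is prompted, and it finishes with openssl verify -verify_hostname to prove that the chain and the host name are right before anything is imported into a keystore.

```shell
#!/bin/sh
# Added example, not code from the original post. Names, hosts, the password
# and the scratch directory are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # every key, CSR and certificate lands here

# Build the CA: private key, CSR, self-signed root certificate.
# The extension file is what the interactive "openssl x509 -req -signkey"
# session lacks: without it the root has no CA:true flag and strict verifiers
# (Java, browsers) will not accept it as an issuer.
make_ca() {
    ca_cn="$1"
    printf '%s\n' \
        'basicConstraints=critical,CA:true,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$WORK/ca.ext"
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/ca.key" -subj "/C=CN/O=MyCA/CN=$ca_cn" \
        -out "$WORK/ca.csr"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a CA-signed end-entity certificate.
#   $1 file prefix (server/client)  $2 subject CN  $3 DNS name for the SAN
#   $4 extendedKeyUsage: serverAuth for an HTTPS server, clientAuth for a client
# Clients match the host name against subjectAltName, not the CN, so the SAN
# is what makes the certificate usable for HTTPS.
issue_cert() {
    name="$1"; cn="$2"; san="$3"; eku="$4"
    printf '%s\n' \
        'basicConstraints=critical,CA:false' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        "extendedKeyUsage=$eku" \
        "subjectAltName=DNS:$san" \
        'authorityKeyIdentifier=keyid,issuer' > "$WORK/$name.ext"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "/C=CN/O=My$name/CN=$cn" \
        -out "$WORK/$name.csr"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Does $1.crt chain to ca.crt and name host $2?  Exit status 0 = yes, 1 = no.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# Bundle key, certificate and CA into PKCS#12 (the input for the keytool
# -importkeystore step) and print how many certificates the bundle contains.
export_p12() {
    name="$1"; pass="$2"
    openssl pkcs12 -export -in "$WORK/$name.crt" -inkey "$WORK/$name.key" \
        -certfile "$WORK/ca.crt" -name "$name" -passout "pass:$pass" \
        -out "$WORK/$name.p12"
    openssl pkcs12 -in "$WORK/$name.p12" -passin "pass:$pass" -nokeys \
        2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_ca MyCA
issue_cert server www.example.test www.example.test serverAuth
issue_cert client client.example.test client.example.test clientAuth

if verify_cert server www.example.test; then
    echo "server.crt: chain and host name OK"
fi
if ! verify_cert server other.example.test; then
    echo "server.crt: correctly rejected for other.example.test"
fi
echo "server.p12 holds $(export_p12 server changeit) certificates (leaf + CA)"
echo "files are in $WORK"
```

Run it with sh; server.p12 is then the file to pass to keytool -importkeystore -srcstoretype pkcs12 as in the session above. The sessions on this page write the CA private key unencrypted next to the server files; at minimum keep ca.key off the web server and add -aes256 to the genrsa call (or protect the PKCS#12 with a real password rather than the demo's) so that a copied file is not immediately a usable signing key.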

Three

A keystore/JKS file actually holds two kinds of entries:

  1. Key entries: either a secret key, or a private key together with its paired public key (asymmetric cryptography)
  2. Trusted certificate entries: these contain only a public key
