一、生成自签名证书
1 生成根证书CA
1.1 --生成根证书
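REM 1.1 Root CA key pair (self-signed). "changeit" is the tutorial placeholder password:
REM     pick real passwords and keep them out of any committed script before this CA signs anything.
set keystore=oa.keystore
set alias=rootca
set storepass=changeit
set keypass=changeit
set DNAME="CN=ChuanYeCA, OU=ChuanYe, O=ChuanYe, L=BeiJing, ST=BeiJing, C=CN"
set validity=3650
REM -ext bc:c adds a critical BasicConstraints CA:true extension. keytool does not add it on its own,
REM and without it the "root" is an ordinary end-entity certificate, so strict validators (browsers,
REM OpenSSL-based clients) reject the certificates it signs in steps 2.3/3.3.
REM -storetype jks: recent JDKs warn that JKS is proprietary and suggest PKCS12; kept because the
REM Java loader further down opens the store as "JKS".
keytool -genkeypair -alias %alias% -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore %keystore% -storetype jks -storepass %storepass% -keypass %keypass% -dname %DNAME% -validity %validity% -ext bc:c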
1.2 --导出根证书
REM 1.2 Export the root CA certificate (public part only; the private key never leaves oa.keystore).
keytool -exportcert -alias rootca -keystore oa.keystore -storepass changeit -file rootca.cer
1.3 --导入证书到truststore中
REM 1.3 Make the root CA a trust anchor: add its certificate to a separate truststore
REM     (oa.truststore is created on first import). -importcert is the current name of -import.
keytool -importcert -alias trustrootca -keystore oa.truststore -storepass changeit -file rootca.cer
2 --生成二级CA
2.1--生成二级证书
REM 2.1 Intermediate (sub) CA key pair, stored in the same keystore as the root.
REM     The self-signed certificate created here is only a placeholder: step 2.4 imports the
REM     root-signed reply for this alias, which replaces it, so "validity" here is short-lived.
set validity=3650
set DNAME="CN=SubCA, OU=ChuanYe Sub, O=ChuanYe Sub, L=BeiJing, ST=BeiJing, C=CN"
set keypass=changeit
set storepass=changeit
set alias=subca
set keystore=oa.keystore
keytool -genkeypair -keystore %keystore% -storetype jks -storepass %storepass% -alias %alias% -keypass %keypass% -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname %DNAME% -validity %validity%
2.2 --从二级CA的密钥对中生成证书请求(CSR)
REM 2.2 Certificate signing request for the sub CA key (PEM, written to subca.csr).
keytool -certreq -keystore oa.keystore -storepass changeit -alias subca -file subca.csr
2.3 --使用证书请求从根CA中签发证书
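REM 2.3 Issue the intermediate CA certificate with the root key.
REM -ext bc=0  : BasicConstraints CA:true with pathlen 0 -- the sub CA may sign end-entity
REM              certificates (step 3.3) but no further CAs. keytool adds no CA extension
REM              to a -gencert reply unless asked, and without it the sub CA cannot validly sign.
REM -validity  : keytool -gencert defaults to 90 days; the validity=3650 set for the key pair
REM              applied only to the throw-away self-signed placeholder, not to this reply.
keytool -gencert -alias rootca -keystore oa.keystore -storepass changeit -infile subca.csr -outfile subca.cer -ext bc=0 -validity 3650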
2.4 --将根CA签发的二级CA证书导入密钥库中(作为证书回复导入,替换自签名占位证书)
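REM 2.4 Import the root-signed reply under the existing "subca" key entry; keytool treats it as a
REM     certificate reply and replaces the self-signed placeholder with the chain subca -> rootca
REM     (the issuer rootca is found in the same keystore).
REM     Note: in a .bat file comments are REM (or ::), not "#". A line starting with "#keytool"
REM     makes cmd try to execute a command named "#keytool", so the alternative form is kept as REM.
REM keytool -importcert -v -trustcacerts -alias subca -file subca.cer -storepass changeit -keystore oa.keystore
keytool -importcert -alias subca -file subca.cer -storepass changeit -keystore oa.keystore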
2.5 --导入证书到truststore中
REM 2.5 Also add the intermediate certificate to the truststore. With the root already trusted this
REM     is normally not required for chain validation, provided the peer sends its full chain;
REM     it is kept so clients that receive only the leaf can still build the chain.
keytool -importcert -alias trustsubca -keystore oa.truststore -storepass changeit -file subca.cer
3 使用二级证书签发用户证书
3.1 --生成用户证书
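REM 3.1 End-entity (server/user) key pair. The self-signed certificate made here is a placeholder
REM     that step 3.4 replaces with the sub-CA-issued one.
set keystore=oa.keystore
set alias=shayne
set storepass=changeit
set keypass=changeit
set DNAME="CN=192.168.1.100, OU=SH, O=SH, L=BeiJing, ST=BeiJing, C=CN"
set validity=3650
REM -ext san=ip:... : the subject is an IP address. TLS clients match the host against the
REM     SubjectAltName extension, not CN, so a certificate carrying only CN=192.168.1.100 is
REM     rejected as a name mismatch by current browsers and Java clients. The SAN must also be
REM     present on the certificate the sub CA issues (pass the same -ext to -gencert in 3.3).
keytool -genkeypair -alias %alias% -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore %keystore% -storetype jks -storepass %storepass% -keypass %keypass% -dname %DNAME% -validity %validity% -ext san=ip:192.168.1.100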
3.2 --导出用户证书请求
REM 3.2 Certificate signing request for the end-entity key (PEM, written to shayne.csr).
keytool -certreq -keystore oa.keystore -storepass changeit -alias shayne -file shayne.csr
3.3 --用二级CA签发用户证书
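REM 3.3 Issue the end-entity certificate with the sub CA key.
REM -ext san=ip:... : CN is an IP address and TLS clients check SubjectAltName, not CN; a reply
REM                   without a SAN fails hostname verification. keytool -gencert does not add
REM                   a SAN by itself (alternatively -ext honored=all copies extensions that the
REM                   CSR already carries).
REM -validity       : -gencert defaults to 90 days regardless of the key pair's validity setting.
keytool -gencert -alias subca -keystore oa.keystore -storepass changeit -infile shayne.csr -outfile shayne.cer -ext san=ip:192.168.1.100 -validity 3650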
3.4 --将二级CA签发的用户证书导入密钥库中(作为证书回复导入,替换自签名占位证书)
REM 3.4 Import the sub-CA-issued reply for "shayne"; the placeholder is replaced by the chain
REM     shayne -> subca -> rootca (both issuers are present in oa.keystore).
keytool -importcert -keystore oa.keystore -storepass changeit -alias shayne -file shayne.cer
4 --导入证书到truststore中
REM 4 Pin the end-entity certificate in the truststore as well. Despite the alias name this entry
REM   is a leaf, not a CA; with rootca trusted and the server sending its chain it is not needed
REM   for validation, but it is kept so the truststore matches the original tutorial.
keytool -importcert -keystore oa.truststore -storepass changeit -alias trustuserca -file shayne.cer
5 --生成p12格式证书(只导出用户/客户端条目及其私钥,不要把根CA的私钥导出到客户端文件中)
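REM 5 Bundle the client key pair and its certificate chain as PKCS#12 (what browsers / curl consume).
REM   The original command used -srcalias rootca, i.e. it copied the ROOT CA's private key into
REM   client.p12 -- anyone holding that file can mint certificates the whole truststore accepts.
REM   The root key must never leave the CA keystore; export the end-entity entry ("shayne") instead.
REM   client.p12 now holds a private key: give it restrictive file permissions and a real password.
keytool -importkeystore -srckeystore oa.keystore -srcstoretype jks -srcalias shayne -srcstorepass changeit -destkeystore client.p12 -deststoretype pkcs12 -destalias shayne -deststorepass changeit -noprompt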
二、生成nginx需要的证书crt/cer、key
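REM Self-signed server certificate for nginx (no CA involved): the certificate produced here is
REM exported as-is further down and served to clients, so everything clients check must be on it.
set keystore=ths.keystore
set alias=ths
set storepass=changeit
set keypass=changeit
set DNAME="CN=192.168.1.100, OU=SH, O=SH, L=BeiJing, ST=BeiJing, C=CN"
set validity=3650
REM -ext san=ip:... : clients match the host against SubjectAltName, not CN; with only
REM     CN=192.168.1.100 current browsers and Java clients report a hostname mismatch even
REM     after the certificate itself is trusted.
keytool -genkeypair -alias %alias% -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore %keystore% -storetype jks -storepass %storepass% -keypass %keypass% -dname %DNAME% -validity %validity% -ext san=ip:192.168.1.100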
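REM List the entries to confirm the key pair exists. The original listed "server.keystore", which is
REM never created in this section (the key pair above went into ths.keystore) and simply errors.
keytool -list -keystore ths.keystore -storepass changeit
REM Export the certificate (DER). Without -storepass keytool prompts and warns that the store's
REM integrity cannot be verified; the export itself still works.
keytool -exportcert -keystore ths.keystore -file ths.cer -alias ths
REM Self-trust the certificate in a truststore for Java clients of this nginx.
keytool -importcert -trustcacerts -alias ths -keystore ths.truststore -file ths.cer -storepass changeit
REM PKCS#12 copy of the key pair (prompts for both passwords). ths.p12 contains the server's private
REM key: restrict its permissions and do not ship it anywhere except the nginx host.
keytool -importkeystore -srckeystore ths.keystore -destkeystore ths.p12 -srcalias ths -destalias ths -srcstoretype jks -deststoretype pkcs12 -noprompt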
#将名为ths.keystore的证书库中别名为ths的证书条目以PEM格式(-rfc)导出到证书文件ths.crt/ths.cer中(.crt与.cer只是扩展名不同,内容相同,即nginx的ssl_certificate文件)
REM Export the "ths" certificate as PEM (-rfc): this is the file nginx's ssl_certificate points at.
REM It overwrites the DER ths.cer written by the earlier -exportcert; -export is the old name of -exportcert.
keytool -exportcert -rfc -keystore ths.keystore -storepass changeit -alias ths -file ths.cer
#key:keytool本身没有导出私钥的命令,需要通过代码从keystore中读出并以PKCS#8 PEM格式(-----BEGIN PRIVATE KEY-----)输出,如下所示;也可以用openssl从上面生成的ths.p12中提取:openssl pkcs12 -in ths.p12 -nocerts -nodes -out ths.key(输出的是未加密私钥,注意文件权限):
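/**
 * Loads a JKS keystore from disk.
 *
 * @param keyStorePath path of the keystore file
 * @param password     keystore (integrity) password
 * @return the loaded keystore
 * @throws Exception if the file cannot be opened, is not a JKS store, or the password is wrong
 */
public static KeyStore getKeyStore(String keyStorePath, String password) throws Exception {
    // try-with-resources closes the stream even when load() throws; the original only
    // closed it on the success path and leaked the descriptor on a bad password / corrupt file.
    try (FileInputStream is = new FileInputStream(keyStorePath)) {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(is, password.toCharArray());
        return ks;
    }
}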
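/**
 * Prints the private key of the "ths" entry of C:\cert\ths\ths.keystore as PEM on stdout and
 * returns it. Kept for compatibility; the path, password and alias are hard-coded here and
 * forwarded to the parameterised overload.
 *
 * @return the private key, or null if the keystore or entry cannot be read
 */
public static PrivateKey getPrivateKey() {
    return getPrivateKey("C:\\cert\\ths\\ths.keystore", "changeit", "ths");
}

/**
 * Reads a private key from a JKS keystore and prints it as a PKCS#8 PEM block
 * ("-----BEGIN PRIVATE KEY-----") on stdout, the format nginx's ssl_certificate_key accepts.
 *
 * The original printed the bytes under "-----BEGIN RSA PRIVATE KEY-----". That label tells
 * OpenSSL/nginx to expect a PKCS#1 RSAPrivateKey, but PrivateKey.getEncoded() returns PKCS#8
 * (key.getFormat() is "PKCS#8"), which is why nginx fails with PEM_read_bio errors on the result.
 * It also used sun.misc.BASE64Encoder, an internal class removed in JDK 9; java.util.Base64 is used here.
 *
 * Security note: the unencrypted private key goes to stdout. Redirect it into a file with
 * owner-only permissions on the nginx host and do not leave it in logs or terminals. The keystore
 * password is used as the key password too, matching the keypass=storepass setup of the tutorial.
 *
 * @param keyStorePath path of the JKS keystore
 * @param password     keystore password, also used as the key entry password
 * @param alias        alias of the key entry to export
 * @return the private key, or null if the keystore cannot be opened, the alias has no key entry,
 *         or the key is not PKCS#8-encoded (the reason is written to stderr instead of being swallowed)
 */
public static PrivateKey getPrivateKey(String keyStorePath, String password, String alias) {
    try {
        KeyStore ks = getKeyStore(keyStorePath, password);
        PrivateKey key = (PrivateKey) ks.getKey(alias, password.toCharArray());
        if (key == null) {
            // Original hit a NullPointerException here and returned null silently.
            throw new java.security.UnrecoverableKeyException("no key entry for alias " + alias);
        }
        if (!"PKCS#8".equals(key.getFormat())) {
            // Any other encoding would be mislabelled by the PEM header below.
            throw new IllegalStateException("unexpected private key encoding: " + key.getFormat());
        }
        // MIME encoder with 64-character lines produces standard PEM body formatting.
        String body = java.util.Base64.getMimeEncoder(64, "\n".getBytes(java.nio.charset.StandardCharsets.US_ASCII))
                .encodeToString(key.getEncoded());
        System.out.println("-----BEGIN PRIVATE KEY-----");
        System.out.println(body);
        System.out.println("-----END PRIVATE KEY-----");
        return key;
    } catch (Exception e) {
        System.err.println("getPrivateKey: " + e);
        return null;
    }
}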
/**
 * Entry point: dumps the hard-coded "ths" private key as PEM (see getPrivateKey()).
 * The return value is discarded; the PEM text on stdout is the useful output.
 */
public static void main(String[] args) throws InterruptedException {
    PrivateKey ignored = getPrivateKey();
}
三、查看转换管理证书
#生成p12格式证书
REM Convert one JKS key entry to PKCS#12 (passwords are prompted for). The resulting client.p12
REM holds the private key of key_alias, so treat the file as a secret.
keytool -importkeystore -srcstoretype jks -srckeystore serverKey.jks -srcalias key_alias -deststoretype pkcs12 -destkeystore client.p12 -destalias key_alias -noprompt
#查看证书
REM List the entries of the keystore (add -v for full certificate details).
keytool -list -keystore serverKey.jks -storepass 123456
#删除证书
REM Remove an entry by alias. For a key entry this destroys the private key -- there is no undo.
keytool -delete -keystore serverKey.jks -storepass 123456 -alias ca_alias
参考:[生成CA和二级CA证书]:https://www.hellojava.com/a/76445.html
【nginx ssl cert】:https://ma.ttias.be/nginx-ssl-certificate-errors-pem_read_bio_x509_aux-pem_read_bio_x509-ssl_ctx_use_privatekey_file/#PEM_read_bio_X509_AUX