天天看點

OpenSSL and Keytool

1、OpenSSL實踐

工作中需要配置使用SSL來雙向認證并通信的FTP伺服器,以OpenSSL和Java的keytool為例,來完成證書的制作:

d:/openssl/mkcerts>openssl genrsa -out ca.key 1024

建立CA私鑰

Loading 'screen' into random state - done

warning, not much extra random data, consider using the -rand option

Generating RSA private key, 1024 bit long modulus

...................................................................++++++

.............++++++

e is 65537 (0x10001)

d:/openssl/mkcerts>openssl req -new -days 3650 -x509 -key ca.key -out cacert.pem -config openssl.cnf

建立CA自簽名證書(使用上一步建立的CA私鑰來簽名)

Using configuration from openssl.cnf

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:BEIJING

Locality Name (eg, city) []:BEIJING

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chelseafc

Organizational Unit Name (eg, section) []:FTPTest

Common Name (eg, YOUR name) []:CHELSEA

Email Address []:[email protected]

d:/openssl/mkcerts>openssl genrsa -des3 -out server.key 1024

建立伺服器私鑰

Loading 'screen' into random state - done

warning, not much extra random data, consider using the -rand option

Generating RSA private key, 1024 bit long modulus

..............++++++

.++++++

e is 65537 (0x10001)

Enter PEM pass phrase:

Verifying password - Enter PEM pass phrase:

d:/openssl/mkcerts>openssl rsa -in server.key -out serverkey.pem

加密伺服器私鑰(保護私鑰資訊)

read RSA key

Enter PEM pass phrase:

writing RSA key

d:/openssl/mkcerts>openssl req -new -days 3650 -key server.key -out server.csr-config openssl.cnf

建立申請伺服器所需證書的請求

Using configuration from openssl.cnf

Enter PEM pass phrase:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:BEIJING

Locality Name (eg, city) []:BEIJING

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chelseafc

Organizational Unit Name (eg, section) []:FTPTest

Common Name (eg, YOUR name) []:CHELSEA

Email Address []:[email protected]

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

d:/openssl/mkcerts>openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in server.csr -out server.pem -config openssl.cnf

CA簽署伺服器證書(需要CA私鑰和序列号檔案demoCA/serial, demoCA/index.txt)

Using configuration from openssl.cnf

Loading 'screen' into random state - done

Check that the request matches the signature

Signature ok

The Subjects Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'BEIJING'

localityName :PRINTABLE:'BEIJING'

organizationName :PRINTABLE:'Chelseafc'

organizationalUnitName:PRINTABLE:'FTPTest'

commonName :PRINTABLE:'CHELSEA'

emailAddress :IA5STRING:'[email protected]'

Certificate is to be certified until Oct 26 03:01:33 2006 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

d:/openssl/mkcerts>openssl x509 -in server.pem -out server.crt

轉換格式

d:/openssl/mkcerts>openssl x509 -in demoCA/cacert.pem -out demoCA/cacert.crt

轉換格式

d:/openssl/mkcerts>keytool -genkey -keyalg RSA -alias ftpsconnector -keystore ftps.jks -storepass changeit -storetype jks

産生Java用戶端私鑰檔案

您的名字與姓氏是什麼?

[Unknown]: CHELSEA

您的組織機關名稱是什麼?

[Unknown]: FTPTest

您的組織名稱是什麼?

[Unknown]: Chelseafc

您所在的城市或區域名稱是什麼?

[Unknown]: BEIJING

您所在的州或省份名稱是什麼?

[Unknown]: BEIJING

該機關的兩字母國家代碼是什麼

[Unknown]: CN

CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING, ST=BEIJING, C=CN 正确嗎?

[否]: Y

輸入<ftpsconnector>的主密碼

(如果和 keystore 密碼相同,按回車):

d:/openssl/mkcerts>keytool -certreq -alias ftpsconnector -keyalg RSA -file ftpsconnector.csr -keystore ftps.jks

産生Java用戶端證書請求

輸入keystore密碼: changeit

d:/openssl/mkcerts>openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in ftpsconnector.csr -out ftpsconnector.pem -config openssl.cnf

CA簽署Java用戶端證書

Using configuration from openssl.cnf

Loading 'screen' into random state - done

Check that the request matches the signature

Signature ok

The Subjects Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'BEIJING'

localityName :PRINTABLE:'BEIJING'

organizationName :PRINTABLE:'Chelseafc'

organizationalUnitName:PRINTABLE:'FTPTest'

commonName :PRINTABLE:'CHELSEA'

Certificate is to be certified until Oct 26 03:05:08 2006 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

d:/openssl/mkcerts>openssl x509 -in ftpsconnector.pem -out ftpsconnector.cer

轉換格式

d:/openssl/mkcerts>keytool -import -alias root -trustcacerts -file demoCA/cacert.crt -keystore ftps.jks

導入CA憑證到jks檔案并信任之(由此CA所簽署的所有證書也是以在信任之列)

輸入keystore密碼: changeit

Owner: [email protected], CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING, S

T=BEIJING, C=CN

發照者: EMAILADDRESS=chelse[email protected], CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING,

ST=BEIJING, C=CN

序号: 0

有效期間: Wed Oct 26 10:55:43 CST 2005 至: Sat Oct 24 10:55:43 CST 2015

認證指紋:

MD5: 85:21:11:10:26:4A:CD:01:55:B7:47:DF:0D:58:AA:A3

SHA1: 91:74:88:03:B7:5C:E4:BD:27:1F:27:BF:10:23:0A:BA:2C:42:13:2B

信任這個認證? [否]: y

認證已添加至keystore中

d:/openssl/mkcerts>keytool -import -alias ftpsconnector -trustcacerts -file ftpsconnector.cer -keystore ftps.jks

導入自己的證書到jks檔案(至此,此jks檔案包括了建立SSL連接配接所需所有資訊)

輸入keystore密碼: changeit

認證回複已安裝在 keystore中

其它OpenSSL指令舉例

openssl pkcs12 -export -clcerts -in client.pem -inkey clientkey.pem -out client.p12

openssl pkcs8 -inform PEM -nocrypt -in abcwebnet-pkcs8.key -out abcwebnet.key

openssl pkcs12 -export -out abcwebnet.pfx -inkey abcwebnet.key -in abcwebnet-pem.crt

... ...

2、keytool實踐

keystore這個名字其實有點誤導,應該是CertStore,可以同時包含兩種資訊:自己的keyEntry,和trusted cert entry.(自然包括自己的私鑰公鑰和信任的公鑰了)(有時會分開,信任的證書存儲在單獨的檔案中)

keystore可以有兩類密碼,一個是保護這個檔案的(storepass),一種是保護檔案裡每一個key的(keypass)

可以為每個key指定alias,然後使用alias來引用或通路對應的key

Example:

rem 建立用戶端keystore

keytool -genkey -keyalg RSA -keystore client.jks -storetype jks -storepass client -alias client_rsa -keypass client_rsa -dname "CN=Client, OU=IBM, C=US" -keysize 1024 -validity 1460

rem 建立服務端keystore

keytool -genkey -keyalg RSA -keystore server.jks -storetype jks -storepass server -alias server_rsa -keypass server_rsa -dname "CN=Server, OU=IBM, C=US" -keysize 1024 -validity 1460

rem 從用戶端keystore中導出通用格式的證書,以備導入到服務端keystore

keytool -export -keystore client.jks -storetype jks -storepass client -alias client_rsa -file client_rsa.cer

rem 從服務端keystore中導出通用格式的證書,以備導入到用戶端keystore

keytool -export -keystore server.jks -storetype jks -storepass server -alias server_rsa -file server_rsa.cer

rem 導入用戶端證書到服務端keystore(此動作的後果是使服務端信任用戶端)

keytool -import -noprompt -keystore server.jks -storetype jks -storepass server -alias client_rsa -file client_rsa.cer

rem 導入服務端證書到用戶端keystore(此動作的後果是使用戶端信任服務端)

keytool -import -noprompt -keystore client.jks -storetype jks -storepass client -alias server_rsa -file server_rsa.cer

rem 列出用戶端keystore包含的資訊供檢視

keytool -list -keystore client.jks -storepass client -v

rem 列出服務端keystore包含的資訊供檢視

keytool -list -keystore server.jks -storepass server -v

3、Java用戶端

用戶端通常有一個檔案,包含了所有信任的證書資訊(包括SSL伺服器),如上面的ftps.jks,可以以程式設計的方式将此檔案的位置密碼格式等告知用戶端socket運作時,這樣在試圖建立SSL連接配接時收到伺服器發送過來的證書時,便可以進行信任驗證

可以通過java.security file in jdk folder 或者 -Djavax.net.ssl.keyStore=xxx -Djavax.net.ssl.keyStorePassword=yyy 來設定

可以參考: http://www-128.ibm.com/developerworks/cn/websphere/techjournal/0502_benantar/0502_benantar.html