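1. OpenSSL in practice
At work I needed to configure an FTP server that uses SSL for mutual authentication and communication. Using OpenSSL and Java's keytool as the example, the certificates are created as follows: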
d:/openssl/mkcerts>openssl genrsa -out ca.key 1024
Create the CA private key
Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
...................................................................++++++
.............++++++
e is 65537 (0x10001)
d:/openssl/mkcerts>openssl req -new -days 3650 -x509 -key ca.key -out cacert.pem -config openssl.cnf
Create the CA's self-signed certificate (signed with the CA private key created in the previous step)
Using configuration from openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chelseafc
Organizational Unit Name (eg, section) []:FTPTest
Common Name (eg, YOUR name) []:CHELSEA
Email Address []:[email protected]
d:/openssl/mkcerts>openssl genrsa -des3 -out server.key 1024
Create the server private key
Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
..............++++++
.++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
d:/openssl/mkcerts>openssl rsa -in server.key -out serverkey.pem
Encrypt the server private key (protect the private key information)
read RSA key
Enter PEM pass phrase:
writing RSA key
d:/openssl/mkcerts>openssl req -new -days 3650 -key server.key -out server.csr -config openssl.cnf
Create the request for the certificate the server needs
Using configuration from openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chelseafc
Organizational Unit Name (eg, section) []:FTPTest
Common Name (eg, YOUR name) []:CHELSEA
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
d:/openssl/mkcerts>openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in server.csr -out server.pem -config openssl.cnf
The CA signs the server certificate (this requires the CA private key and the serial number files demoCA/serial, demoCA/index.txt)
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BEIJING'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'Chelseafc'
organizationalUnitName:PRINTABLE:'FTPTest'
commonName :PRINTABLE:'CHELSEA'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 26 03:01:33 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
d:/openssl/mkcerts>openssl x509 -in server.pem -out server.crt
Convert the format
d:/openssl/mkcerts>openssl x509 -in demoCA/cacert.pem -out demoCA/cacert.crt
Convert the format
d:/openssl/mkcerts>keytool -genkey -keyalg RSA -alias ftpsconnector -keystore ftps.jks -storepass changeit -storetype jks
Generate the Java client's private key file
您的名字與姓氏是什麼?
[Unknown]: CHELSEA
您的組織機關名稱是什麼?
[Unknown]: FTPTest
您的組織名稱是什麼?
[Unknown]: Chelseafc
您所在的城市或區域名稱是什麼?
[Unknown]: BEIJING
您所在的州或省份名稱是什麼?
[Unknown]: BEIJING
該機關的兩字母國家代碼是什麼
[Unknown]: CN
CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING, ST=BEIJING, C=CN 正确嗎?
[否]: Y
輸入<ftpsconnector>的主密碼
(如果和 keystore 密碼相同,按回車):
d:/openssl/mkcerts>keytool -certreq -alias ftpsconnector -keyalg RSA -file ftpsconnector.csr -keystore ftps.jks
Generate the Java client's certificate request
輸入keystore密碼: changeit
d:/openssl/mkcerts>openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in ftpsconnector.csr -out ftpsconnector.pem -config openssl.cnf
The CA signs the Java client certificate
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BEIJING'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'Chelseafc'
organizationalUnitName:PRINTABLE:'FTPTest'
commonName :PRINTABLE:'CHELSEA'
Certificate is to be certified until Oct 26 03:05:08 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
d:/openssl/mkcerts>openssl x509 -in ftpsconnector.pem -out ftpsconnector.cer
Convert the format
d:/openssl/mkcerts>keytool -import -alias root -trustcacerts -file demoCA/cacert.crt -keystore ftps.jks
Import the CA certificate into the jks file and trust it (every certificate signed by this CA is therefore trusted as well)
輸入keystore密碼: changeit
Owner: [email protected], CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING, S
T=BEIJING, C=CN
發照者: EMAILADDRESS=chelse[email protected], CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING,
ST=BEIJING, C=CN
序号: 0
有效期間: Wed Oct 26 10:55:43 CST 2005 至: Sat Oct 24 10:55:43 CST 2015
認證指紋:
MD5: 85:21:11:10:26:4A:CD:01:55:B7:47:DF:0D:58:AA:A3
SHA1: 91:74:88:03:B7:5C:E4:BD:27:1F:27:BF:10:23:0A:BA:2C:42:13:2B
信任這個認證? [否]: y
認證已添加至keystore中
d:/openssl/mkcerts>keytool -import -alias ftpsconnector -trustcacerts -file ftpsconnector.cer -keystore ftps.jks
Import our own certificate into the jks file (at this point the jks file contains everything needed to establish the SSL connection)
輸入keystore密碼: changeit
認證回複已安裝在 keystore中
Other OpenSSL command examples
openssl pkcs12 -export -clcerts -in client.pem -inkey clientkey.pem -out client.p12
openssl pkcs8 -inform PEM -nocrypt -in abcwebnet-pkcs8.key -out abcwebnet.key
openssl pkcs12 -export -out abcwebnet.pfx -inkey abcwebnet.key -in abcwebnet-pem.crt
... ...
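2. keytool in practice
The name keystore is actually somewhat misleading; it should really be CertStore. It can hold two kinds of information at once: your own keyEntry and trusted cert entries (which naturally means your own private and public keys plus the public keys you trust). (Sometimes the two are kept apart, with the trusted certificates stored in a separate file.)
A keystore can have two kinds of password: one that protects the file itself (storepass) and one that protects each individual key inside the file (keypass).
Each key can be given an alias, and the alias is then used to reference or access the corresponding key.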
Example:
rem Create the client keystore
keytool -genkey -keyalg RSA -keystore client.jks -storetype jks -storepass client -alias client_rsa -keypass client_rsa -dname "CN=Client, OU=IBM, C=US" -keysize 1024 -validity 1460
rem Create the server keystore
keytool -genkey -keyalg RSA -keystore server.jks -storetype jks -storepass server -alias server_rsa -keypass server_rsa -dname "CN=Server, OU=IBM, C=US" -keysize 1024 -validity 1460
rem Export the certificate from the client keystore in a common format, ready to import into the server keystore
keytool -export -keystore client.jks -storetype jks -storepass client -alias client_rsa -file client_rsa.cer
rem Export the certificate from the server keystore in a common format, ready to import into the client keystore
keytool -export -keystore server.jks -storetype jks -storepass server -alias server_rsa -file server_rsa.cer
rem Import the client certificate into the server keystore (the effect is that the server trusts the client)
keytool -import -noprompt -keystore server.jks -storetype jks -storepass server -alias client_rsa -file client_rsa.cer
rem Import the server certificate into the client keystore (the effect is that the client trusts the server)
keytool -import -noprompt -keystore client.jks -storetype jks -storepass client -alias server_rsa -file server_rsa.cer
rem List the contents of the client keystore for inspection
keytool -list -keystore client.jks -storepass client -v
rem List the contents of the server keystore for inspection
keytool -list -keystore server.jks -storepass server -v
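3. Java client
The client usually has a file containing all the certificates it trusts (including the SSL server's), such as the ftps.jks above. The location, password, format and so on of this file can be passed programmatically to the client socket runtime, so that when the client receives the certificate sent by the server while trying to establish the SSL connection, it can verify that the certificate is trusted.
This can be set through the java.security file in the JDK folder, or with -Djavax.net.ssl.keyStore=xxx -Djavax.net.ssl.keyStorePassword=yyy
For reference: http://www-128.ibm.com/developerworks/cn/websphere/techjournal/0502_benantar/0502_benantar.html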
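The programmatic route described above, as an added example that is not part of the original page: it loads ftps.jks once and uses its key entry (alias ftpsconnector) for client authentication and its trusted cert entry (alias root) to validate the server. The class name FtpsClientContext, the host and port arguments, and the assumption that keypass equals storepass (Enter was pressed at the key password prompt in section 1) are illustrative.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class FtpsClientContext {
    // Builds an SSLContext for mutual authentication from one JKS file that holds
    // both the client's key entry and the trusted CA certificate.
    static SSLContext fromKeystore(String path, char[] storePass, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass); // storepass: integrity check of the file itself
        }
        // Key entry: the private key and certificate presented when the server
        // asks for a client certificate. keypass unlocks the private key.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        // Trusted cert entries: the anchors used to validate the server's chain.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java FtpsClientContext <host> <port>
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] pass = "changeit".toCharArray(); // store password from the walkthrough
        SSLContext ctx = fromKeystore("ftps.jks", pass, pass);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Chain validation alone does not tie the certificate to the host name;
            // enable endpoint identification so the name is checked as well.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake(); // throws SSLHandshakeException if trust or name check fails
            System.out.println(s.getSession().getProtocol() + " peer: "
                    + s.getSession().getPeerPrincipal());
        }
    }
}
```

Building the context in code keeps the keystore password out of the process command line, where a -D system property would expose it to anyone who can list processes.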