Notes on applying for SSL certificates / Tips of SSL certificate

1. Generate the CSR

felix@jira [~/ssl] $ keytool -genkey -alias tomcat -keyalg RSA -keystore xyz.keystore
Enter keystore password: xxxxxx
What is your first and last name?
[Unknown]: www.xyz.com
What is the name of your organizational unit?
[Unknown]: Networks
What is the name of your organization?
[Unknown]: Xyz aps
What is the name of your City or Locality?
[Unknown]: New York
What is the name of your State or Province?
[Unknown]: German
What is the two-letter country code for this unit?
[Unknown]: UK
Is CN=www.xyz.com, OU=Networks, O=Xyz aps, L=New York, ST=German, C=UK correct?
[no]: yes

Enter key password for
(RETURN if same as keystore password): xxxxxx

felix@jira [~/ssl] $ keytool -certreq -alias tomcat -file xyz.csr -keystore xyz.keystore
Enter keystore password: xxxxxx
felix@jira [~/ssl] $ ls
xyz.csr xyz.keystore mms.csr request.csr sms.csr sp.keystore tamms.keystore tasms.keystore
felix@jira [~/ssl] $ more xyz.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
felix@jira [~/ssl] $ keytool -list -v -keystore xyz.keystore
Enter keystore password: xxxxxx

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Oct 12, 2009
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.xyz.com, OU= Networks, O=Xyz aps, L=Birkerod, ST=Denmark, C=DK
Issuer: CN=www.xyz.com, OU= Networks, O=Xyz aps, L=Birkerod, ST=Denmark, C=DK
Serial number: 4ad2f589
Valid from: Mon Oct 12 17:23:21 CST 2009 until: Sun Jan 10 17:23:21 CST 2010
Certificate fingerprints:
MD5: EA:AF:BB:B8:…:C5:E4:B5:BF:C3:74
SHA1: EE:A6:CD:F6:….:A3:54:05:4A:BA:BA:7C:64:FD:E3

*******************************************
*******************************************

Note: when sending this CSR to the customer, tell them at the same time that Tomcat is being used and that the certificate must come back in Java keystore format.

2. Import a certificate that comes back in the normal format

felix@jira [~/ssl] $ keytool -import -trustcacerts -file sms.cert -keystore tasms.keystore -storepass xxxxxx -alias tomcat
Certificate reply was installed in keystore
felix@jira [~/ssl] $ keytool -list -v -keystore tasms.keystore -storepass xxxxxx

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Oct 15, 2009
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
…Serial number: 1
Valid from: Thu Aug 01 08:00:00 CST 1996 until: Fri Jan 01 07:59:59 CST 2021
Certificate fingerprints:
MD5: 06:9F:69:…:8C:8C:A2:C3:07:6F:3A
SHA1: 62:7F:…0:44:C9:FE:B3:F3:3E:FA:9A

*******************************************
*******************************************

3. Import an X.509-format certificate generated for Apache

Although we generated the CSR with keytool, sometimes the customer says they cannot produce the Java keystore-format certificate that Tomcat needs. The certificate can still be imported in that case, but the procedure is somewhat different.

3.1 Export the private key from the keystore
Reference URL: http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips
Download KeyTool-IUI from http://yellowcat1.free.fr/index_ktl.html and use this Java GUI tool to export the private key inside the keystore in PEM format.

3.2 Combine the PEM-format private key and the X.509 certificate into a PKCS12-format keystore
felix@jira [~/ssl/xyz] $ openssl pkcs12 -export -out xyz.p12 -inkey m.pem -in xyz.cert
Enter Export Password:
Verifying - Enter Export Password:

felix@jira [~/ssl/xyz] $ keytool -list -v -keystore xyz.p12 -storetype pkcs12
Enter keystore password: xxxxxx

Keystore type: pkcs12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: 2
Creation date: Oct 15, 2009
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.xyz.com, OU= Networks, O=Xyz aps, L=New York, ST=German, C=UK
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign …1:82:D1:01:FC:DC:DC
SHA1: 92:7A:15:99:69:62:A7:DC:67:ED:6F:A0:40:3A:AF:E9:2B:08:36:4A

*******************************************
*******************************************

3.3 Configure it in Tomcat's configuration file
clientAuth="false" sslProtocol="TLS" keystoreFile="/usr/local/tomcat/ssl/xyz.p12" keystorePass="xxxxxx" keystoreType="pkcs12" />
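As an added example (not the post's own commands), the following POSIX shell script checks that the PEM private key exported in step 3.1 really belongs to the returned X.509 certificate before running the `openssl pkcs12 -export` of step 3.2, and gives the entry the alias `tomcat` instead of the auto-assigned `2` seen in the listing above. It assumes `openssl` is on PATH, that the export password is supplied through an environment variable named `P12_PASS` (an assumption), and an optional chain file argument (also an assumption) for the CA certificates.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that the PEM private key
# exported from the JKS keystore (step 3.1) matches the CA-issued certificate
# before building the PKCS12 keystore (step 3.2). Assumes openssl is on PATH and
# that the keystore password is passed in the P12_PASS environment variable.

# SHA-256 over the DER SubjectPublicKeyInfo of a private key's public half.
key_pub_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER SubjectPublicKeyInfo carried inside a certificate.
cert_pub_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when key and certificate share the same public key, 1 otherwise.
# Both inputs must parse first, so two unreadable files never "match" on an
# empty digest.
key_matches_cert() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$2" -noout 2>/dev/null || return 1
    k=$(key_pub_fingerprint "$1")
    c=$(cert_pub_fingerprint "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build the PKCS12 keystore with the fixed alias "tomcat". The optional fourth
# argument is a PEM file with the intermediate/root CA certificates so the
# keystore carries the full chain, as the section 2 listing (chain length 2) does.
build_p12() {
    key=$1; cert=$2; out=$3; chain=$4
    if ! key_matches_cert "$key" "$cert"; then
        echo "refusing to build $out: private key does not match $cert" >&2
        return 1
    fi
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -name tomcat -inkey "$key" -in "$cert" \
            -certfile "$chain" -out "$out" -passout env:P12_PASS
    else
        openssl pkcs12 -export -name tomcat -inkey "$key" -in "$cert" \
            -out "$out" -passout env:P12_PASS
    fi
}
```

Run it as `P12_PASS=xxxxxx build_p12 m.pem xyz.cert xyz.p12` after sourcing the file; `keytool -list -v -keystore xyz.p12 -storetype pkcs12` should then show `Alias name: tomcat`.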
