
How to create a certificate with keytool?

I've looked in 4 (yes, four) tutorials already and still don't get how to get this working.

After setting up a second HTTP listener configured for HTTPS in my Glassfish 4.1.1 server, I'm trying to create a certificate so I don't get security errors in my browser. The problem is that I just can't get keytool working properly; it just messes up and throws strange errors whatever I do. For example, it doesn't find some of the commands that many guides recommend.

I can guess that the tool changed in Java 8 or something else, I don't really know.

Thing is: I want to create a certificate, export it to my Glassfish server, and have HTTPS correctly implemented and working for testing purposes. What should I do for this?

EDIT: Seriously, I'm in trouble because of this. I just can't do anything: the cacerts password isn't the typical "changeit", I can't get my keys out of the keystore, and therefore I can't do anything with certificates.

If all you need to do is create a pair of self-signed certificates... I may be able to help.

On a Microsoft Windows machine:

  • Create an empty directory and save the below script there (GenTestCerts.ps1).
  • Edit the script and change the Alias values (and other variables) to whatever you need.
  • Execute the script.

Copy the server (tomcat.server.net.p12) cert to wherever your server expects it to be.

Copy the Trust Store (truststore.p12) to wherever your server expects it to be.

Install the admin (tomcat-admin.p12) cert in your Windows key store, accepting the root into your Trusted Root Certification Authorities section.

<#
    This sample Windows PowerShell script will:
        1.) Create a Certificate Authority
        2.) Create a Server Certificate signed by the Certificate Authority
        3.) Create a Client Certificate signed by the Certificate Authority
        4.) Create a TrustStore containing the public Certificate Authority key

    The first section defines variables
    The second section does the work

    All Key Stores are PKCS12

    The Server Certificate includes a Subject Alternative Name
        The command below uses the serverAlias as the serverDNS value, but may be changed to whatever you need

    You just need Java 7 (or higher) installed and keytool in your path
#>

<# Your Organizational Information #>
$organizationalUnit="USN"
$organization="NRL"
$locality="Washington"
$state="DC"
$country="USA"

<# Certificate Alias #>
$authorityAlias="tomcat-root"
$serverAlias="tomcat.server.net"
$clientAlias="tomcat-admin"

<# Subject Alternative Name #>
$serverDNS="$serverAlias"

<# Extensions #>
$certAuthExtension="BasicConstraints:critical=ca:true,pathlen:10000"
$altNameExtension="san=dns:$serverDNS"

<# Trust Store #>
$trustCertName="truststore"

<# Key size and effective period #>
$keySize="4096"
$validity="365"

<# Key and Store Password #>
$certPassword="changeit"

<# ------------------------------------------------------------------------------------------ #>
<# ------------------  Use caution if you change anything below this line  ------------------ #>
<# ------------------------------------------------------------------------------------------ #>

$authorityDN="CN=$authorityAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
$serverDN="CN=$serverAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
$clientDN="CN=$clientAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"

rm "$authorityAlias.*"
rm "$serverAlias.*"
rm "$clientAlias.*"
rm "$trustCertName.*"

echo ""
echo "Generating the Root Authority Certificate..."
<# -storetype is the option -genkeypair honours; -deststoretype belongs to -importkeystore and is otherwise ignored,
   which on Java 8 (default type JKS) would silently produce a JKS file with a .p12 name #>
keytool -genkeypair -alias "$authorityAlias" -keyalg RSA -dname "$authorityDN" -ext "$certAuthExtension" `
    -validity "$validity" -keysize "$keySize" -keystore "$authorityAlias.p12" -keypass "$certPassword" `
    -storepass "$certPassword" -storetype pkcs12
echo "- Exporting Root Authority Certificate Public Key..."
keytool -exportcert -rfc -alias "$authorityAlias" -file "$authorityAlias.cer" -keypass "$certPassword" `
    -keystore "$authorityAlias.p12" -storepass "$certPassword"

echo ""
echo "Generating the Server Certificate..."
echo "- Creating Key Pair"
keytool -genkey -validity "$validity" -keysize "$keySize" -alias "$serverAlias" -keyalg RSA -dname "$serverDN" `
    -ext "$altNameExtension" -keystore "$serverAlias.p12" -keypass "$certPassword" -storepass "$certPassword" `
    -storetype pkcs12
echo "- Creating Certificate Signing Request"
keytool -certreq -alias "$serverAlias" -ext "$altNameExtension" -keystore "$serverAlias.p12" -file "$serverAlias.csr" `
    -keypass "$certPassword" -storepass "$certPassword"
echo "- Signing Certificate"
<# Without -validity, -gencert issues a certificate that expires after 90 days regardless of $validity #>
keytool -gencert -infile "$serverAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
    -alias "$authorityAlias" -ext "$altNameExtension" -validity "$validity" -outfile "$serverAlias.pem"
echo "- Adding Certificate Authority Certificate to Keystore"
keytool -import -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$serverAlias.p12" `
    -storepass "$certPassword" -noprompt
echo "- Adding Certificate to Keystore"
keytool -import -keystore "$serverAlias.p12" -file "$serverAlias.pem" -alias "$serverAlias" -keypass "$certPassword" `
    -storepass "$certPassword" -noprompt
rm "$serverAlias.csr"
rm "$serverAlias.pem"

echo ""
echo "Generating the Client Certificate..."
echo "- Creating Key Pair"
keytool -genkey -validity "$validity" -keysize "$keySize" -alias "$clientAlias" -keyalg RSA -dname "$clientDN" `
    -keystore "$clientAlias.p12" -keypass "$certPassword" -storepass "$certPassword" -storetype pkcs12
echo "- Creating Certificate Signing Request"
keytool -certreq -alias "$clientAlias" -keystore "$clientAlias.p12" -file "$clientAlias.csr" -keypass "$certPassword" `
    -storepass "$certPassword"
echo "- Signing Certificate"
keytool -gencert -infile "$clientAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
    -alias "$authorityAlias" -validity "$validity" -outfile "$clientAlias.pem"
echo "- Adding Certificate Authority Certificate to Keystore"
keytool -import -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$clientAlias.p12" `
    -storepass "$certPassword" -noprompt
echo "- Adding Certificate to Keystore"
keytool -import -keystore "$clientAlias.p12" -file "$clientAlias.pem" -alias "$clientAlias" -keypass "$certPassword" `
    -storepass "$certPassword" -noprompt
rm "$clientAlias.csr"
rm "$clientAlias.pem"

echo ""
echo "Generating the Trust Store and putting the Root Authority Certificate in it..."
<# The trust store holds only the CA's public certificate, never a private key #>
keytool -importcert -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$trustCertName.p12" `
    -storepass "$certPassword" -storetype pkcs12 -noprompt

echo ""
echo "Removing Public Key Files..."
rm "$authorityAlias.cer"

Hope this helps.

Best, Ace
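Added here as a post-run check, not part of Ace's answer: a small Java program that opens the PKCS12 files GenTestCerts.ps1 writes and verifies what the script is meant to guarantee before anything is copied to Glassfish. It assumes the script's default aliases, file names and "changeit" password, and is run from the directory the script ran in.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.concurrent.TimeUnit;
// Sanity-checks the PKCS12 files written by GenTestCerts.ps1 before they are copied to Glassfish.
public class CheckTestCerts {
    // Defaults match the script above (assumption); change them if you changed the script's variables.
    static final char[] PASSWORD = "changeit".toCharArray();
    static final String CA_ALIAS = "tomcat-root";
    static final String SERVER_ALIAS = "tomcat.server.net";
    static final String TRUSTSTORE = "truststore.p12";
    static KeyStore load(String file) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }
    static void require(boolean ok, String message) {
        if (!ok) throw new IllegalStateException(message);
    }
    public static void main(String[] args) throws Exception {
        // The trust store must hold the CA certificate as a trusted entry, never a private key.
        KeyStore trust = load(TRUSTSTORE);
        X509Certificate ca = (X509Certificate) trust.getCertificate(CA_ALIAS);
        require(ca != null, "trust store lacks alias " + CA_ALIAS);
        require(ca.getBasicConstraints() >= 0, "CA certificate is not marked ca:true");
        require(!trust.isKeyEntry(CA_ALIAS), "trust store must not contain a private key");
        // The server keystore must hold a private key whose certificate was signed by that CA.
        KeyStore server = load(SERVER_ALIAS + ".p12");
        require(server.isKeyEntry(SERVER_ALIAS), "no private key for " + SERVER_ALIAS);
        X509Certificate leaf = (X509Certificate) server.getCertificate(SERVER_ALIAS);
        leaf.verify(ca.getPublicKey());   // throws if the signature is not the CA's
        leaf.checkValidity();             // throws if expired or not yet valid
        // Browsers match the host name against the SAN, not the CN: require a dNSName (type 2) entry.
        boolean sanOk = false;
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) for (List<?> san : sans)
            sanOk |= Integer.valueOf(2).equals(san.get(0)) && SERVER_ALIAS.equals(san.get(1));
        require(sanOk, "server certificate has no dNSName SAN for " + SERVER_ALIAS);
        // keytool -gencert issues 90-day certificates unless -validity is given; catch that early.
        long days = TimeUnit.MILLISECONDS.toDays(leaf.getNotAfter().getTime() - leaf.getNotBefore().getTime());
        require(days >= 360, "server certificate is only valid for " + days + " days");
        System.out.println("OK: " + leaf.getSubjectX500Principal() + " is signed by " + ca.getSubjectX500Principal());
    }
}
```

Compile and run it with `javac CheckTestCerts.java && java CheckTestCerts`; any failed check prints the reason as an exception instead of "OK".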

I did that on a Tomcat many years ago; I remember not getting it right on the first try.

Unless you want to spend money (I guess there is no free certificate signing for websites out there), I recommend a self-signed certificate.

Have you tried this one? http://docs.oracle.com/cd/E19798-01/821-1751/ghlgv/index.html
