How to create a keystore and truststore using self-signed certificates?
We have a Java server and client that communicate over the network using SSL. The server and client mutually authenticate each other using certificates. The keystore type used by the server and client is JKS. The keystore and truststore file names for the server and client are: server.keystore, server.truststore, client.keystore, and client.truststore.
I am using self-signed certificates for testing only.
Questions:
Q1. I would like to know why I need to add the server's and client's own certificates into their respective truststores, in step 6.
Q2. Can I reduce the number of steps to achieve the same thing? If yes, then how?
Server:
1. Generate a private RSA key
openssl genrsa -out diagserverCA.key 2048
2. Create an x509 certificate
openssl req -x509 -new -nodes -key diagserverCA.key -sha256 -days 1024 -out diagserverCA.pem
3. Create a PKCS12 keystore from the private key and public certificate.
openssl pkcs12 -export -name server-cert -in diagserverCA.pem -inkey diagserverCA.key -out serverkeystore.p12
4. Convert the PKCS12 keystore into a JKS keystore
keytool -importkeystore -destkeystore server.keystore -srckeystore serverkeystore.p12 -srcstoretype pkcs12 -alias server-cert
5. Import the client's certificate into the server's truststore.
keytool -import -alias client-cert -file diagclientCA.pem -keystore server.truststore
6. Import the server's certificate into the server's truststore.
keytool -import -alias server-cert -file diagserverCA.pem -keystore server.truststore
Client:
1. Generate a private key
openssl genrsa -out diagclientCA.key 2048
2. Create an x509 certificate
openssl req -x509 -new -nodes -key diagclientCA.key -sha256 -days 1024 -out diagclientCA.pem
3. Create a PKCS12 keystore from the private key and public certificate.
openssl pkcs12 -export -name client-cert -in diagclientCA.pem -inkey diagclientCA.key -out clientkeystore.p12
4. Convert the PKCS12 keystore into a JKS keystore
keytool -importkeystore -destkeystore client.keystore -srckeystore clientkeystore.p12 -srcstoretype pkcs12 -alias client-cert
5. Import the server's certificate into the client's truststore.
keytool -import -alias server-cert -file diagserverCA.pem -keystore client.truststore
6. Import the client's certificate into the client's truststore.
keytool -import -alias client-cert -file diagclientCA.pem -keystore client.truststore
Q1. I would like to know why I need to add the server's and client's own certificates into their respective truststores, in step 6.
You don't. You add the server and client certificates into each other's truststores. The server and client have no need to trust their own certificates, but they do need to trust each other's.
Q2. Can I reduce the number of steps to achieve the same thing? If yes, then how?
You can do the entire thing with keytool. Plenty of documented examples. You don't need to use openssl at all.
Critique:
You will find correct instructions for doing the lot in the JSSE Reference Guide in the JDK documentation. About three steps each. But all it really goes to show is that self-signed certificates really aren't worth the paper they're printed on. Get CA-signed certificates. Much more value and much easier to deploy (no export step).
Where did you get this rubbish?
Q1. I would like to know why I need to add the server's and client's own certificates into their respective truststores, in step 6.
A1. If you're not using a common Certificate Authority to sign your client and server certificates... adding each to the truststore is the only way. However... even in a test environment, you can create your own certificate authority and use it to sign the client and server certificates that you create. Your truststore then would only need to contain the public key for your Certificate Authority.
Q2. Can I reduce the number of steps to achieve the same thing? If yes, then how?
A2. Yes, use a common certificate to sign your client and server certificates.
Check out the script in this post for a step-by-step on how to create your own CA and use it to sign server and client certs. It also creates your truststore...
Hope this helps.
Best, Ace
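The script below is an added example, not code from the question or from either answer. It does what the second answer recommends and what the first answer's point implies: one private CA signs both the server and the client certificate, and each truststore holds only that CA certificate, so neither peer needs its own certificate (or the other peer's leaf certificate) in its truststore. Unlike the question's step 2, only the CA is self-signed; the leaf certificates carry CA:FALSE, an extendedKeyUsage that pins each one to its role, and a subjectAltName on the server cert for the hostname check. Assumed: OpenSSL 1.1.1 or newer, a JDK keytool on PATH for the JKS part, and one password for every store read from STOREPASS (default changeit); the names diag-test-ca, diag-server, diag-client, pki.cnf and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the question or either answer): a private test CA made with
# openssl, a server and a client certificate signed by it, and the four Java stores.
# Assumptions: OpenSSL 1.1.1 or newer, a JDK keytool on PATH for the JKS part, and one
# password for every store (STOREPASS, default "changeit"). All names are made up.
set -eu

PASS="${STOREPASS:-changeit}"

# build_pki DIR: writes ca.key, ca.pem, server.key/csr/pem and client.key/csr/pem to DIR.
build_pki() {
  dir="$1"
  mkdir -p "$dir"
  (
    cd "$dir"
    # Own minimal req config, so no extensions from the system openssl.cnf get mixed in.
    printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = v3_ca\n' > pki.cnf
    printf '[dn]\nCN = placeholder\n' >> pki.cnf
    printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> pki.cnf

    # The CA is the only self-signed certificate; it is the sole entry in each truststore.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -config pki.cnf -key ca.key -sha256 -days 365 \
      -subj "/CN=diag-test-ca" -out ca.pem

    # Leaf extensions: CA:FALSE, an extendedKeyUsage that pins each cert to its role,
    # and on the server a subjectAltName for the client's hostname check.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:localhost,IP:127.0.0.1\n' > server.ext
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > client.ext
    for role in server client; do
      openssl genrsa -out "$role.key" 2048 2>/dev/null
      openssl req -new -config pki.cnf -key "$role.key" -subj "/CN=diag-$role" -out "$role.csr"
      openssl x509 -req -in "$role.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile "$role.ext" -out "$role.pem" 2>/dev/null
    done
  )
}

# build_java_stores DIR: server.keystore / client.keystore hold each peer's own key and
# chain; server.truststore / client.truststore hold only ca.pem.
build_java_stores() {
  dir="$1"
  (
    cd "$dir"
    for role in server client; do
      # PKCS12 with the leaf plus the CA chain; SHA1/3DES PBE so older JDK 8 builds read it
      openssl pkcs12 -export -name "$role" -in "$role.pem" -inkey "$role.key" \
        -certfile ca.pem -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -passout "pass:$PASS" -out "$role.p12"
      keytool -importkeystore -noprompt \
        -srckeystore "$role.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" -srcalias "$role" \
        -destkeystore "$role.keystore" -deststoretype JKS -deststorepass "$PASS" -destkeypass "$PASS"
      # Truststore: the CA certificate only. Neither the peer's own cert nor the other
      # peer's leaf goes here; anything the CA signed is accepted, each pinned by its EKU.
      keytool -importcert -noprompt -alias diag-test-ca -file ca.pem \
        -keystore "$role.truststore" -storetype JKS -storepass "$PASS"
    done
  )
}

# verify_purpose DIR ROLE PURPOSE: succeeds only if ROLE.pem chains to ca.pem and its
# EKU allows PURPOSE (sslserver or sslclient), the same decision a truststore enables.
verify_purpose() {
  openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2.pem" >/dev/null 2>&1
}

# truststore_entries DIR ROLE: number of trusted certs in ROLE.truststore (expected: 1).
truststore_entries() {
  keytool -list -keystore "$1/$2.truststore" -storetype JKS -storepass "$PASS" 2>/dev/null \
    | grep -c trustedCertEntry || true
}

# Usage: sh make-test-pki.sh OUTDIR   (no argument: only defines the functions)
if [ $# -ge 1 ]; then
  build_pki "$1"
  verify_purpose "$1" server sslserver
  verify_purpose "$1" client sslclient
  if command -v keytool >/dev/null 2>&1; then
    build_java_stores "$1"
    echo "truststore entries: server=$(truststore_entries "$1" server) client=$(truststore_entries "$1" client)"
  fi
fi
```

Run it as sh make-test-pki.sh ./pki. The stores come out as JKS to match the question; on JDK 9 and later the default and recommended type is PKCS12, so -deststoretype JKS and -storetype JKS can simply be dropped. The extendedKeyUsage values are what keep a shared CA from being a blank cheque: a certificate the CA issued for one role is still rejected for the other, which is the check openssl verify -purpose performs here and the JSSE trust manager performs during the TLS handshake.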
Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish them, please credit this site or the original URL. For any questions contact: yoyou2525@163.com.