
How to create keystore and truststore using self-signed certificate?

We have a Java server and client that communicate over the network using SSL. The server and client mutually authenticate each other using certificates. The keystore type used by the server and client is JKS. The keystore and truststore file names for the server and client are: server.keystore, server.truststore, client.keystore, and client.truststore.

I am using self-signed certificates for testing only.

Questions:

Q1. I would like to know why I need to add the server's and client's own certificates into their respective truststores, in step 6.

Q2. Can I reduce the number of steps to achieve the same thing? If yes, then how?

Steps to create an RSA key, self-signed certificate, keystore, and truststore for a server

1. Generate a private RSA key

openssl genrsa -out diagserverCA.key 2048

2. Create an x509 certificate

openssl req -x509 -new -nodes -key diagserverCA.key -sha256 -days 1024 -out diagserverCA.pem

3. Create a PKCS12 keystore from the private key and public certificate.

openssl pkcs12 -export -name server-cert -in diagserverCA.pem -inkey diagserverCA.key -out serverkeystore.p12

4. Convert the PKCS12 keystore into a JKS keystore

keytool -importkeystore -destkeystore server.keystore -srckeystore serverkeystore.p12 -srcstoretype pkcs12 -alias server-cert

5. Import the client's certificate into the server's truststore.

keytool -import -alias client-cert -file diagclientCA.pem -keystore server.truststore

6. Import the server's certificate into the server's truststore.

keytool -import -alias server-cert -file diagserverCA.pem -keystore server.truststore

Steps to create an RSA private key, self-signed certificate, keystore, and truststore for a client

1. Generate a private key

openssl genrsa -out diagclientCA.key 2048

2. Create an x509 certificate

openssl req -x509 -new -nodes -key diagclientCA.key -sha256 -days 1024 -out diagclientCA.pem

3. Create a PKCS12 keystore from the private key and public certificate.

openssl pkcs12 -export -name client-cert -in diagclientCA.pem -inkey diagclientCA.key -out clientkeystore.p12

4. Convert the PKCS12 keystore into a JKS keystore

keytool -importkeystore -destkeystore client.keystore -srckeystore clientkeystore.p12 -srcstoretype pkcs12 -alias client-cert

5. Import the server's certificate into the client's truststore.

keytool -import -alias server-cert -file diagserverCA.pem -keystore client.truststore

6. Import the client's certificate into the client's truststore.

keytool -import -alias client-cert -file diagclientCA.pem -keystore client.truststore

Q1. I would like to know why I need to add the server's and client's own certificates into their respective truststores, in step 6.

You don't. You add the server and client certificates into each other's truststores. The server and client have no need to trust their own certificates, but they do need to trust each other's.

Q2. Can I reduce the number of steps to achieve the same thing? If yes, then how?

You can do the entire thing with keytool. Plenty of documented examples. You don't need to use openssl at all.

Critique:

  • In the first part, steps 5 and 6 are both wrong. There should be one step: exporting the server's certificate to the client's truststore.
  • Similarly, in the second part, steps 5 and 6 are again wrong, and again there should be only one step: exporting the client's certificate to the server's keystore.
  • In other words, the two step 5s should be interchanged, and the two step 6s deleted.

You will find correct instructions for doing the lot in the JSSE Reference Guide in the JDK documentation. About three steps each. But all it really goes to show is that self-signed certificates really aren't worth the paper they're printed on. Get CA-signed certificates. Much more value and much easier to deploy (no export step).

Where did you get this rubbish?

Q1. I would like to know why I need to add the server's and client's own certificates into their respective truststores, in step 6.

A1. If you're not using a common Certificate Authority to sign your client and server certificates... adding each to the trust store is the only way. However... even in a test environment, you can create your own certificate authority and use it to sign the Client and Server certificates that you create. Your trust store then would only need to contain the public key for your Certificate Authority.

Q2. Can I reduce the number of steps to achieve the same thing? If yes, then how?

A2. Yes, use a common certificate to sign your client and server certificates.

Check out the script in this post for a step-by-step on how to create your own CA and use it to sign Server and Client certs. It also creates your trust store...

Hope this helps.

Best, Ace
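The private-CA approach from this answer, as an added example rather than the script the answer links to: openssl creates a test CA, signs one server and one client certificate from CSRs, and packs each key pair into a PKCS12 keystore (the question's step 3, ready for its step 4 conversion); the truststores then contain only ca.pem. The CA and host names, the extension values and the password "changeit" are constructed for this script; the final JKS truststore step uses the JDK's keytool and is skipped when it is not on PATH.

```shell
#!/bin/sh
# Added example (not the script the answer links to): a private test CA built
# with openssl that signs one server and one client certificate. Each side
# keeps its own key pair in a PKCS12 keystore and trusts only ca.pem.
# All names, subjects and the password "changeit" are constructed values.
set -eu

PASS=changeit

# 1. The CA: a key pair and a self-signed CA certificate. This is the one
#    certificate both truststores will contain.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Test CA/O=Example Test" \
    -keyout ca.key -out ca.pem 2>/dev/null
}

# 2. A leaf certificate for NAME with a SAN of HOST: generate a key and CSR,
#    then have the CA sign it with end-entity extensions (CA:FALSE, EKU).
issue_leaf() {
  name=$1
  host=$2
  eku=$3   # serverAuth or clientAuth
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host/O=Example Test" -keyout "$name.key" -out "$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' \
    "$eku" "$host" > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
}

# 3. A PKCS12 keystore holding NAME's key, its certificate and the CA cert as
#    the chain; keytool -importkeystore converts it to JKS as in step 4.
make_keystore() {
  name=$1
  openssl pkcs12 -export -name "$name" -in "$name.pem" -inkey "$name.key" \
    -certfile ca.pem -out "$name.keystore.p12" -passout "pass:$PASS"
}

# 4. A truststore containing only the CA certificate. keytool ships with the
#    JDK; without it on PATH the JKS file is simply not produced.
make_truststore() {
  owner=$1
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -alias test-ca -file ca.pem \
      -keystore "$owner.truststore" -storetype JKS -storepass "$PASS" >/dev/null
  fi
}

# Number of certificates in a PKCS12 keystore (leaf plus chain).
cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Returns 0 when CERT chains to the certificates in TRUSTFILE: the same
# path-validation outcome a truststore with that content would give in TLS.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_pki() {
  dir=$(mktemp -d)
  cd "$dir"
  make_ca
  issue_leaf server localhost serverAuth
  issue_leaf client client.example.test clientAuth
  make_keystore server
  make_keystore client
  make_truststore server
  make_truststore client
  echo "$dir"
}

PKI=$(build_pki)
chains_to "$PKI/ca.pem" "$PKI/server.pem" && echo "server cert chains to the test CA"
chains_to "$PKI/ca.pem" "$PKI/client.pem" && echo "client cert chains to the test CA"
# Without a common CA, the server's own certificate says nothing about the client's:
chains_to "$PKI/server.pem" "$PKI/client.pem" || echo "client cert does not chain to the server cert"
```

With a common CA, adding a second client or rotating a certificate needs no change to any truststore, which is the deployment advantage the answers above point to; the CA key should stay offline and separate from the server and client keys even in a test setup.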
