如何使用keytool創建證書？

Question

我已經看過4個（是的，四個）教程，但仍然不知道如何使它工作。

在我的Glassfish 4.1.1服務器中設置為HTTPS配置的第二個HTTP偵聽器之后，我嘗試創建證書，因此在瀏覽器中沒有出現安全錯誤。 問題是，我只是無法使keytool正常工作。 無論我做什么，它都會弄亂並拋出奇怪的錯誤。 例如，它找不到許多指南推薦的某些命令。

我可以猜測，該工具在Java 8或其他方面已更改，我真的不知道。

問題是：我想創建一個證書，將其導出到我的Glassfish服務器，並正確實施HTTPS並用於測試目的。 我該怎么辦？

編輯：嚴重的是，因此我陷入了麻煩。 我只是無能為力：cacerts密碼不是典型的“ changeit”，我無法將密鑰保存在密鑰庫之外，因此我無法對證書進行任何操作。

Answer 1

如果您需要做的就是創建一對自簽名證書，我可能會幫助您。

在Microsoft Windows計算機上：

• 創建一個空目錄，並將以下腳本保存在那里（GenTestCerts.ps1）。
• 編輯腳本，並將Alias值（和其他變量）更改為所需的值。
• 執行腳本。

將服務器（tomcat.server.net.p12）證書復制到服務器期望的位置。

將信任存儲區（truststore.p12）復制到服務器期望的任何位置。

在Windows密鑰庫中安裝admin（tomcat-admin.p12）證書，以將根接受到“受信任的根證書頒發機構”部分。

<#
    This sample Windows PowerShell script will:
        1.) Create a Certificate Authority
        2.) Create a Server Certificate signed by the Certificate Authority
        3.) Create a Client Certificate signed by the Certificate Authority
        4.) Create a TrustStore containing the public Certificate Authority key

    The first section defines variables
    The second section does the work

    All Key Stores are PKCS12

    The Server Certificate includes a Subject Alternative Name
        The command below uses the serverAlias as the serverDNS value, but may be changed to whatever you need

    You just have Java 7 (or higher) installed and keytool in your path
#>

<# Your Organizational Information #>
$organizationalUnit="USN"
$organization="NRL"
$locality="Washington"
$state="DC"
$country="USA"

<# Certificate Alias #>
$authorityAlias="tomcat-root"
$serverAlias="tomcat.server.net"
$clientAlias="tomcat-admin"

<# Subject Alternative Name #>
$serverDNS="$serverAlias"

<# Extensions #>
$certAuthExtension="BasicConstraints:critical=ca:true,pathlen:10000"
$altNameExtension="san=dns:$serverDNS"

<# Trust Store #>
$trustCertName="truststore"

<# Key size and effective period #>
$keySize="4096"
$validity="365"

<# Key and Store Password #>
$certPassword="changeit"

<# ------------------------------------------------------------------------------------------ #>
<# ------------------  Use caution if you change anything below this line  ------------------ #>
<# ------------------------------------------------------------------------------------------ #>

$authorityDN="CN=$authorityAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
$serverDN="CN=$serverAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
$clientDN="CN=$clientAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"

rm "$authorityAlias.*"
rm "$serverAlias.*"
rm "$clientAlias.*"
rm "$trustCertName.*"

echo ""
echo "Generating the Root Authority Certificate..."
keytool -genkeypair -alias "$authorityAlias" -keyalg RSA -dname "$authorityDN" -ext "$certAuthExtension" `
    -validity "$validity" -keysize "$keySize" -keystore "$authorityAlias.p12" -keypass "$certPassword" `
    -storepass "$certPassword" -deststoretype pkcs12
echo "- Exporting Root Authority Certificate Public Key..."
keytool -exportcert -rfc -alias "$authorityAlias" -file "$authorityAlias.cer" -keypass "$certPassword" `
    -keystore "$authorityAlias.p12" -storepass "$certPassword"

echo ""
echo "Generating the Server Certificate..."
echo "- Creating Key Pair"
keytool -genkey -validity "$validity" -keysize "$keySize" -alias "$serverAlias" -keyalg RSA -dname "$serverDN" `
    -ext "$altNameExtension" -keystore "$serverAlias.p12" -keypass "$certPassword" -storepass "$certPassword" `
    -deststoretype pkcs12
echo "- Creating Certificate Signing Request"
keytool -certreq -alias "$serverAlias" -ext "$altNameExtension" -keystore "$serverAlias.p12" -file "$serverAlias.csr" `
    -keypass "$certPassword" -storepass "$certPassword"
echo "- Signing Certificate"
keytool -gencert -infile "$serverAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
    -alias "$authorityAlias" -ext "$altNameExtension" -outfile "$serverAlias.pem"
echo "- Adding Certificate Authority Certificate to Keystore"
keytool -import -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$serverAlias.p12" `
    -storepass "$certPassword" -noprompt
echo "- Adding Certificate to Keystore"
keytool -import -keystore "$serverAlias.p12" -file "$serverAlias.pem" -alias "$serverAlias" -keypass "$certPassword" `
    -storepass "$certPassword" -noprompt
rm "$serverAlias.csr"
rm "$serverAlias.pem"

echo ""
echo "Generating the Client Certificate..."
echo "- Creating Key Pair"
keytool -genkey -validity "$validity" -keysize "$keySize" -alias "$clientAlias" -keyalg RSA -dname "$clientDN" `
    -keystore "$clientAlias.p12" -keypass "$certPassword" -storepass "$certPassword" -deststoretype pkcs12
echo "- Creating Certificate Signing Request"
keytool -certreq -alias "$clientAlias" -keystore "$clientAlias.p12" -file "$clientAlias.csr" -keypass "$certPassword" `
    -storepass "$certPassword"
echo "- Signing Certificate"
keytool -gencert -infile "$clientAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
    -alias "$authorityAlias" -outfile "$clientAlias.pem"
echo "- Adding Certificate Authority Certificate to Keystore"
keytool -import -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$clientAlias.p12" `
    -storepass "$certPassword" -noprompt
echo "- Adding Certificate to Keystore"
keytool -import -keystore "$clientAlias.p12" -file "$clientAlias.pem" -alias "$clientAlias" -keypass "$certPassword" `
    -storepass "$certPassword" -noprompt
rm "$clientAlias.csr"
rm "$clientAlias.pem"

echo ""
echo "Generating the Trust Store and put the Client Certificate in it..."
keytool -importcert -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$trustCertName.p12" `
    -storepass "$certPassword" -noprompt

echo ""
echo "Removing Public Key Files..."
rm "$authorityAlias.cer"

希望這可以幫助。

最好，王牌

Answer 2

多年前，我是在雄貓上做的，我記得初次嘗試時並沒有做好。

除非您想花錢（猜想那里沒有免費的網站簽名證書），否則我建議您使用自簽名證書。

你嘗試過這個嗎？ http://docs.oracle.com/cd/E19798-01/821-1751/ghlgv/index.html