openssl 生成私钥、申请文件,证书导入jks说明
http://www.cnblogs.com/liaier/p/4137383.html
openssl pkcs12 -export -in server.pem -inkey serverkey.key -out server.pfx -CAfile chain.pem
由于keytool没有直接导入private key的命令,又没有办法生成SAN证书请求,所以只能通过openssl生成CSR,然后再将签过的证书跟私钥生成PFX,再利用keytool将PFX转成JKS来使用
1.创建私钥
openssl genrsa -out c:/server/server-key.pem 1024
2.创建证书请求 (subject alternative name (SAN) certificates):
openssl req -new -config CONF\san.conf -out server-req.csr -key server-key.pem
san.conf
[req] distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] countryName_default = CN stateOrProvinceName_default = Test localityName_default = Test organizationName_default = Test commonName = Test (eg, YOUR name) commonName_max = 64 [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = IPaddress1 DNS.2 = IPaddress2
3.CA收到证书申请后签发证书
openssl x509 -req -in c:/server/server-req.csr -out c:/server/server-cert.pem -signkey c:/server/server-key.pem -CA c:/ca/ca-cert.pem -CAkey c:/ca/ca-key.pem -CAcreateserial -days 3650
4.收到证书server-cert.pem(-----BEGIN CERTIFICATE-----),已有ca-cert.pem(-----BEGIN CERTIFICATE-----),server-key.pem(-----BEGIN RSA PRIVATE KEY-----)
利用这三者生成PFX文件
openssl pkcs12 -export -in server-cert.pem -inkey server-key.key -out server.pfx -CAfile ca-cert.pem
5.利用keytool将PFX转成JKS
keytool -importkeystore -srckeystore D:\Temp\server.pfx -srcstoretype pkcs12 -destkeystore D:\Temp\server.jks -deststoretype JKS -storepass testpwd2
6.查看JKS里面key alias为1
keytool -list -v -keystore D:\Temp\server.jks -storepass testpwd2