How to create a certificate with keytool?

孤街浪徒 2020-12-06 23:35

I've looked in 4 (yes, four) tutorials already and still don't get how to get this working.

After setting a second HTTP listener configured for HTTPS in my Glassfi

2 answers
  • 2020-12-06 23:54

    I did that on a Tomcat many years ago; I remember not getting it right at the first try.

    Unless you want to spend money (I guess there is no free certificate signing for websites out there), I recommend a Self-Signed Certificate.

    Have you tried this one? http://docs.oracle.com/cd/E19798-01/821-1751/ghlgv/index.html

  • 2020-12-07 00:14

    If all you need to do is create a pair of self-signed certificates... I may be able to help.

    On a Microsoft Windows Machine:

    • Create an empty directory and save the below script there (GenTestCerts.ps1).
    • Edit the script and change the Alias values (and other variables) to whatever you need.
    • Execute the script.

    Copy the server (tomcat.server.net.p12) cert to wherever your server expects it to be.

    Copy the Trust Store (truststore.p12) to wherever your server expects it to be.

    Install the admin (tomcat-admin.p12) cert in your Windows Key Store accepting the Root into your Trusted Root Certification Authorities section.

    <#
        This sample Windows PowerShell script will:
            1.) Create a Certificate Authority
            2.) Create a Server Certificate signed by the Certificate Authority
            3.) Create a Client Certificate signed by the Certificate Authority
            4.) Create a TrustStore containing the public Certificate Authority certificate
    
        The first section defines variables
        The second section does the work
    
        All Key Stores are PKCS12 (passed explicitly with -storetype, because Java 7/8 default to JKS)
    
        The Server Certificate includes a Subject Alternative Name
            The command below uses the serverAlias as the serverDNS value, but may be changed to whatever you need
    
        You just need Java 7 (or higher) installed and keytool in your path
    #>
    
    <# Your Organizational Information #>
    $organizationalUnit="USN"
    $organization="NRL"
    $locality="Washington"
    $state="DC"
    $country="US"   # C= must be the two-letter ISO 3166 code; some parsers reject "USA"
    
    <# Certificate Alias #>
    $authorityAlias="tomcat-root"
    $serverAlias="tomcat.server.net"
    $clientAlias="tomcat-admin"
    
    <# Subject Alternative Name #>
    $serverDNS="$serverAlias"
    
    <# Extensions #>
    # BasicConstraints marks the root as a CA; critical so clients must honour it
    $certAuthExtension="BasicConstraints:critical=ca:true,pathlen:10000"
    # Modern clients match the host name against the SAN, not the CN
    $altNameExtension="san=dns:$serverDNS"
    
    <# Trust Store #>
    $trustCertName="truststore"
    
    <# Key size and effective period (days) #>
    $keySize="4096"
    $validity="365"
    
    <# Key and Store Password #>
    $certPassword="changeit"
    
    <# ------------------------------------------------------------------------------------------ #>
    <# ------------------  Use caution if you change anything below this line  ------------------ #>
    <# ------------------------------------------------------------------------------------------ #>
    
    $authorityDN="CN=$authorityAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
    $serverDN="CN=$serverAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
    $clientDN="CN=$clientAlias,OU=$organizationalUnit,O=$organization,L=$locality,ST=$state,C=$country"
    
    # Remove output of a previous run; SilentlyContinue avoids errors on the first run
    rm "$authorityAlias.*" -ErrorAction SilentlyContinue
    rm "$serverAlias.*" -ErrorAction SilentlyContinue
    rm "$clientAlias.*" -ErrorAction SilentlyContinue
    rm "$trustCertName.*" -ErrorAction SilentlyContinue
    
    echo ""
    echo "Generating the Root Authority Certificate..."
    keytool -genkeypair -alias "$authorityAlias" -keyalg RSA -dname "$authorityDN" -ext "$certAuthExtension" `
        -validity "$validity" -keysize "$keySize" -keystore "$authorityAlias.p12" -keypass "$certPassword" `
        -storepass "$certPassword" -storetype pkcs12
    echo "- Exporting Root Authority Certificate (public part only)..."
    keytool -exportcert -rfc -alias "$authorityAlias" -file "$authorityAlias.cer" `
        -keystore "$authorityAlias.p12" -storepass "$certPassword"
    
    echo ""
    echo "Generating the Server Certificate..."
    echo "- Creating Key Pair"
    keytool -genkeypair -validity "$validity" -keysize "$keySize" -alias "$serverAlias" -keyalg RSA -dname "$serverDN" `
        -ext "$altNameExtension" -keystore "$serverAlias.p12" -keypass "$certPassword" -storepass "$certPassword" `
        -storetype pkcs12
    echo "- Creating Certificate Signing Request"
    keytool -certreq -alias "$serverAlias" -ext "$altNameExtension" -keystore "$serverAlias.p12" -file "$serverAlias.csr" `
        -keypass "$certPassword" -storepass "$certPassword"
    echo "- Signing Certificate"
    # -gencert defaults to 90 days when -validity is omitted, so pass it explicitly
    keytool -gencert -infile "$serverAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
        -alias "$authorityAlias" -ext "$altNameExtension" -validity "$validity" -outfile "$serverAlias.pem"
    echo "- Adding Certificate Authority Certificate to Keystore"
    keytool -importcert -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$serverAlias.p12" `
        -storepass "$certPassword" -noprompt
    echo "- Adding Certificate to Keystore"
    # Importing under the key entry's alias installs the signed reply over the self-signed certificate
    keytool -importcert -keystore "$serverAlias.p12" -file "$serverAlias.pem" -alias "$serverAlias" -keypass "$certPassword" `
        -storepass "$certPassword" -noprompt
    rm "$serverAlias.csr"
    rm "$serverAlias.pem"
    
    echo ""
    echo "Generating the Client Certificate..."
    echo "- Creating Key Pair"
    keytool -genkeypair -validity "$validity" -keysize "$keySize" -alias "$clientAlias" -keyalg RSA -dname "$clientDN" `
        -keystore "$clientAlias.p12" -keypass "$certPassword" -storepass "$certPassword" -storetype pkcs12
    echo "- Creating Certificate Signing Request"
    keytool -certreq -alias "$clientAlias" -keystore "$clientAlias.p12" -file "$clientAlias.csr" -keypass "$certPassword" `
        -storepass "$certPassword"
    echo "- Signing Certificate"
    keytool -gencert -infile "$clientAlias.csr" -keystore "$authorityAlias.p12" -storepass "$certPassword" `
        -alias "$authorityAlias" -validity "$validity" -outfile "$clientAlias.pem"
    echo "- Adding Certificate Authority Certificate to Keystore"
    keytool -importcert -trustcacerts -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$clientAlias.p12" `
        -storepass "$certPassword" -noprompt
    echo "- Adding Certificate to Keystore"
    keytool -importcert -keystore "$clientAlias.p12" -file "$clientAlias.pem" -alias "$clientAlias" -keypass "$certPassword" `
        -storepass "$certPassword" -noprompt
    rm "$clientAlias.csr"
    rm "$clientAlias.pem"
    
    echo ""
    echo "Generating the Trust Store containing the Certificate Authority certificate..."
    # Only the CA's public certificate goes in here; never a private key
    keytool -importcert -alias "$authorityAlias" -file "$authorityAlias.cer" -keystore "$trustCertName.p12" `
        -storepass "$certPassword" -storetype pkcs12 -noprompt
    
    echo ""
    echo "Removing exported Certificate Files..."
    rm "$authorityAlias.cer"
    

    Hope this helps.

    Best, Ace

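The three stores the generator writes are easy to get subtly wrong (a signed reply that never replaced the self-signed certificate, a missing SAN, a 90-day default from `-gencert`, a private key copied into the trust store). The following verification script is an added example, not part of the answer above or of keytool; it assumes the generator's default aliases and password, an English-locale `keytool` on the PATH, and that it is run in the directory holding the `.p12` files.

```powershell
<#
    Verify-TestCerts.ps1 (added example): checks the stores produced by GenTestCerts.ps1.
    Assumes the generator's default aliases/password below and English keytool output.
#>
$authorityAlias = "tomcat-root"
$serverAlias    = "tomcat.server.net"
$clientAlias    = "tomcat-admin"
$trustCertName  = "truststore"
$certPassword   = "changeit"
$minDaysLeft    = 180   # keytool -gencert silently defaults to 90 days when -validity is omitted

function Get-KeystoreListing {
    param([string]$Store)
    # -list -v prints Alias, Entry type, chain length, Issuer, validity and extensions per entry
    $out = & keytool -list -v -keystore $Store -storetype pkcs12 -storepass $certPassword 2>&1
    return (($out | ForEach-Object { "$_" }) -join "`n")
}

function Get-NotAfterDates {
    param([string]$Listing)
    # keytool prints e.g. "until: Mon Dec 06 23:35:00 EST 2021"; drop day-of-week and zone before parsing
    $dates = @()
    foreach ($m in [regex]::Matches($Listing, 'until: \w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})')) {
        $dates += [datetime]::ParseExact("$($m.Groups[1].Value) $($m.Groups[2].Value)",
                     'MMM dd HH:mm:ss yyyy', [cultureinfo]::InvariantCulture)
    }
    return ,$dates
}

function Test-KeyStore {
    param([string]$Store, [string]$Alias, [string]$ExpectedSan)
    $listing  = Get-KeystoreListing $Store
    $problems = @()
    if ($listing -notmatch "Alias name: $([regex]::Escape($Alias))") { $problems += "alias '$Alias' missing" }
    if ($listing -notmatch 'Entry type: PrivateKeyEntry') { $problems += "no private key entry" }
    # chain length 2 = leaf + CA; 1 means the signed reply was never imported over the self-signed cert
    if ($listing -notmatch 'Certificate chain length: 2') { $problems += "certificate chain length is not 2" }
    if ($listing -notmatch "Issuer: CN=$([regex]::Escape($authorityAlias))") { $problems += "leaf not issued by $authorityAlias" }
    if ($ExpectedSan -and $listing -notmatch "DNSName: $([regex]::Escape($ExpectedSan))") {
        $problems += "SubjectAlternativeName DNSName=$ExpectedSan missing (modern clients ignore CN)"
    }
    foreach ($notAfter in Get-NotAfterDates $listing) {
        $left = ($notAfter - (Get-Date)).Days
        if ($left -lt $minDaysLeft) { $problems += "a certificate expires in $left days (check -validity on -gencert)" }
    }
    return ,$problems
}

function Test-TrustStore {
    param([string]$Store)
    $listing  = Get-KeystoreListing $Store
    $problems = @()
    if ($listing -notmatch 'Your keystore contains 1 entry') { $problems += "expected exactly one entry" }
    if ($listing -notmatch 'Entry type: trustedCertEntry') { $problems += "CA certificate not stored as trustedCertEntry" }
    # a trust store gets copied to every peer; a private key in it would be leaked to all of them
    if ($listing -match 'Entry type: PrivateKeyEntry') { $problems += "trust store contains a private key" }
    if ($listing -notmatch 'CA:true') { $problems += "entry lacks BasicConstraints CA:true" }
    return ,$problems
}

$results = @{
    "$serverAlias.p12"   = Test-KeyStore "$serverAlias.p12" $serverAlias $serverAlias
    "$clientAlias.p12"   = Test-KeyStore "$clientAlias.p12" $clientAlias $null
    "$trustCertName.p12" = Test-TrustStore "$trustCertName.p12"
}
$failed = $false
foreach ($store in $results.Keys) {
    if ($results[$store].Count -eq 0) { Write-Host "OK   $store" }
    else { $failed = $true; $results[$store] | ForEach-Object { Write-Host "FAIL $store : $_" } }
}
if ($failed) { exit 1 }
```

Run it right after the generator; a non-zero exit means at least one store should not be copied to the server. The expiry threshold deliberately sits above 90 days so that a certificate signed without `-validity` is caught before it expires in production.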