证书之间的相互转换
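# p12 -> crt (certificate only; -clcerts keeps the end-entity cert, not the CA chain)
openssl pkcs12 -in ./keystore.p12 -nokeys -clcerts -out ./keystore.crt
# p12 -> key
# -nodes writes the private key UNENCRYPTED to disk: restrict its permissions
# (e.g. chmod 600) or drop -nodes to keep it passphrase-protected.
openssl pkcs12 -in ./keystore.p12 -nocerts -nodes -out ./keystore.key
# crt,key -> p12 (-name is the friendly name / keystore alias; openssl prompts for
# the export password rather than taking it on the command line)
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name "irving"
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "irving"
# crt -> cer (PEM -> DER)
openssl x509 -in ca.crt -out ca.cer -outform der
# inspect a certificate
openssl x509 -text -noout -in server.crt
# add a root certificate to the JRE trust store
# 'changeit' is the stock JDK cacerts password; $JRE must be the JRE home (see below).
# -noprompt skips the trust confirmation, so check the fingerprint of ca.crt beforehand
# (openssl x509 -noout -fingerprint -in ./ca.crt).
sudo keytool -import -alias matrix -keystore "$JRE/lib/security/cacerts" -storepass changeit -keypass changeit -file ./ca.crt -noprompt
# remove a root certificate from the JRE trust store
sudo keytool -delete -alias matrix -keystore "$JRE/lib/security/cacerts" -storepass changeit
# JRE location
# mac: /Library/Java/JavaVirtualMachines/jdk1.8.0_231.jdk/Contents/Home/jre/
# ubuntu: /usr/lib/jvm/java-1.8-openjdk/jre/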
生成根证书(ca.crt, ca.key),服务端证书(server.p12, server.crt, server.key),客户端证书(client.p12, client.crt, client.key)的脚本
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the axTLS project nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
# OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# Generate the certificates and keys for testing.
#
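# Stop at the first failing step so a missing or broken key is never signed or
# packaged into a .p12. (Only -eu: the script has no pipelines and may run under sh.)
set -eu

# Organisation used in every subject; can be overridden from the environment.
PROJECT_NAME="${PROJECT_NAME:-Irving Project}"
# RSA modulus size. The original 1024-bit keys are below the minimum accepted by
# current TLS stacks and JDKs; 2048 is the current floor.
KEY_BITS="${KEY_BITS:-2048}"
# Certificate lifetime in days (test material; the original default is kept).
DAYS="${DAYS:-5000}"

# Generate the openssl configuration files.
# The heredoc delimiters are unquoted on purpose so $PROJECT_NAME is expanded.
# v3_ca marks the root explicitly as a CA; without it 'x509 -req -signkey'
# emits an X.509 v1 certificate with no constraints at all.
cat > ca_cert.conf << EOF
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
O = $PROJECT_NAME Certificate Authority
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > server_cert.conf << EOF
[req]
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
[req_distinguished_name]
O = $PROJECT_NAME Server
CN = 127.0.0.1
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = irvingServer
EOF
cat > client_cert.conf << EOF
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
O = $PROJECT_NAME Client
CN = 127.0.0.1
EOF

mkdir -p ca server client

# Private key generation. ca.key is the trust anchor's key; it ends up in ca/
# only and must never be copied next to the server or client material.
openssl genrsa -out ca.key "$KEY_BITS"
openssl genrsa -out server.key "$KEY_BITS"
openssl genrsa -out client.key "$KEY_BITS"

# Certificate signing requests.
openssl req -out ca.req -key ca.key -new -config ./ca_cert.conf
openssl req -out server.req -key server.key -new -config ./server_cert.conf
openssl req -out client.req -key client.key -new -config ./client_cert.conf

# Generate the actual certs. SHA-256 replaces SHA-1, whose signatures current
# browsers and JDKs reject.
# Self-signed root, with the v3_ca extensions from ca_cert.conf applied.
openssl x509 -req -in ca.req -out ca.crt \
  -sha256 -days "$DAYS" -signkey ca.key \
  -extfile ./ca_cert.conf -extensions v3_ca
# 'x509 -req' does not copy extensions out of the CSR, so the SAN and keyUsage
# for the server cert are re-applied explicitly via -extfile/-extensions.
openssl x509 -req -extfile ./server_cert.conf -extensions v3_req \
  -in server.req -out server.crt \
  -sha256 -CAcreateserial -days "$DAYS" -CA ca.crt -CAkey ca.key
openssl x509 -req -in client.req -out client.crt \
  -sha256 -CAcreateserial -days "$DAYS" -CA ca.crt -CAkey ca.key

# -> .p12
# openssl prompts for the export password; it is deliberately not passed with
# -passout, which would expose it to 'ps' and the shell history.
openssl pkcs12 -export -clcerts -in ./client.crt -inkey ./client.key -out ./client.p12
openssl pkcs12 -export -clcerts -in ./server.crt -inkey ./server.key -out ./server.p12

mv ca.crt ca.key ca/
# -CAcreateserial writes the serial counter to ca.srl; keep it with the CA.
mv ca.srl ca/
mv server.crt server.key server.p12 server/
mv client.crt client.key client.p12 client/

# Remove only the intermediates this script created. The original 'rm *.conf'
# and 'rm *.req' would also delete any unrelated .conf/.req files in the cwd.
rm -f -- ca_cert.conf server_cert.conf client_cert.conf
rm -f -- ca.req server.req client.req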
来源:CSDN
作者:irvingYY
链接:https://blog.csdn.net/yaoya_2015/article/details/104801237