自签名证书HTTPS

1、生成自签名的CA私钥及自签名证书,并导出为der、p12、jks格式

set OPENSSL_CONF=C:\ProgramerTools\OpenSSL-Win64\bin\openssl.cfg

#生成私钥
openssl genrsa 1024 > NMyCA1024.key

#生成自签名证书
openssl req -new -x509 -nodes -key NMyCA1024.key -days 1095 -subj "/C=CN/ST=ShangHai/L=ShangHai/O=NEOHOPE/OU=Development/CN=NMyCA1024" > NMyCA1024.pem

#转der格式,生成trust store
openssl x509 -outform der -in NMyCA1024.pem -out NMyCA1024.crt
keytool -import -trustcacerts -file NMyCA1024.crt -keystore NMyCA1024_trust.jks -storepass 123456

#转p12格式,生成key sotre
openssl pkcs12 -export -out NMyCA1024.p12 -in NMyCA1024.pem -inkey NMyCA1024.key
keytool -importkeystore -srckeystore NMyCA1024.p12 -srcstoretype PKCS12 -deststoretype  JKS -destkeystore NMyCA1024_key.jks

2、生成网站私钥,并生成CA签名的证书,并导出为der、p12、jks格式

#生成私钥
openssl genrsa 1024 > server.key

#从CA请求证书
openssl req -new -key server.key -subj "/C=CN/ST=ShangHai/L=ShangHai/O=NEOHOPE/OU=Development/CN=127.0.0.1" > server.csr

#生成CA签名的证书
openssl x509 -req -in server.csr -CA NMyCA1024.pem -CAkey NMyCA1024.key -CAcreateserial -days 365 > serversigned.crt

#生成trust store
keytool -import -trustcacerts -file serversigned.crt -keystore serversigned_trust.jks -storepass 123456

#转p12格式,生成key sotre
openssl pkcs12 -export -out serversigned.p12 -in serversigned.crt -inkey server.key
keytool -importkeystore -srckeystore serversigned.p12 -srcstoretype PKCS12 -deststoretype  JKS -destkeystore serversigned_key.jks

3、在server端使用serversigned.p12或serversigned_key.jks

4、在浏览器端,导入NMyCA1024.crt为CA根证书,浏览器就可以正常打开HTTPS网站了

5、如果是要用Java Client端进行认证,则需要将CA证书导入到对应JDK或JRE的CA列表中,用serversigned_trust.jks就可以正常访问了

keytool -import -trustcacerts -file NMyCA1024.crt -alias NMyCA1024 -keystore %JRE_HOME%\lib\security\cacerts -storepass changeit

Comments are closed.