
Steps for installing security certificates

Date: 2016-06-26 16:56:05

Tags: windows, security certificate, letter, institution, third party

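Steps for generating CA certificates with OpenSSL on Windows

I. Generate the CA certificate

For now we do not use a third-party certificate authority; we act as the CA ourselves.

Download OpenSSL from the internet.

1. Create the private key:

C:\OpenSSL\bin>openssl genrsa -out ca/ca-key.pem 1024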


2. Create the certificate request:

C:\OpenSSL\bin>openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem -config d:\openssl\openssl.cnf
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:pudong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:huro
Organizational Unit Name (eg, section) []:www.huro.cn
Common Name (eg, YOUR name) []:huro coporation
Email Address []:zfx_email@huro.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 100200


3. Self-sign the certificate:

C:\OpenSSL\bin>openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650

4. Export the certificate in the .p12 format supported by browsers:

C:\OpenSSL\bin>openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12

Password: changeit


II. Generate the server certificate

1. Create the private key:

C:\OpenSSL\bin>openssl genrsa -out server/server-key.pem 1024

2. Create the certificate request:

C:\OpenSSL\bin>openssl req -new -out server/server-req.csr -key server/server-key.pem -config d:\openssl\openssl.cnf
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:192.168.1.246   (note: this must be the IP address of the server)
Email Address []:sky


3. Sign the certificate with the CA key:

C:\OpenSSL\bin>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

4. Export the certificate in the .p12 format supported by browsers:

C:\OpenSSL\bin>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12

Password: changeit


III. Generate the client certificate

1. Create the private key:

C:\OpenSSL\bin>openssl genrsa -out client/client-key.pem 1024

 

 


 

2. Create the certificate request:

C:\OpenSSL\bin>openssl req -new -out client/client-req.csr -key client/client-key.pem -config d:\openssl\openssl.cnf
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:sky
Email Address []:sky

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:tsing


3. Sign the certificate with the CA key:

C:\OpenSSL\bin>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

4. Export the certificate in the .p12 format supported by browsers:

C:\OpenSSL\bin>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12

Password: changeit


IV. Generate the JKS file from the CA certificate

C:\Java\jdk1.5.0_09\bin>keytool -keystore jks/truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file ca/ca-cert.pem

V. Configure Tomcat SSL

Edit conf/server.xml. Tomcat 6 adds the SSLEnabled="true" attribute. Set keystoreFile and truststoreFile to the correct paths for your setup.


Tomcat 5.5 configuration:

<Connector port="8443" maxHttpHeaderSize="8192"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"
             keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
             truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS" />

Tomcat 6.0 configuration:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
               truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>


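VI. Import the certificates

Import ca.p12 and client.p12 into IE (open IE -> Internet Options -> Content -> Certificates).

Import ca.p12 into Trusted Root Certification Authorities, and client.p12 into Personal.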
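
The key and certificate steps of parts I to III, as an added example that is not part of the original article: a POSIX shell script that runs them without prompts and then checks the results with openssl verify. It goes beyond the commands above in using 2048-bit keys and in writing the server IP into subjectAltName as well as the Common Name, since current TLS clients match the address against subjectAltName. The function names, file layout and subject names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: parts I-III without prompts. Subjects and file names are constructed.

# build_pki DIR IP: create a test CA plus a server cert for IP and a client cert in DIR.
build_pki() {
    d=$1; ip=$2
    mkdir -p "$d" || return 1
    # Minimal request config, so the run does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n' > "$d/req.cnf"
    # Extensions: only the CA may sign; the server cert carries the IP as a SAN.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=IP:%s\n' "$ip" > "$d/server.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"

    # CA: key, request, self-signed certificate (-signkey belongs only here).
    openssl genrsa -out "$d/ca-key.pem" 2048 2>/dev/null &&
    openssl req -new -config "$d/req.cnf" -subj "/CN=Example Test CA" \
        -key "$d/ca-key.pem" -out "$d/ca-req.csr" &&
    openssl x509 -req -in "$d/ca-req.csr" -signkey "$d/ca-key.pem" \
        -extfile "$d/ca.ext" -days 3650 -out "$d/ca-cert.pem" 2>/dev/null || return 1

    # Server and client: key, request, certificate issued by the CA (no -signkey).
    for who in server client; do
        if [ "$who" = server ]; then cn=$ip; else cn=example-client; fi
        openssl genrsa -out "$d/$who-key.pem" 2048 2>/dev/null &&
        openssl req -new -config "$d/req.cnf" -subj "/CN=$cn" \
            -key "$d/$who-key.pem" -out "$d/$who-req.csr" &&
        openssl x509 -req -in "$d/$who-req.csr" -CA "$d/ca-cert.pem" \
            -CAkey "$d/ca-key.pem" -CAcreateserial -extfile "$d/$who.ext" \
            -days 3650 -out "$d/$who-cert.pem" 2>/dev/null || return 1
    done
}

# check_chain DIR WHO PURPOSE: succeed if WHO's cert chains to the CA for PURPOSE
# (sslserver or sslclient), which is the check a TLS peer performs.
check_chain() {
    openssl verify -CAfile "$1/ca-cert.pem" -purpose "$3" "$1/$2-cert.pem" >/dev/null 2>&1
}

# check_server_ip DIR IP: succeed if the server cert is valid for IP (SAN match).
check_server_ip() {
    openssl verify -CAfile "$1/ca-cert.pem" -verify_ip "$2" "$1/server-cert.pem" >/dev/null 2>&1
}

# issuer_of DIR WHO: print the issuer of WHO's certificate.
issuer_of() {
    openssl x509 -in "$1/$2-cert.pem" -noout -issuer
}
```

Run `build_pki ./pki 192.168.1.246`, then `check_chain ./pki client sslclient`; with clientAuth="true" Tomcat only accepts a client certificate that chains to the CA held in the trust store.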

 



Original article: http://9272317.blog.51cto.com/9262317/1792997
