用keytool和openssl生成和签发数字证书

《用keytool和openssl生成和签发数字证书》由会员上传分享，免费在线阅读，更多相关内容在行业资料-天天文库。

1、4.2.1建立工作目录demoCA4.2.2生成CA私钥以及自签名根证书4.2.2.1生成CA私钥opensslgenrsa-outdemoCAca-key.pem10244.2.2.2生成待签名证书opensslreq-new-outdemoCAca-req.csr-keydemoCAca-key.pem4.2.2.3用CA私钥进行自签名opensslx509-req-indemoCAca-req.csr-outcaca-cert.pem-signkeydemoCAca-key.pem-days

2、3654.3设置Tomcat4.x在本文中用符号"%JDK_HOME%"来表示JDK的安装位置，用符号"%TCAT_HOME%"表示Tomcat的安装位置。4.3.1建立工作目录mkdirserver4.3.2生成server端证书4.3.2.1生成KeyPair%JDK_HOME%binkeytool-genkey-aliastomcat_server-validity365-keyalgRSA-keysize1024-keypass123456-storepass123456-keystoreserv

3、erserver_keystore4.3.2.2生成待签名证书%JDK_HOME%binkeytool-certreq-aliastomcat_server-sigalgMD5withRSA-fileserverserver.csr-keypass123456-keystoreserverserver_keystore-storepasschangeit4.3.2.3用CA私钥进行签名opensslx509-req-inserverserver.csr-outserverserver-cert.

4、pem-CAdemoCAca-cert.pem-CAkeydemoCAca-key.pem-CAserialdemoCA/ca-cert.srl-CAcreateserial-days3654.3.2.4导入信任的CA根证书到JSSE的默认位置(%JDK_ROOT%/jre/security/cacerts)%JDK_HOME%binkeytool-import-v-trustcacerts-storepass123456-aliasmy_ca_root-filedemoCAca-cert.pem-

5、keystore%JDK_HOME%jrelibsecuritycacerts4.3.2.5把CA签名后的server端证书导入keystore%JDK_HOME%binkeytool-import-v-trustcacerts-storepasschangeit-aliastomcat_server-fileserverserver-cert.pem-keystoreserverserver_keystore%JDK_HOME%binkeytool-import-v-aliastomca

6、t_server-fileserverserver-cert.pem-storepass123456-keystoreserver_keystore4.3.2.6查看server端证书keytool-list-keystore%JDK_HOME%jrelibsecuritycacertskeytool-list-keystoreserverserver_keystore4.3.3修改server.xml使Tomcat支持SSL首先找到以下内容，去掉对其的注释。然后参照红色部分修改。如果配置Tomc

7、at不验证客户身份，可以设置clientAuth="false"。

8、ina.net.SSLServerSocketFactory"clientAuth="true"protocol="TLS"keystoreFile="%TCAT_HOME%/conf/server_keystore"keystorePass="changeit"/>然后把文件serverserver_keystore复制到目录%TCAT_HOME%conf下。4.4在IE中安装个人证书4.4