英文:
How to generate Java certificates (keystore and truststore) for two way SSL starting from X509 certificates
问题
以下是翻译好的部分:
我已使用OpenSSL生成了自签名证书:
根证书颁发机构:cacert.crt(根证书),和root_key.pem(根私钥)。
客户端:client_cert.crt(客户端证书),和client_key.pem(私钥)。
服务器:server_cert.crt(服务器证书),和server_key.pem(私钥)。
客户端和服务器证书都由根密钥签名。
据我了解,双向SSL需要服务器信任存储库包含客户端证书,而客户端信任存储库需要包含服务器证书。
我的问题是如何使用keytool从这些证书/密钥生成两对客户端/服务器信任存储库/密钥库。
英文:
I have generated with OpenSSL self signed certificates:
> Root CA: cacert.crt (the root CA certificate), and root_key.pem (for
> root private key).
>
> Client: client_cert.crt (the client certificate), and client_key.pem (for private key).
>
> Server: server_cert.crt (the server certificate), and server_key.pem (for private key).
Both client and server certificates are signed with the root key.
As I understand it, for two way SSL the server truststore should include the client certificate and the client truststore should include the server certificate.
My question is how to generate with keytool, the two pair of client/server trusstore/keystore starting from these certificates/keys
答案1
得分: 1
以下是翻译好的部分,不包括代码:
For client keystore:
对于客户端密钥库:
openssl pkcs12 -export -out client.pfx -inkey client_key.pem -in client_cert.crt
For client truststore:
对于客户端信任库:
keytool -import -file cacert.crt -alias cacert -keystore ClientTruststore
keytool -import -file client_cert.crt -alias servercert -keystore ClientTruststore
For server keystore:
对于服务器密钥库:
openssl pkcs12 -export -out server_key.p12 -inkey server_key.pem -in server_cert.crt
SET PASSWORD=MyPassword
keytool -genkey -alias server -keyalg RSA -validity 3650 -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD%
keytool -importcert -alias rootCA -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD% -file cacert.crt
keytool -v -importkeystore -srckeystore server_key.p12 -srcstoretype PKCS12 -destkeystore server.keystore -deststoretype JKS -deststorepass %PASSWORD%
For server truststore:
对于服务器信任库:
keytool -import -file cacert.crt -alias cacert -keystore ServerTruststore
keytool -import -file client_cert.crt -alias client -keystore ServerTruststore
I tested it with a very simple SSL Client/Server by running the program:
我使用一个非常简单的SSL客户端/服务器程序进行了测试,运行如下:
java -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ServerTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloServer.jar
java -Djavax.net.ssl.keyStore=client.pfx -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ClientTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloClient.jar
It is working fine.
它正常工作。
Any suggestions of improvements are welcomed.
欢迎提出改进建议。
英文:
After some research, I found the following steps:
For client keystore:
openssl pkcs12 -export -out client.pfx -inkey client_key.pem -in client_cert.crt
For client truststore:
keytool -import -file cacert.crt -alias cacert -keystore ClientTruststore
keytool -import -file client_cert.crt -alias servercert -keystore ClientTruststore
For server keystore:
openssl pkcs12 -export -out server_key.p12 -inkey server_key.pem -in server_cert.crt
SET PASSWORD=MyPassword
keytool -genkey -alias server -keyalg RSA -validity 3650 -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD%
keytool -importcert -alias rootCA -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD% -file cacert.crt
keytool -v -importkeystore -srckeystore server_key.p12 -srcstoretype PKCS12 -destkeystore server.keystore -deststoretype JKS -deststorepass %PASSWORD%
For server truststore:
keytool -import -file cacert.crt -alias cacert -keystore ServerTruststore
keytool -import -file client_cert.crt -alias client -keystore ServerTruststore
I tested it with a very simple SSL Client/Server by running the program:
java -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ServerTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloServer.jar
java -Djavax.net.ssl.keyStore=client.pfx -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ClientTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloClient.jar
It is working fine.
Any suggestions of improvements are welcomed.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论