How to generate Java certificates (keystore and truststore) for two-way SSL starting from X509 certificates

Question

I have generated self-signed certificates with OpenSSL:

> Root CA: cacert.crt (the root CA certificate), and root_key.pem (for
> root private key).
>
> Client: client_cert.crt (the client certificate), and client_key.pem (for private key).
>
> Server: server_cert.crt (the server certificate), and server_key.pem (for private key).

Both client and server certificates are signed with the root key.

As I understand it, for two way SSL the server truststore should include the client certificate and the client truststore should include the server certificate.

My question is how to generate with keytool the two pairs of client/server truststore/keystore starting from these certificates/keys.

Answer 1

Score: 1

After some research, I found the following steps:

For client keystore:

openssl pkcs12 -export -out client.pfx -inkey client_key.pem -in client_cert.crt

For client truststore:

keytool -import -file cacert.crt -alias cacert -keystore ClientTruststore
keytool -import -file server_cert.crt -alias servercert -keystore ClientTruststore

For server keystore:

openssl pkcs12 -export -out server_key.p12 -inkey server_key.pem -in server_cert.crt
SET PASSWORD=MyPassword
REM The export password typed for openssl and %PASSWORD% must both be the value passed later as -Djavax.net.ssl.keyStorePassword
REM Do not add a throwaway -genkey entry to this keystore: a second private key lets the key manager present the wrong certificate
keytool -importcert -alias rootCA -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD% -file cacert.crt
keytool -v -importkeystore -srckeystore server_key.p12 -srcstoretype PKCS12 -destkeystore server.keystore -deststoretype JKS -deststorepass %PASSWORD%

For server truststore:

keytool -import -file cacert.crt -alias cacert -keystore ServerTruststore
keytool -import -file client_cert.crt -alias client -keystore ServerTruststore

I tested it with a very simple SSL client/server by running the programs:

java -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ServerTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloServer.jar
java -Djavax.net.ssl.keyStore=client.pfx -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ClientTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloClient.jar

It is working fine.
Any suggestions of improvements are welcomed.
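The same procedure assembled into one script, as an added example that is not code from the original answer: it builds the two keystores with openssl and the two truststores with keytool from the PEM files named in the question, puts only the root CA in each truststore (both leaves are signed by it, so the peer's leaf certificate adds nothing), and checks the result with keytool -list. PKCS12 for every store, the file names, the store password `changeit` and the throwaway test CA it mints when the real PEM files are absent are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original answer: build the two keystores
# and two truststores for mutual TLS from the PEM files named in the question.
# Assumptions: openssl and keytool on PATH, PKCS12 for every store, and the
# store password below (override with STOREPASS=...).
set -eu

STOREPASS=${STOREPASS:-changeit}

# Constructed fixtures: if the question's cacert.crt / *_key.pem are not in the
# working directory, mint a throwaway root CA and sign a server and a client
# leaf with it, so the rest of the script can be exercised offline.
make_fixture_pki() {
  [ -f cacert.crt ] && [ -f server_key.pem ] && [ -f client_key.pem ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -keyout root_key.pem -out cacert.crt 2>/dev/null
  for role in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$role" \
      -keyout "${role}_key.pem" -out "${role}.csr" 2>/dev/null
    openssl x509 -req -in "${role}.csr" -CA cacert.crt -CAkey root_key.pem \
      -CAcreateserial -days 30 -out "${role}_cert.crt" 2>/dev/null
  done
}

# Keystore = the party's own private key plus its certificate chain.
# -certfile adds the CA so the stored chain is complete; -name sets the alias
# Java will see, so the key manager never has to guess between entries.
make_keystore() {  # $1 = server | client
  openssl pkcs12 -export -name "$1" -inkey "$1_key.pem" -in "$1_cert.crt" \
    -certfile cacert.crt -passout "pass:$STOREPASS" -out "$1.p12"
}

# Truststore = the root CA only. Both leaves chain to it, so importing the
# peer's leaf certificate as well adds nothing and forces a re-import whenever
# that certificate is rotated.
make_truststore() {  # $1 = server | client
  rm -f "$1-truststore.p12"
  keytool -importcert -noprompt -trustcacerts -alias rootca -file cacert.crt \
    -keystore "$1-truststore.p12" -storetype PKCS12 -storepass "$STOREPASS"
}

# Count entries of one kind (PrivateKeyEntry or trustedCertEntry) in a store,
# as keytool -list reports them. Prints 0 rather than failing when none match.
count_entries() {  # $1 = store file, $2 = entry kind
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$STOREPASS" 2>/dev/null \
    | grep -c "$2" || true
}

# Each leaf must chain to the CA before it is packed into a keystore.
build_keystores() {
  for role in server client; do
    openssl verify -CAfile cacert.crt "${role}_cert.crt" >/dev/null
    make_keystore "$role"
  done
}

build_truststores() {
  for role in server client; do
    make_truststore "$role"
  done
}

# Sanity check of the finished stores: one private key per keystore, one
# trusted certificate and no private key per truststore.
check_stores() {
  for role in server client; do
    [ "$(count_entries "$role.p12" PrivateKeyEntry)" = 1 ] || return 1
    [ "$(count_entries "$role-truststore.p12" trustedCertEntry)" = 1 ] || return 1
    [ "$(count_entries "$role-truststore.p12" PrivateKeyEntry)" = 0 ] || return 1
  done
}

build_all() {
  make_fixture_pki
  build_keystores
  build_truststores
  check_stores && echo "stores built and checked in $(pwd)"
}

# Usage: sh mtls_stores.sh build
if [ "${1:-}" = build ]; then
  build_all
fi
```

Two caveats the stores themselves do not cover. First, the handshake only becomes two-way if the server asks for a client certificate (`SSLServerSocket.setNeedClientAuth(true)` or the equivalent server setting); with a plain `SSLServerSocket` the client keystore is never consulted and any client connects. Second, a handshake can be smoke-tested without Java: `openssl s_server -accept 8443 -cert server_cert.crt -key server_key.pem -CAfile cacert.crt -Verify 1` on one side and `openssl s_client -connect localhost:8443 -cert client_cert.crt -key client_key.pem -CAfile cacert.crt` on the other must complete, and the same `s_client` without `-cert`/`-key` must be rejected. Note also that PKCS12 files written by OpenSSL 3 use AES and PBKDF2 by default, which older Java 8 builds cannot read.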

huangapple
  • Posted on 2023-02-08 23:20:55
  • Please keep this link when reposting: https://go.coder-hub.com/75387930.html