Certificate generation
Keytool Introduction
Keytool is the key and certificate management utility shipped with the JDK. It stores keys and certificates in a file called a keystore.
A keystore holds two kinds of entries:
- Key entries: a private key together with the certificate chain for its public key (asymmetric), or a secret key (symmetric)
- Trusted certificate entries: a certificate only, that is, a public key bound to an identity, with no private key
What is usually called "the certificate" is this public part: it is what you hand to other parties so they can verify signatures made with, or encrypt to, the matching private key.
- Certificate and keystore file suffixes:
  - jks: Java KeyStore, the native keystore format of Java's keytool; holds private keys and certificates
  - pfx / p12: PKCS#12 container, originating with Microsoft (p12 is the newer name for pfx); holds a private key and its certificate chain
  - cer / crt: a certificate, i.e. the public-key part only (cer is the Microsoft name for the same thing as crt)
  - csr: Certificate Signing Request
Tips:
- .der, .cer: binary (DER-encoded) certificate; contains the certificate only, never a private key.
- .crt: binary or text, usually text; otherwise the same as .der and .cer.
- .pem: text (Base64 between BEGIN/END lines); can hold a certificate, a private key, or both.
- .key: a .pem file that contains only a private key is conventionally named .key instead.
- .pfx, .p12: binary PKCS#12 container holding both the certificate and the private key, normally password protected.
- .keystore, .truststore: both are keystores, i.e. containers for keys. They differ only in what they are used for: the keystore holds your own private key and certificate, the truststore holds the certificates of the parties you trust. The two suffixes are a naming convention, not different formats.
- A truststore is always in play. If none is specified explicitly, Java uses $JAVA_HOME/lib/security/cacerts (on JDK 8 and earlier, $JAVA_HOME/jre/lib/security/cacerts), which the JDK ships pre-populated with the common public CA certificates.
- Different platforms expect different formats: Java traditionally uses jks, .NET uses pfx and cer, PHP uses pem and cer.
- What distinguishes these files is not the suffix but the format and content. A JKS renamed to .cer is still a JKS, and tooling that trusts the suffix will misread it.
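To make the last point concrete, here is an added example that is not part of the original article: a POSIX shell function that classifies a file by its leading bytes rather than its suffix. PEM is recognised by its BEGIN line, JKS and JCEKS by their magic numbers, and DER files by walking the first two ASN.1 headers to tell an X.509 certificate from a PKCS#10 request and a PKCS#12 container. The format labels are this script's own, and the fixture files it writes are constructed header-only byte strings (not real keys or certificates); one of them is deliberately a JKS saved with a .cer suffix.

```shell
#!/bin/sh
# Added example (not from the original article): identify a certificate or keystore file by
# its content. The labels printed are this script's own names for the formats.

# Print the byte at character offset $2 (0-based) of the hex string $1 as two hex characters.
hex_at() {
  printf '%s' "$1" | cut -c "$(( $2 + 1 ))-$(( $2 + 2 ))"
}

# Length in hex characters of the DER tag+length header starting at offset $2 of hex string $1.
# Short form: one length byte (< 0x80); long form: 0x80 | n, followed by n length bytes.
der_hdr_len() {
  b=$(hex_at "$1" "$(( $2 + 2 ))")
  [ -n "$b" ] || { echo 4; return 0; }       # ran off the end of the sampled bytes
  lb=$(( 0x$b ))
  if [ "$lb" -lt 128 ]; then echo 4; else echo $(( 4 + 2 * (lb - 128) )); fi
}

# Print a format label for file $1; exit status 1 if the content is not recognised.
sniff_cert_format() {
  f=$1
  # PEM is text and names its payload on the BEGIN line.
  if head -n 1 "$f" | grep -q '^-----BEGIN '; then
    label=$(sed -n 's/^-----BEGIN \(.*\)-----.*$/\1/p' "$f" | head -n 1)
    echo "pem:$label"
    return 0
  fi
  hex=$(od -An -tx1 -N 32 "$f" | tr -d ' \n')  # first 32 bytes as lower-case hex
  case $hex in
    feedfeed*) echo jks;   return 0 ;;        # Java KeyStore magic number
    cececece*) echo jceks; return 0 ;;        # JCE KeyStore magic number
    30*) ;;                                   # ASN.1 SEQUENCE: DER cert, CSR or PKCS#12
    *)  echo unknown; return 1 ;;
  esac
  [ ${#hex} -ge 20 ] || { echo unknown; return 1; }
  inner=$(der_hdr_len "$hex" 0)               # offset of the first element inside the SEQUENCE
  case $(hex_at "$hex" "$inner") in
    02) echo pkcs12; return 0 ;;              # PFX ::= SEQUENCE { version INTEGER (3), ... }
    30) ;;                                    # Certificate or CertificationRequest
    *)  echo unknown; return 1 ;;
  esac
  body=$(( inner + $(der_hdr_len "$hex" "$inner") ))
  # Heuristic: a v1 certificate whose serial number is 0 would be reported as a CSR.
  case $(printf '%s' "$hex" | cut -c "$(( body + 1 ))-$(( body + 6 ))") in
    a0*)    echo x509-cert-v3 ;;              # tbsCertificate begins with [0] EXPLICIT version
    020100) echo pkcs10-csr ;;                # CertificationRequestInfo begins with version INTEGER 0
    02*)    echo x509-cert-v1 ;;              # no version field, serialNumber INTEGER comes first
    *)      echo unknown; return 1 ;;
  esac
}

# Constructed fixtures in directory $1: header bytes only, not real keys or certificates.
# Two are deliberately given misleading suffixes to show that the suffix proves nothing.
make_fixtures() {
  d=$1
  # X.509 v3: SEQUENCE { SEQUENCE { [0] { INTEGER 2 } ...
  printf '\060\202\003\350\060\202\002\320\240\003\002\001\002' > "$d/server.cer"
  # PKCS#10: SEQUENCE { SEQUENCE { INTEGER 0, SEQUENCE (subject Name) ...
  printf '\060\202\002\132\060\202\001\102\002\001\000\060\201\243' > "$d/server.csr"
  # PKCS#12: SEQUENCE { INTEGER 3, SEQUENCE ...
  printf '\060\202\012\074\002\001\003\060\202\012\002' > "$d/client.p12"
  # JKS magic 0xFEEDFEED and version 2, but saved with a .cer suffix
  printf '\376\355\376\355\000\000\000\002' > "$d/mislabelled.cer"
  # PEM certificate and PEM request, the latter saved as .txt
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' > "$d/server.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIIB...' '-----END CERTIFICATE REQUEST-----' > "$d/req.txt"
}

# Classify every fixture and print "name -> label".
demo() {
  tmp=$(mktemp -d)
  make_fixtures "$tmp"
  for f in "$tmp"/*; do
    printf '%-16s -> %s\n' "$(basename "$f")" "$(sniff_cert_format "$f")"
  done
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh sniff.sh --demo` to see the constructed files labelled, including mislabelled.cer reported as jks and req.txt as pem:CERTIFICATE REQUEST. The same function can be pointed at any file you are about to pass to keytool -import or Tomcat, so a wrongly named store is caught before the import fails with a misleading error.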
Keytool command details
- Key and certificate management tool commands:
  -certreq          Generate a certificate request (CSR)
  -changealias      Change the alias of an entry
  -delete           Delete an entry
  -exportcert       Export a certificate (short form: -export)
  -genkeypair       Generate a key pair (short form: -genkey)
  -genseckey        Generate a secret key
  -gencert          Generate a certificate from a certificate request
  -importcert       Import a certificate or certificate chain (short form: -import)
  -importpass       Import a password
  -importkeystore   Import one or all entries from another keystore
  -keypasswd        Change the key password of an entry
  -list             List the entries in a keystore
  -printcert        Print the content of a certificate
  -printcertreq     Print the content of a certificate request
  -printcrl         Print the content of a CRL file
  -storepasswd      Change the store password of a keystore
Tips:
- keytool -help lists all available commands
- keytool -command_name -help prints the usage of command_name
- Common parameters:
  -genkey      Generate a key pair (short form of -genkeypair). Creates a new entry holding the public key, the private key and a self-signed certificate. With -alias and -keystore omitted, the entry goes into a file named .keystore in the user's home directory under the alias mykey
  -alias       Alias of the entry; unique within the keystore, case-insensitive (default mykey)
  -keystore    Keystore file name (default: .keystore in the user's home directory)
  -keyalg      Key algorithm: RSA, DSA or EC. Older JDKs default to DSA when it is omitted, so always state it explicitly
  -keysize     Key length in bits (defaults per algorithm: RSA 2048, DSA 2048, EC 256)
  -sigalg      Signature algorithm (MD5- and SHA1-based algorithms are no longer safe)
  -validity    Certificate validity in days (default 90)
  -storepass   Keystore password, needed to read the keystore; recommended to keep it equal to -keypass
  -storetype   Keystore type: JKS, PKCS12, etc. (default JKS before JDK 9, PKCS12 from JDK 9 on)
  -keypass     Password of the alias entry, i.e. of the private key
  -dname       Distinguished Name placed in the certificate (the CN must equal the server's domain name; use localhost for local tests; the other fields may be left out)
  -list        Show the entries in the keystore
  -v           Verbose output, showing certificate details
  -file        File name to import from or export to
  -export      Export the certificate of the given alias to a file (short form of -exportcert)
  -import      Import a signed certificate into the keystore (short form of -importcert)
  -printcert   Show an exported certificate
  -delete      Delete an entry from the keystore
  -keypasswd   Change the password of an entry
  -storepasswd Change the keystore password
  -ext         X.509 extension, e.g. SAN (Subject Alternative Name)
- All passwords must be at least 6 characters long
- -keyalg selects the key algorithm: RSA, DSA (the default on older JDKs) or EC
- -sigalg selects the signature algorithm. MD5- and SHA1-based signatures are no longer safe: current JDKs warn when generating them and modern TLS stacks reject certificates signed with them
  - with keyalg = RSA: MD5withRSA, SHA1withRSA, SHA256withRSA (default for 2048-bit keys), SHA384withRSA, SHA512withRSA
  - with keyalg = DSA: SHA1withDSA, SHA256withDSA (default)
- -dname is the subject Distinguished Name of the certificate; for a self-signed certificate it is the issuer as well. Its fields:
  - CN = Common Name: domain name or IP. For a server certificate the CN must match the name the client connects with (localhost for local tests); the other fields are optional. Client certificates have no such requirement
  - OU = Organizational Unit
  - O = Organization Name
  - L = Locality (city or region)
  - ST = State or province
  - C = two-letter country code (CN for China, US for the United States)
Create a certificate
Create a keystore. A keystore file holds one or more key entries; each entry is identified by an alias and contains a key and its certificate information.
Usage:
  keytool -genkey -alias <alias> -keyalg RSA [-sigalg SHA256withRSA] [-keysize 2048] -keypass <keypasswd> -keystore <keystore_file> -storetype JKS|PKCS12 -storepass <keystore_passwd> -validity 3650 -dname "CN=,OU=,Inc.,O=Github, Inc.,L=San Francisco,ST=California,C=US" -ext SAN=dns:,dns:,ip:127.0.0.1
Options:
  -genkey      Generate a key pair (short form of -genkeypair)
  -alias       Entry alias, unique within the keystore and case-insensitive (default mykey)
  -keyalg      Key algorithm; RSA is an asymmetric algorithm (older JDKs default to DSA)
  -sigalg      Signature algorithm, optional
  -keysize     Key length, optional
  -keypass     Password of the entry (the private key)
  -storetype   Keystore type: JKS, PKCS12, etc.
  -keystore    Location of the keystore to create
  -storepass   Keystore access password; recommended to keep it equal to -keypass
  -validity    Certificate validity in days (default 90)
  -dname       Distinguished Name of the certificate subject. The CN must equal the server's domain name (localhost for local tests); the other fields may be omitted
  -ext         X.509 extension, here the Subject Alternative Name
Tips:
- MD5- and SHA1-based signature algorithms are no longer safe; use SHA256withRSA or stronger.
- If the host name of the Tomcat server is not localhost, a certificate issued to CN=localhost makes the browser warn that the certificate does not match the domain.
- Set the CN of the server certificate to the real domain name of the server; for local development and testing use localhost. Modern browsers ignore the CN and match the host against the Subject Alternative Name, so also pass -ext SAN=dns:<hostname>,ip:<address> listing every name and address clients will use.
- The CN of a client certificate can be any value and needs no -ext extension.
Creating a certificate
Generate the server certificate (123456 is a placeholder password; use a strong one outside local testing). If you will browse to https://localhost, add dns:localhost to the SAN as well:
  keytool -genkey -alias server -keyalg RSA -keypass 123456 -keystore ~/ssl/ [-storetype JKS] -storepass 123456 -validity 3650 -dname "CN=localhost" -ext SAN=ip:127.0.0.1
Generate a client certificate so that the server can verify the client. For the certificate to be importable into IE and Firefox the store must be PKCS12 (the client CN can be any value):
  keytool -genkey -alias client -keyalg RSA -keypass 123456 -keystore ~/ssl/client.p12 -storetype PKCS12 -storepass 123456 -validity 3650 -dname "CN=client"
Export certificate information
The exported file contains the certificate only, never the private key. There are two kinds: self-signed certificates and CA-issued certificates; both ways of obtaining one are described below.
- A CA-issued certificate plays the same role as the exported self-signed server certificate, and you use one or the other. The difference is whether a certificate authority has vouched for it.
- With a self-signed certificate there is no need to create a certificate signing request (CSR); with a CA-issued certificate there is no need to export the self-signed server certificate.
- Most CA-issued certificates cost money.
Export a self-signed certificate
A self-signed certificate has not been vouched for by a certificate authority, but that does not stop it from being used. Export it with:
Usage:
  keytool -export -alias <alias> -keystore <keystore_file> -storepass <keystore_passwd> -file <file_cer> [-rfc]
Options:
  -export      Export a certificate (short form of -exportcert)
  -alias       Alias of the entry in the keystore (a JKS can hold several key pairs; the alias selects which certificate to export)
  -keystore    Keystore file
  -storepass   Keystore password
  -file        Output path
  -rfc         Write the certificate Base64-encoded in PEM format (text); without it the export is binary DER
Export certificate examples
Export the server certificate
This exports the server's self-signed certificate. If you want a CA-issued certificate instead, generate a certificate signing request (next section).
  keytool -export -alias server -keystore ~/ssl/ -storepass 123456 -file ~/ssl/
Export the client certificate
Two-way authentication, server trusts client: keytool -import takes a certificate file, not a PKCS12 store, so first export the client certificate as a separate CER file.
  keytool -export -alias client -keystore ~/ssl/client.p12 -storepass 123456 -file ~/ssl/ -rfc
Obtain a CA-issued certificate (generate a certificate signing request)
To have a certificate authority issue your certificate, you do not use the self-signed certificate above. Instead, export a Certificate Signing Request (CSR) from the keystore and submit it to the CA. Once the CA has issued the certificate, import it into the local keystore, and import the CA's certificate into the truststores that need to trust it.
Usage:
  keytool -certreq -alias <alias> -keystore <keystore_file> -storepass <keystore_passwd> -file <file_csr>
Options:
  -certreq     Generate and export a certificate signing request
  -alias       Alias of the entry in the keystore
  -keystore    Keystore file name
  -storepass   Keystore password
  -file        Output path of the CSR file
Certificate signing request example
Generate a certificate signing request (CSR):
  keytool -certreq -alias server -keystore ~/ssl/ -storepass 123456 -file ~/ssl/
View the generated CSR:
  keytool -printcertreq -file
Import into a keystore
Two-way authentication: import each side's public certificate into the other side's truststore so that the client and the server trust each other.
Usage:
  keytool -import [-trustcacerts] -alias <alias_cer> -keystore <keystore_file> -storepass <keystore_passwd> -file <file_cer>
Options:
  -import        Import a certificate (short form of -importcert)
  -alias         Alias under which the certificate is stored. It must not collide with an existing entry, except when importing a CA reply for your own key, where the alias must be that of the key entry
  -trustcacerts  When validating the imported certificate's chain, also consider the CA certificates in cacerts
  -keystore      Keystore file
  -storepass     Keystore password
  -file          Input file
Import certificate examples
1. Install the server certificate (import the server's public certificate on the client)
Two-way authentication, client trusts server: on a Windows client, double-click the certificate file and follow the wizard.
- Copy the server's public certificate to the client machine >> double-click it to open the certificate information page >> click [Install Certificate] to open the Certificate Import Wizard >> [Next] >> choose [Place all certificates in the following store] and click [Browse] >> select [Trusted Root Certification Authorities] and click [OK] >> [Next] >> [Finish]. A prompt confirms that the import completed.
- Copy the client certificate client.p12 to the client machine >> double-click it to open the Certificate Import Wizard >> [Next] >> [Next] >> enter the certificate password (the keystore password) and click [Next] >> [Next] >> [Finish]. A prompt confirms that the import completed.
2. Import the client certificate into the truststore (the client's public certificate)
Two-way authentication, server trusts client:
  keytool -import -alias clientCert -keystore ~/ssl/ -storepass 123456 -file ~/ssl/
This creates (or extends) a truststore file holding the public certificates to be trusted, here the client certificate. You can also point -keystore at the server keystore itself; the server then uses the same file as both keystore and truststore.
View the certificate
Usage:
  # View a single certificate (cer | crt)
  keytool -printcert -file <cert_file> [-v|-rfc]
  # View the certificate entries in a keystore
  keytool -list [-alias <alias_name>] -keystore <keystore_file> -storepass <keystore_passwd> [-v|-rfc]
  # View a generated CSR
  keytool -printcertreq -file <certreq_file>
Options:
  -alias       Alias of the entry in the keystore
  -keystore    Keystore file
  -storepass   Keystore password
  -printcert   Print a certificate file
  -list        By default prints each entry's type and certificate fingerprint. With -v the certificates are printed in human-readable form; with -rfc they are printed in PEM encoding
Certificate viewing examples
View certificate information
  keytool -printcert -file ~/ssl/ [-v|-rfc]
View the keystore
  keytool -list -keystore ~/ssl/ -storepass 123456 -v
View the Base64 (PEM-encoded) content
  keytool -list -keystore ~/ssl/ -storepass 123456 -rfc
Other keytool commands
  # Delete the specified entry from the keystore
  keytool -delete -alias <alias> -keystore <keystore_file> -storepass <keystore_passwd>
  # Rename an entry
  keytool -changealias -keystore <keystore_file> -alias <old_alias> -destalias <new_alias>
  # Change an entry's password
  keytool -keypasswd -alias <alias> -keypass <old_keypasswd> -new <new_keypasswd> -keystore <keystore_file> -storepass <keystore_passwd>
  # Change the keystore password
  keytool -storepasswd -new <new_storepasswd> -keystore <keystore_file> -storepass <old_storepasswd>
  # List the trusted CA certificates in the JVM's truststore (its storepass defaults to changeit)
  ## On JDK 8 the file is JAVA_HOME/jre/lib/security/cacerts; on JDK 9 and later it is JAVA_HOME/lib/security/cacerts.
  ## It is the JVM's CA store; pass -alias to check whether a given certificate really was imported.
  keytool -list -v [-alias clientCer] -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
  # Import a new CA certificate into the JRE's truststore
  ## Common error: "No trusted certificate found": the client has not imported the certificate presented by the server into the truststore the JVM uses.
  ## Note that editing cacerts affects every application on that JVM and is lost on a JDK upgrade; a dedicated truststore passed with -Djavax.net.ssl.trustStore is easier to manage.
  keytool -import -trustcacerts -alias clientCer -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file ~/ssl/
Tomcat service authentication configuration
Open Tomcat_HOME/conf/, find the commented-out SSL connector and change it as follows (Tomcat does not expand ~; give keystoreFile and truststoreFile absolute paths, or paths relative to CATALINA_BASE):
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"
             keystoreFile="~/ssl/" keystorePass="123456"
             truststoreFile="~/ssl/" truststorePass="123456" />
Tips:
- clientAuth controls whether the client certificate is verified:
  - false: one-way SSL, only the server is authenticated
  - true: two-way SSL is mandatory; the client must present a valid certificate
  - want: the client certificate is verified if presented, but a client without a valid certificate is still accepted
- With clientAuth="true" the client must present a certificate; import the p12 file into the browser by double-clicking it
- The browser's default HTTP port is 80 and its default HTTPS port is 443
- keystoreFile / keystorePass: the server's keystore file and its password
- truststoreFile / truststorePass: the truststore file and its password, used to verify clients
SSL one-way certificate authentication configuration
- Create the server certificate
- Export the server's public certificate
- Import the server's public certificate on the client (client trusts server)
- Configure Tomcat
Open Tomcat_HOME/conf/, find the commented-out SSL connector and change it as follows:
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="~/ssl/" keystorePass="123456" />
SSL two-way certificate authentication configuration
- Create the server certificate and the client certificate
- Export the server's public certificate and the client's public certificate
- Import the server's public certificate on the client (the client trusts the server)
- Import the client's public certificate into the truststore (the server trusts the client)
- Configure Tomcat and enable two-way authentication:
Open Tomcat_HOME/conf/, find the commented-out SSL connector and change it as follows:
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"
             keystoreFile="~/ssl/" keystorePass="123456"
             truststoreFile="~/ssl/" truststorePass="123456" />
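The whole two-way procedure (create the server and client key pairs, export the public certificates, cross-import them into the two truststores, as described in the creation, export and import sections above and in the step list just given) as one runnable script. This is an added example, not the article's own commands: it uses PKCS12 stores instead of JKS, the aliases server and client, the constructed file names server.p12, client.p12, server-truststore.p12 and client-truststore.p12, and a demo password taken from $STOREPASS. It then checks the result for the failure modes listed in the FAQ: a server certificate without a SAN, an MD5/SHA1 signature, and a truststore that does not contain the peer's certificate.

```shell
#!/bin/sh
# Added example, not the article's own script: build the two-way TLS material described
# above with keytool and PKCS12 stores, then check it for the problems listed in the FAQ.
# Assumptions: a JDK keytool on PATH, PKCS12 stores instead of JKS, the aliases "server"
# and "client", and a throwaway password from $STOREPASS (the default below is demo only).

STOREPASS=${STOREPASS:-changeit-demo}

# Create server and client key pairs plus the two truststores in directory $1.
build_mutual_tls_material() {
  d=$1
  # Server: CN and SAN must name what clients connect to; browsers match the SAN, not the CN.
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 3650 -dname "CN=localhost,OU=Dev,O=Example,L=San Francisco,ST=California,C=US" \
    -ext "SAN=dns:localhost,ip:127.0.0.1" \
    -keystore "$d/server.p12" -storetype PKCS12 -storepass "$STOREPASS" -keypass "$STOREPASS"
  # Client: the CN is free-form and no SAN is needed.
  keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 3650 -dname "CN=client,O=Example,C=US" \
    -keystore "$d/client.p12" -storetype PKCS12 -storepass "$STOREPASS" -keypass "$STOREPASS"
  # Export only the public certificates (PEM via -rfc); the private keys stay in the stores.
  keytool -exportcert -rfc -alias server -keystore "$d/server.p12" -storepass "$STOREPASS" -file "$d/server.cer"
  keytool -exportcert -rfc -alias client -keystore "$d/client.p12" -storepass "$STOREPASS" -file "$d/client.cer"
  # Cross-trust: the server truststore gets the client cert, the client truststore the server cert.
  keytool -importcert -noprompt -alias client -file "$d/client.cer" \
    -keystore "$d/server-truststore.p12" -storetype PKCS12 -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias server -file "$d/server.cer" \
    -keystore "$d/client-truststore.p12" -storetype PKCS12 -storepass "$STOREPASS"
}

# Check the material in directory $1 for the FAQ failure modes: missing SAN, weak signature
# algorithm, and a truststore that does not hold the other side's certificate.
verify_mutual_tls_material() {
  d=$1
  info=$(keytool -printcert -v -file "$d/server.cer")
  if ! printf '%s\n' "$info" | grep -q 'DNSName: localhost'; then
    echo "FAIL: server certificate has no SAN dns:localhost (browsers would reject it)"; return 1
  fi
  if printf '%s\n' "$info" | grep -Eq 'Signature algorithm name: (MD5|SHA1)with'; then
    echo "FAIL: server certificate uses an MD5/SHA1 signature"; return 1
  fi
  if ! keytool -list -keystore "$d/server-truststore.p12" -storepass "$STOREPASS" | grep -q '^client,.*trustedCertEntry'; then
    echo "FAIL: server truststore does not trust the client certificate"; return 1
  fi
  if ! keytool -list -keystore "$d/client-truststore.p12" -storepass "$STOREPASS" | grep -q '^server,.*trustedCertEntry'; then
    echo "FAIL: client truststore does not trust the server certificate"; return 1
  fi
  echo "OK: SAN present, SHA-256 signatures, mutual trust established"
}

# Build and verify in a temporary directory; skip cleanly when no keytool is installed.
run_demo() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; skipping"; return 0
  fi
  tmp=$(mktemp -d)
  build_mutual_tls_material "$tmp" >/dev/null 2>&1
  verify_mutual_tls_material "$tmp"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

if [ "${1:-}" = "--demo" ]; then run_demo; fi
```

Run it as `sh mutual_tls.sh --demo`. To wire the output into Tomcat, set keystoreFile to server.p12, truststoreFile to server-truststore.p12 and keystoreType/truststoreType to "PKCS12"; browsers import client.p12 directly. Because -noprompt suppresses the fingerprint confirmation that an interactive -import shows, compare the fingerprints printed by `keytool -printcert` out of band before trusting a certificate file you received from someone else.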
Redirect HTTP to HTTPS in Tomcat (optional)
Open Tomcat_HOME/conf/ and add the following. The CONFIDENTIAL transport guarantee makes Tomcat redirect plain-HTTP requests to the port named by the HTTP connector's redirectPort attribute, so that attribute must point at the SSL connector (8443 here):
  <login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
  </login-config>
  <security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
Test
- Start the Tomcat project
- Open the project address, for a local setup for example https://localhost:8443/
- If the browser reports the site as not secure, the client most likely does not have the server certificate installed
Frequently asked questions
Browser messages and their usual causes:
- "This server cannot verify that it is 192.168.. Your computer's operating system does not trust its security certificate...": the client has not imported the server certificate
- "This server cannot confirm that it is 192.168.. Its security certificate does not specify a Subject Alternative Name...": the server certificate was generated without the -ext SAN parameter
- "192.168.. does not accept your login certificate, or you may not have provided a login certificate...": the Tomcat configuration does not specify a truststore (or the truststore lacks the client certificate, or the browser has no client certificate installed)
This concludes the article on configuring Tomcat HTTPS two-way authentication with keytool.