BlogJava-夜来风雨声的盒子-文章分类-Serverhttp://www.blogjava.net/nightlee/category/3965.htmlzh-cnWed, 28 Feb 2007 12:22:42 GMTWed, 28 Feb 2007 12:22:42 GMT60使用CA签发服务器证书的脚本(keystore中)http://www.blogjava.net/Nightlee/articles/16528.html夜来风雨声夜来风雨声Mon, 24 Oct 2005 01:24:00 GMThttp://www.blogjava.net/Nightlee/articles/16528.htmlhttp://www.blogjava.net/Nightlee/comments/16528.htmlhttp://www.blogjava.net/Nightlee/articles/16528.html#Feedback0http://www.blogjava.net/Nightlee/comments/commentRss/16528.htmlhttp://www.blogjava.net/Nightlee/services/trackbacks/16528.htmlset JDK_HOME=D:\j2sdk1.4.2_06

rem 生成KeyPair
%JDK_HOME%\bin\keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "cn=localhost, ou=department, o=company, l=Beijing, st=Beijing, c=CN" -keystore server_keystore

rem 生成待签名证书
%JDK_HOME%\bin\keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server.csr -keypass changeit -keystore server_keystore -storepass changeit

rem 用CA私钥签名
openssl ca -in %server.csr -config openssl.cnf -policy policy_anything -out server.cer

rem 从JSSE删除同名的CA根证书
%JDK_HOME%\bin\keytool -delete -v -storepass changeit -alias my_ca_root -keystore %JDK_HOME%\jre\lib\security\cacerts

rem 导入信任的CA根证书到JSSE的默认位置
rem 在Windows会有两个JRE,一个在JDK目录下,一个在programe\java中,所以要明确指定使用那个JSSE
%JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca\cacert.cer -keystore %JDK_HOME%\jre\lib\security\cacerts

pause
rem 将server.cer保存为base64编码后继续(server64.cer)

rem 把CA签名后的server端证书导入keystore
%JDK_HOME%\bin\keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server64.cer -keystore server_keystore
pause



夜来风雨声 2005-10-24 09:24 发表评论
]]>使用CA发布新证书的脚本http://www.blogjava.net/Nightlee/articles/16527.html夜来风雨声夜来风雨声Mon, 24 Oct 2005 01:21:00 GMThttp://www.blogjava.net/Nightlee/articles/16527.htmlhttp://www.blogjava.net/Nightlee/comments/16527.htmlhttp://www.blogjava.net/Nightlee/articles/16527.html#Feedback0http://www.blogjava.net/Nightlee/comments/commentRss/16527.htmlhttp://www.blogjava.net/Nightlee/services/trackbacks/16527.htmlrem 设置openssl的路径
set OPENSSL_HOME=I:\workspace\openssl\openssl-0.9.7
path=%path%;%OPENSSL_HOME%\out32dll

rem 产生私钥
openssl genrsa -out %1.pem -rand ca\.rand 512

rem 生成自签名公钥
openssl req -new -x509 -days 3650 -key %1.pem -out %1_self.cer -config openssl.cnf

rem 用CA私钥进行签名
openssl ca -ss_cert %1_self.cer -config openssl.cnf -policy policy_anything -out %1.cer
del %1_self.cer

rem 生成pfx文件
openssl pkcs12 -export -in %1.cer -inkey %1.pem -out %1.pfx

pause



夜来风雨声 2005-10-24 09:21 发表评论
]]>生成CA根证书的脚本http://www.blogjava.net/Nightlee/articles/16526.html夜来风雨声夜来风雨声Mon, 24 Oct 2005 01:20:00 GMThttp://www.blogjava.net/Nightlee/articles/16526.htmlhttp://www.blogjava.net/Nightlee/comments/16526.htmlhttp://www.blogjava.net/Nightlee/articles/16526.html#Feedback0http://www.blogjava.net/Nightlee/comments/commentRss/16526.htmlhttp://www.blogjava.net/Nightlee/services/trackbacks/16526.htmlrem 设置openssl的路径
set OPENSSL_HOME=I:\workspace\openssl\openssl-0.9.7
path=%path%;%OPENSSL_HOME%\out32dll

md ca
cd ca
del/s/q *

rem 建立随机文件
echo 1234567890 > .rand

rem 建立数据库
echo #database > index.txt

rem 建立索引
echo 01 > serial

rem 生成CA私钥
openssl genrsa -out cakey.pem -rand .rand 512

rem 建立CA待签名证书
:openssl req -new -out careq.csr -key cakey.pem

rem 建立CA中心根证书,自签名
openssl req -new -x509 -days 3650 -key cakey.pem -out cacert.cer -config ..\openssl.cnf


cd ..
pause



夜来风雨声 2005-10-24 09:20 发表评论
]]>Tomcat ssl配置补充http://www.blogjava.net/Nightlee/articles/15941.html夜来风雨声夜来风雨声Wed, 19 Oct 2005 08:01:00 GMThttp://www.blogjava.net/Nightlee/articles/15941.htmlhttp://www.blogjava.net/Nightlee/comments/15941.htmlhttp://www.blogjava.net/Nightlee/articles/15941.html#Feedback0http://www.blogjava.net/Nightlee/comments/commentRss/15941.htmlhttp://www.blogjava.net/Nightlee/services/trackbacks/15941.html
keytool错误: java.lang.Exception: 无法从回复中建立链接

最后发现是由于CA server重,根证书被换过了,而我还是用的原来的,换过重来就没问题了

夜来风雨声 2005-10-19 16:01 发表评论
]]>Tomcat ssl 的配置http://www.blogjava.net/Nightlee/articles/15940.html夜来风雨声夜来风雨声Wed, 19 Oct 2005 07:59:00 GMThttp://www.blogjava.net/Nightlee/articles/15940.htmlhttp://www.blogjava.net/Nightlee/comments/15940.htmlhttp://www.blogjava.net/Nightlee/articles/15940.html#Feedback0http://www.blogjava.net/Nightlee/comments/commentRss/15940.htmlhttp://www.blogjava.net/Nightlee/services/trackbacks/15940.html准备

1。ca服务器

2。ca根证书及私钥

步骤

1。申请keystore,使用ca根证书及密码

E:\java\jdk14\bin>keytool -import -file E:\coa\cert\itrusca-win.crt -keypass huatong -keystore E:\coa\cert\huatong_keystore -storepass huatong

2。制造服务器私钥,使用上步生成的keystore及密码

keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass huatong -storepass huatong -dname "cn=NightBox, ou=department, o=company, l=Beijing, st=Beijing, c=CN" -keystore E:\coa\cert\huatong_keystore

3。产生申请文件,然后在ca上申请服务器证书,保存为server_cert.cer

keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file E:\coa\cert\server.csr -keypass huatong -keystore E:\coa\cert\huatong_keystore -storepass huatong

4。导入ca根证书到JRE

keytool -import -v -trustcacerts -storepass changeit -alias itrus_ca_root -file E:\coa\cert\itrusca-win.crt -keystore E:\java\jdk14\jre\lib\security\cacerts

5。导入根证书到keystore

keytool -import -v -trustcacerts -storepass huatong -alias itrus_ca_root -file E:\coa\cert\itrusca-win.crt -keystore E:\coa\cert\huatong_keystore

6。导入服务器证书到keystore

keytool -import -v -trustcacerts -storepass huatong -alias tomcat_server -file E:\coa\cert\server_cert.cer -keystore E:\coa\cert\huatong_keystore

7。修改tomcat的server.xml

<Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
        keystoreFile="E:\coa\cert\huatong_keystore"  keystorePass="huatong"     
/>



夜来风雨声 2005-10-19 15:59 发表评论
]]>