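Creating a self-signed JKS certificate on Windows
I. Preliminaries
1. OS: Windows 10, 64-bit
2. Install OpenSSL. Download: https://slproweb.com/products/Win32OpenSSL.html
II. Prepare the configuration file [openssl.cnf] for the self-signed certificate. Its main contents are as follows: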
[req]
distinguished_name = req_distinguished_name  # must match the [req_distinguished_name] section below
encrypt_key = no
req_extensions = req_ext  # must match the [req_ext] section below

[req_distinguished_name]
# In this section each field's value is the prompt text shown by openssl req; the _default value is used when Enter is pressed
countryName = CN
countryName_default = CN
stateOrProvinceName = ZheJiang
stateOrProvinceName_default = ZheJiang
localityName = HangZhou
localityName_default = HangZhou
organizationalUnitName = HangZhou
organizationalUnitName_default = HangZhou
commonName_max = 64

[req_ext]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names  # must match the [alt_names] section below

[alt_names]
IP = <your server's IP address>
DNS = <your server's domain name>
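III. In [cmd], change to the directory that contains the configuration file [openssl.cnf] (this makes the following steps easier).
IV. Generate the .crt certificate.
1. Generate the private key file, using the RSA algorithm with a 2048-bit key.
Command: openssl genrsa -out cert.key 2048
Output: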
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................+++++
............................................................................+++++
e is 65537 (0x010001)
2. Use the private key [cert.key] to generate the .csr file, using the configuration file [openssl.cnf] with the extension section [req_ext].
Command: openssl req -new -key cert.key -out cert.csr -config openssl.cnf -extensions req_ext
Output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
CN [CN]:
ZheJiang [ZheJiang]:
HangZhou [HangZhou]:
HangZhou [HangZhou]:
3. Issue the .crt certificate.
Command: openssl x509 -req -in cert.csr -signkey cert.key -out cert.crt -extfile openssl.cnf -extensions req_ext
Output:
Signature ok
subject=C = CN, ST = ZheJiang, L = HangZhou, OU = HangZhou
Getting Private key
4. After the three steps above, the following files have been generated: cert.key, cert.csr and cert.crt.
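V. Generate the .jks certificate
1. First convert the .crt file to the .p12 format. Type the [openssl] command at the command line and press Enter to enter the openssl prompt, then run the following command:
OpenSSL> pkcs12 -export -in cert.crt -inkey cert.key -out cert.p12
Enter Export Password:
Verifying - Enter Export Password:
OpenSSL>
2. Convert the .p12 file to a .jks file. First type [quit] at the openssl prompt to leave it, then run the following command:
Command: keytool -importkeystore -srckeystore cert.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore cert.jks
Output:
输入目标密钥库口令:
再次输入新口令:
输入源密钥库口令:
已成功导入别名 1 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消
3. After the two steps above, the following files have been generated: cert.p12 and cert.jks.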
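The batch script below is an added example, not part of the original page: it checks the files produced in sections IV and V before the keystore is deployed. It assumes openssl (1.1.1 or later, for the -ext option) and keytool are on PATH, that it is run from the same directory, and that the JKS password has been placed in an environment variable named JKS_PASS (a name chosen for this example).

```batch
@echo off
rem Added example: verify cert.key, cert.crt and cert.jks from the steps above.
setlocal

rem 1. The private key must parse and be internally consistent.
openssl rsa -in cert.key -check -noout || goto :fail

rem 2. The certificate must belong to that key: both moduli must be identical.
openssl x509 -in cert.crt -noout -modulus > crt.mod || goto :fail
openssl rsa -in cert.key -noout -modulus > key.mod || goto :fail
fc crt.mod key.mod > nul || goto :fail

rem 3. The SAN from [alt_names] must be in the certificate itself, not only
rem    in the CSR; without -extfile/-extensions in step IV.3 it is dropped.
openssl x509 -in cert.crt -noout -ext subjectAltName | findstr /c:"DNS:" /c:"IP Address:" || goto :fail

rem 4. Show subject and validity. Step IV.3 passes no -days option, so the
rem    OpenSSL default of 30 days applies; fail if less than 7 days remain.
openssl x509 -in cert.crt -noout -subject -dates
openssl x509 -in cert.crt -noout -checkend 604800 || goto :fail

rem 5. The JKS must hold a private-key entry, not just a trusted certificate.
rem    The password is read from the environment, not typed on the command line.
keytool -list -v -keystore cert.jks -storepass:env JKS_PASS | findstr /c:"PrivateKeyEntry" || goto :fail

del crt.mod key.mod
echo All checks passed.
exit /b 0

:fail
if exist crt.mod del crt.mod
if exist key.mod del key.mod
echo Check failed. 1>&2
exit /b 1
```

If check 4 fails because the certificate is about to expire, reissue it in step IV.3 with an explicit -days value.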