Self-signing a JKS-format certificate on Windows

I. Preliminaries

1. OS: Windows 10 64-bit

2. Install OpenSSL. Download: https://slproweb.com/products/Win32OpenSSL.html

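II. Prepare the configuration file openssl.cnf for the self-signed certificate. Its main contents are as follows:

[req]
distinguished_name = req_distinguished_name #must match the [req_distinguished_name] section name below
encrypt_key = no
req_extensions = req_ext #must match the [req_ext] section name below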

[req_distinguished_name]
countryName = CN
countryName_default = CN
stateOrProvinceName = ZheJiang
stateOrProvinceName_default = ZheJiang
localityName = HangZhou
localityName_default = HangZhou
organizationalUnitName  = HangZhou
organizationalUnitName_default  = HangZhou
commonName_max  = 64

[req_ext]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
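subjectAltName = @alt_names #must match the [alt_names] section name below

[alt_names]
IP = your server's IP address
DNS = your server's domain name

III. In cmd, change to the directory that contains openssl.cnf (this makes the following steps easier).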

IV. Generate the .crt certificate.

1. Generate the private key file, using the RSA algorithm with 2048 bits.

Command: openssl genrsa -out cert.key 2048
Output:

Generating RSA private key, 2048 bit long modulus (2 primes)
....................................+++++
............................................................................+++++
e is 65537 (0x010001)


2. Use the private key cert.key to generate the .csr file, using the configuration file openssl.cnf with the extension section [req_ext].

Command: openssl req -new -key cert.key -out cert.csr -config openssl.cnf -extensions req_ext

Output: You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
CN [CN]:
ZheJiang [ZheJiang]:
HangZhou [HangZhou]:
HangZhou [HangZhou]:

3. Sign and issue the .crt certificate.

Command: openssl x509 -req -in cert.csr -signkey cert.key -out cert.crt -extfile openssl.cnf -extensions req_ext
Output: Signature ok
subject=C = CN, ST = ZheJiang, L = HangZhou, OU = HangZhou
Getting Private key

4. After the three steps above, the following files have been generated: cert.key, cert.csr and cert.crt.
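
As an added check that is not part of the original post, the POSIX shell functions below (usable from Git Bash or WSL on Windows; the openssl calls are the same as in cmd) confirm that cert.crt matches cert.key and carries the subjectAltName entries from openssl.cnf, and test its validity window: the x509 command above passes no -days, so OpenSSL's default of 30 days applies. The function names, the trimmed config inside make_sample and the SAN values 192.0.2.10 / example.test are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Needs openssl on PATH.

# make_sample DIR: repeat the three openssl steps non-interactively
# (-batch accepts the *_default values). SAN values are constructed.
make_sample() (
    mkdir -p "$1" && cd "$1" || exit 1
    cat > openssl.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
encrypt_key = no
req_extensions = req_ext
[req_distinguished_name]
countryName = CN
countryName_default = CN
[req_ext]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP = 192.0.2.10
DNS = example.test
EOF
    openssl genrsa -out cert.key 2048 2>/dev/null &&
    openssl req -new -batch -key cert.key -out cert.csr \
        -config openssl.cnf -extensions req_ext 2>/dev/null &&
    openssl x509 -req -in cert.csr -signkey cert.key -out cert.crt \
        -extfile openssl.cnf -extensions req_ext 2>/dev/null
)

# key_matches CERT KEY: true when CERT carries the RSA modulus of KEY.
key_matches() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) &&
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) &&
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# has_san CERT ENTRY: true when ENTRY, as printed by "openssl x509 -text"
# (e.g. "DNS:example.test"), appears in the subjectAltName extension.
has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | grep -qF -- "$2"
}

# valid_for CERT DAYS: true when CERT is still valid DAYS days from now.
valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

After sourcing these functions in the directory holding the generated files, a call such as key_matches cert.crt cert.key && has_san cert.crt "DNS:your server's domain name" && valid_for cert.crt 7 succeeds only when all three checks pass. A missing SAN entry usually means the -extfile and -extensions options were left off the x509 command.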

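V. Generate the .jks certificate

1. First convert the .crt file to the .p12 format. Type openssl at the command line and press Enter to enter the OpenSSL prompt, then run the following command: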

OpenSSL> pkcs12 -export -in cert.crt -inkey cert.key -out cert.p12
Enter Export Password: 
Verifying - Enter Export Password:
OpenSSL>

2. Convert the .p12 file to a .jks file. First type quit at the OpenSSL prompt to leave it, then run the following command:

Command: keytool -importkeystore -srckeystore cert.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore cert.jks

Output: 输入目标密钥库口令:
再次输入新口令:
输入源密钥库口令:
已成功导入别名 1 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消

3. After the two steps above, the following files have been generated: cert.p12 and cert.jks.

posted @ 2022-10-27 21:44  lightbc