1. Generate a self-signed CA private key and self-signed certificate, and export them in DER, P12 and JKS formats
set OPENSSL_CONF=C:\ProgramerTools\OpenSSL-Win64\bin\openssl.cfg
# generate the private key
openssl genrsa 1024 > NMyCA1024.key
# generate the self-signed certificate
openssl req -new -x509 -nodes -key NMyCA1024.key -days 1095 -subj "/C=CN/ST=ShangHai/L=ShangHai/O=NEOHOPE/OU=Development/CN=NMyCA1024" > NMyCA1024.pem
# convert to DER format and build the trust store
openssl x509 -outform der -in NMyCA1024.pem -out NMyCA1024.crt
keytool -import -trustcacerts -file NMyCA1024.crt -keystore NMyCA1024_trust.jks -storepass 123456
# convert to P12 format and build the key store
openssl pkcs12 -export -out NMyCA1024.p12 -in NMyCA1024.pem -inkey NMyCA1024.key
keytool -importkeystore -srckeystore NMyCA1024.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore NMyCA1024_key.jks
2. Generate the web site's private key, issue a CA-signed certificate for it, and export them in DER, P12 and JKS formats
# generate the private key
openssl genrsa 1024 > server.key
# request a certificate from the CA
openssl req -new -key server.key -subj "/C=CN/ST=ShangHai/L=ShangHai/O=NEOHOPE/OU=Development/CN=127.0.0.1" > server.csr
# issue the CA-signed certificate
openssl x509 -req -in server.csr -CA NMyCA1024.pem -CAkey NMyCA1024.key -CAcreateserial -days 365 > serversigned.crt
# build the trust store
keytool -import -trustcacerts -file serversigned.crt -keystore serversigned_trust.jks -storepass 123456
# convert to P12 format and build the key store
openssl pkcs12 -export -out serversigned.p12 -in serversigned.crt -inkey server.key
keytool -importkeystore -srckeystore serversigned.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore serversigned_key.jks
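As an added example (not part of the original post), the POSIX shell script below carries out steps 1 and 2 with the same subjects but with 2048-bit keys, since current browsers and JDKs reject 1024-bit RSA, and with a subjectAltName for 127.0.0.1, which modern clients check instead of the CN; it then runs the check the post leaves out, an `openssl verify` of the server certificate against the CA, plus a negative control against an unrelated CA. The scratch directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the CA -> server chain of
# steps 1 and 2, then verify that the server certificate chains to the CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: writable)
SUBJ="/C=CN/ST=ShangHai/L=ShangHai/O=NEOHOPE/OU=Development"

# Step 1: self-signed CA. 2048 bits rather than 1024: current browsers and
# JDKs reject 1024-bit RSA keys.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -days 1095 \
    -subj "$SUBJ/CN=NMyCA" -out "$WORK/ca.pem" 2>/dev/null
}

# Step 2: server key, CSR, CA-signed certificate. Modern clients match the
# host against subjectAltName, not CN, so the address goes into a SAN too.
make_server_cert() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "$SUBJ/CN=127.0.0.1" \
    -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=IP:127.0.0.1\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# The check the post leaves out: does server.crt chain to ca.pem?
# Prints OK or FAIL and returns 0 or 1.
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.crt" >/dev/null 2>&1
  then echo OK; return 0; fi
  echo FAIL; return 1
}

# Negative control: the same certificate must NOT verify against an unrelated
# CA; that rejection is what protects a client from an impostor server.
verify_against_wrong_ca() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -subj "/CN=OtherCA" -days 1 -out "$WORK/other.pem" 2>/dev/null
  openssl verify -CAfile "$WORK/other.pem" "$WORK/server.crt" >/dev/null 2>&1 \
    && return 1
  return 0
}

make_ca && make_server_cert && verify_chain
```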
3. On the server side, use serversigned.p12 or serversigned_key.jks
4. On the browser side, import NMyCA1024.crt as a root CA certificate; the browser can then open the HTTPS site normally
5. If a Java client is to do the verification, the CA certificate must be imported into the CA list of the corresponding JDK or JRE; with serversigned_trust.jks the site can then be accessed normally
keytool -import -trustcacerts -file NMyCA1024.crt -alias NMyCA1024 -keystore %JRE_HOME%\lib\security\cacerts -storepass changeit