Category: Networking and Security

2013-09-02 23:20:30

Setting up SSL communication between C++ and Java ran into a few problems; the solution is below. Two tools are used, keytool and OpenSSL. Replace TARGETNAME with the name of the files you want to generate, and PASSPHRASE with the password.
Basic OpenSSL operations are covered in earlier posts:
Installation:
Generating certificates:
Code:

Generate a certificate request for the private key (TARGETNAME.jks must already hold the key pair, see keytool -genkey below; SHA1withRSA is kept as in the original, but current JDKs and browsers reject SHA-1 signatures, so use SHA256withRSA for anything new)
keytool -certreq -alias client -sigalg SHA1withRSA -file TARGETNAME.csr -keypass PASSPHRASE -storepass PASSPHRASE -keystore TARGETNAME.jks
Sign the certificate with the CA
openssl ca -in TARGETNAME.csr -out TARGETNAME.crt -cert demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -notext
Convert the certificate to DER
openssl x509 -in TARGETNAME.crt -out TARGETNAME.der -outform DER
Convert the root certificate to DER
openssl x509 -in demoCA/cacert.pem -out demoCA/cacert.der -outform DER
Import the root certificate into the private-key keystore
keytool -import -v -trustcacerts -alias ca_root -file demoCA/cacert.der -storepass PASSPHRASE -keystore TARGETNAME.jks
Import the signed certificate into the private-key keystore
keytool -import -v -alias client -file TARGETNAME.der -storepass PASSPHRASE -keystore TARGETNAME.jks
Create a separate trust store (JKS) holding the root certificate
keytool -import -alias ca_root -file demoCA/cacert.der -keystore TARGETNAMETrust.jks


For more detail see the following, taken from: http://blog.csdn.net/platformlib/archive/2007/03/09/1525119.aspx

1. OpenSSL in practice

At work I needed to configure an FTP server that uses SSL with mutual authentication. Using OpenSSL and Java's keytool as the example tools, the certificates are produced as follows:

d:\openssl\mkcerts>openssl genrsa -out ca.key 1024

Create the CA private key
Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
………………………………………………………….++++++
………….++++++
e is 65537 (0x10001)

d:\openssl\mkcerts>openssl req -new -days 3650 -x509 -key ca.key -out cacert.pem -config openssl.cnf

Create the self-signed CA certificate (signed with the CA private key from the previous step)
Using configuration from openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chelseafc
Organizational Unit Name (eg, section) []:FTPTest
Common Name (eg, YOUR name) []:CHELSEA
Email Address []:chelsea@chelseafc.com

d:\openssl\mkcerts>openssl genrsa -des3 -out server.key 1024

Create the server private key (-des3 encrypts it under a passphrase)
Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
…………..++++++
.++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

d:\openssl\mkcerts>openssl rsa -in server.key -out serverkey.pem

Strip the passphrase from the server private key: openssl rsa with no cipher option writes serverkey.pem unencrypted (convenient for an unattended server, but the file itself then needs strict permissions)
read RSA key
Enter PEM pass phrase:
writing RSA key

d:\openssl\mkcerts>openssl req -new -days 3650 -key server.key -out server.csr -config openssl.cnf

Create the certificate request for the server certificate
Using configuration from openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) [] :BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chelseafc
Organizational Unit Name (eg, section) []: FTPTest
Common Name (eg, YOUR name) []: CHELSEA
Email Address []: chelsea@chelseafc.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

d:\openssl\mkcerts>openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in server.csr -out server.pem -config openssl.cnf

The CA signs the server certificate (needs the CA private key plus the serial-number file demoCA/serial and the database demoCA/index.txt)
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName : PRINTABLE:'CN'
stateOrProvinceName : PRINTABLE:'BEIJING'
localityName : PRINTABLE:'BEIJING'
organizationName : PRINTABLE:'Chelseafc'
organizationalUnitName: PRINTABLE:'FTPTest'
commonName : PRINTABLE:'CHELSEA'
emailAddress : IA5STRING:'chelsea@chelseafc.com'
Certificate is to be certified until Oct 26 03:01:33 2006 GMT (365 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

d:\openssl\mkcerts>openssl x509 -in server.pem -out server.crt

Convert format (rewrite as a bare PEM certificate, dropping the text dump that openssl ca prepends)

d:\openssl\mkcerts>openssl x509 -in demoCA/cacert.pem -out demoCA/cacert.crt

Convert format (same for the CA certificate)

d:\openssl\mkcerts>keytool -genkey -keyalg RSA -alias ftpsconnector -keystore ftps.jks -storepass changeit -storetype jks

Generate the Java client's private key (keystore file)
您的名字与姓氏是什么?
[Unknown]: CHELSEA
您的组织单位名称是什么?
[Unknown]: FTPTest
您的组织名称是什么?
[Unknown]: Chelseafc
您所在的城市或区域名称是什么?
[Unknown]: BEIJING
您所在的州或省份名称是什么?
[Unknown]: BEIJING
该单位的两字母国家代码是什么
[Unknown]: CN
CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING, ST=BEIJING, C=CN 正确吗?
[否]: Y

输入的主密码
(如果和 keystore 密码相同,按回车):

d:\openssl\mkcerts>keytool -certreq -alias ftpsconnector -keyalg RSA -file ftpsconnector.csr -keystore ftps.jks

Generate the Java client's certificate request
输入keystore密码: changeit

d:\openssl\mkcerts>openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in ftpsconnector.csr -out ftpsconnector.pem -config openssl.cnf

The CA signs the Java client certificate
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName : PRINTABLE:'CN'
stateOrProvinceName : PRINTABLE:'BEIJING'
localityName : PRINTABLE:'BEIJING'
organizationName : PRINTABLE:'Chelseafc'
organizationalUnitName: PRINTABLE:'FTPTest'
commonName : PRINTABLE:'CHELSEA'
Certificate is to be certified until Oct 26 03:05:08 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

d:\openssl\mkcerts>openssl x509 -in ftpsconnector.pem -out ftpsconnector.cer

Convert format

d:\openssl\mkcerts>keytool -import -alias root -trustcacerts -file demoCA/cacert.crt -keystore ftps.jks

Import the CA certificate into the JKS file and trust it (every certificate signed by this CA is then trusted as well)

输入keystore密码: changeit
Owner: EMAILADDRESS=chelsea@chelseafc.com, CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING, S
T=BEIJING, C=CN
发照者: EMAILADDRESS=chelsea@chelseafc.com, CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING,
ST=BEIJING, C=CN
序号: 0
有效期间: Wed Oct 26 10:55:43 CST 2005 至: Sat Oct 24 10:55:43 CST 2015
认证指纹:
MD5: 85:21:11:10:26:4A:CD:01:55:B7:47:DF:0D:58:AA:A3
SHA1: 91:74:88:03:B7:5C:E4:BD:27:1F:27:BF:10:23:0A:BA:2C:42:13:2B
信任这个认证? [否]: y
认证已添加至keystore中

d:\openssl\mkcerts>keytool -import -alias ftpsconnector -trustcacerts -file ftpsconnector.cer -keystore ftps.jks

Import our own certificate into the JKS file (at this point the JKS file holds everything needed to establish the SSL connection)
输入keystore密码: changeit
认证回复已安装在 keystore中
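The flow above (and the shorter TARGETNAME version at the top of the post) can be run end to end without any prompts. The script below is an added example, not code from the original post or from the CSDN source it cites: it writes a minimal openssl.cnf of its own, creates demoCA/index.txt and demoCA/serial (the files the `openssl ca` step depends on), issues one certificate with `openssl ca -batch`, converts it to DER exactly as the post does before `keytool -import`, and ends with `openssl verify`, the same chain check a Java client performs through `-trustcacerts`. All file names, config section names and subjects (Demo Root CA, client) are assumptions for the demo; it uses 2048-bit keys and SHA-256 instead of the post's 1024-bit keys and SHA-1.

```shell
#!/bin/sh
# Added example (not from the original post): a non-interactive "openssl ca"
# workflow mirroring the post's demoCA steps, run inside a temporary directory.
# Assumptions: the openssl CLI is installed; ca.cnf, the section names and the
# subjects "Demo Root CA" / "client" are made up for this demo.
set -eu

# Minimal config: the [demo_ca] section is what "openssl ca" reads, [req]/[req_dn]
# is the (empty) DN section "openssl req" insists on even when -subj is given.
write_ca_config() {
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = ./demoCA
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 365
policy           = policy_any
x509_extensions  = usr_cert

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}

# Builds the CA, signs one request, converts the result to DER and verifies the
# chain. Prints "OK" when openssl verify accepts the issued certificate.
run_demo() (
    work=$(mktemp -d)
    cd "$work"
    write_ca_config
    # The database and serial file the post mentions under the "openssl ca" step.
    mkdir -p demoCA/newcerts demoCA/private
    : > demoCA/index.txt
    echo 01 > demoCA/serial

    # CA private key and self-signed CA certificate (the post's ca.key / cacert.pem).
    openssl genrsa -out demoCA/private/cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key demoCA/private/cakey.pem \
        -out demoCA/cacert.pem -config ca.cnf -extensions v3_ca \
        -subj "/CN=Demo Root CA"

    # End-entity key and certificate request (the post's server.key / server.csr).
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -out client.csr -config ca.cnf \
        -subj "/CN=client"

    # The CA signs the request; -batch answers the two y/n prompts seen in the post,
    # -notext drops the human-readable dump so the file is a bare PEM certificate.
    openssl ca -batch -config ca.cnf -in client.csr -out client.crt -notext \
        >/dev/null 2>&1

    # PEM -> DER, as the post does before "keytool -import", then read it back.
    openssl x509 -in client.crt -out client.der -outform DER
    openssl x509 -in client.der -inform DER -noout -subject | grep -q 'CN *= *client'

    # Chain check: does the issued certificate validate against the CA certificate?
    if openssl verify -CAfile demoCA/cacert.pem client.crt >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
    cd / && rm -rf "$work"
)

run_demo
```

Run it as `sh ca_demo.sh`; it prints OK and removes its temporary directory. The keytool import steps from the post apply unchanged to the client.der and demoCA/cacert.pem it produces.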

Other OpenSSL command examples

openssl pkcs12 -export -clcerts -in client.pem -inkey clientkey.pem -out client.p12

openssl pkcs8 -inform PEM -nocrypt -in abcwebnet-pkcs8.key -out abcwebnet.key

openssl pkcs12 -export -out abcwebnet.pfx -inkey abcwebnet.key -in abcwebnet-pem.crt

… …
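The pkcs8 and pkcs12 commands listed above are the usual bridge between OpenSSL-issued keys and a Java keystore (`keytool -importkeystore -srcstoretype PKCS12` reads a .p12 file directly). The script below is an added example, not from the original post: it generates a throwaway key and self-signed certificate, converts the key to unencrypted PKCS#8 and back, packs key and certificate into a PKCS#12 file with -clcerts, unpacks both again, and confirms that every recovered form carries the same public key as the certificate. The file names and the passphrase demo-export are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): round-trips a key and certificate
# through PKCS#8 and PKCS#12, the formats behind the pkcs8/pkcs12 commands above.
# Assumptions: openssl CLI present; file names and the passphrase "demo-export"
# are invented for this demo.
set -eu

# Prints "MATCH" if the key recovered from the .p12 and the key that went through
# PKCS#8 both carry the same public key as the certificate in the .p12, else "DIFF".
pkcs_roundtrip() (
    work=$(mktemp -d)
    cd "$work"
    # Empty DN section so "openssl req" accepts -subj without prompting.
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > req.cnf

    # Self-signed test certificate with an unencrypted PEM key
    # (stands in for the post's clientkey.pem / client.pem).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout client.key -out client.pem \
        -days 1 -subj "/CN=client" -config req.cnf 2>/dev/null

    # PEM key -> unencrypted PKCS#8 (-nocrypt, as in the post), and back again.
    openssl pkcs8 -topk8 -nocrypt -in client.key -out client-pkcs8.key
    openssl pkcs8 -nocrypt -in client-pkcs8.key -out client-back.key

    # Bundle key + end-entity certificate only (-clcerts) into PKCS#12; the export
    # passphrase is given on the command line instead of at a prompt.
    openssl pkcs12 -export -clcerts -in client.pem -inkey client.key \
        -out client.p12 -passout pass:demo-export

    # Unpack the bundle again, certificate and key separately.
    openssl pkcs12 -in client.p12 -nokeys -passin pass:demo-export \
        -out from-p12.crt 2>/dev/null
    openssl pkcs12 -in client.p12 -nocerts -nodes -passin pass:demo-export \
        -out from-p12.key 2>/dev/null

    # Compare SubjectPublicKeyInfo: certificate vs. each private-key form.
    cert_pub=$(openssl x509 -in from-p12.crt -noout -pubkey)
    p12_pub=$(openssl pkey -in from-p12.key -pubout)
    pk8_pub=$(openssl pkey -in client-back.key -pubout)
    if [ "$cert_pub" = "$p12_pub" ] && [ "$cert_pub" = "$pk8_pub" ]; then
        echo MATCH
    else
        echo DIFF
    fi
    cd / && rm -rf "$work"
)

pkcs_roundtrip
```

Run it as `sh pkcs_demo.sh`; it prints MATCH. The same public-key comparison is a quick way to confirm that a certificate and the key you are about to import into a keystore actually belong together.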

2. keytool in practice

The name keystore is a bit misleading; it should really be CertStore. It can hold two kinds of information at once: your own keyEntry and trusted cert entries (that is, your own private and public key plus the public keys you trust). Sometimes the two are kept apart, with the trusted certificates stored in a separate file.

A keystore can have two kinds of password: one protecting the file itself (storepass) and one protecting each key inside the file (keypass).

Each key can be given an alias, which is then used to reference or access that key.

Example:

rem Create the client keystore

keytool -genkey -keyalg RSA -keystore client.jks -storetype jks -storepass client -alias client_rsa -keypass client_rsa -dname "CN=Client, OU=IBM, C=US" -keysize 1024 -validity 1460

rem Create the server keystore

keytool -genkey -keyalg RSA -keystore server.jks -storetype jks -storepass server -alias server_rsa -keypass server_rsa -dname "CN=Server, OU=IBM, C=US" -keysize 1024 -validity 1460

rem Export the client certificate from the client keystore in a portable format, ready to import into the server keystore

keytool -export -keystore client.jks -storetype jks -storepass client -alias client_rsa -file client_rsa.cer

rem Export the server certificate from the server keystore in a portable format, ready to import into the client keystore

keytool -export -keystore server.jks -storetype jks -storepass server -alias server_rsa -file server_rsa.cer

rem Import the client certificate into the server keystore (the effect is that the server trusts the client)

keytool -import -noprompt -keystore server.jks -storetype jks -storepass server -alias client_rsa -file client_rsa.cer

rem Import the server certificate into the client keystore (the effect is that the client trusts the server)

keytool -import -noprompt -keystore client.jks -storetype jks -storepass client -alias server_rsa -file server_rsa.cer

rem List the contents of the client keystore for inspection

keytool -list -keystore client.jks -storepass client -v

rem List the contents of the server keystore for inspection

keytool -list -keystore server.jks -storepass server -v
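The batch sequence above, run non-interactively with a check of the result. This is an added example, not from the original post: it needs a JDK keytool on PATH (it reports keytool-missing otherwise), uses the newer -genkeypair/-exportcert/-importcert spellings that keytool accepts as equivalents of -genkey/-export/-import, and uses 2048-bit keys instead of the post's 1024-bit ones. After the cross-import it lists client.jks and checks that client_rsa is a PrivateKeyEntry (own key pair) and server_rsa a trustedCertEntry (peer certificate), which is exactly what the mutual trust is built from. Aliases, passwords and DNs are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): the post's keytool sequence run
# without prompts, followed by a check of the entry types in client.jks.
# Assumption: a JDK keytool is on PATH; otherwise "keytool-missing" is printed.
set -eu

# Prints "OK" when client.jks ends up with its own PrivateKeyEntry (client_rsa)
# and the server's certificate as a trustedCertEntry (server_rsa).
mutual_trust() (
    command -v keytool >/dev/null 2>&1 || { echo keytool-missing; exit 0; }
    work=$(mktemp -d)
    cd "$work"

    # One keystore per side: storepass protects the file, keypass the private key.
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 1460 \
        -keystore client.jks -storetype jks -storepass client \
        -alias client_rsa -keypass client_rsa -dname "CN=Client, OU=IBM, C=US" \
        >/dev/null 2>&1
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 1460 \
        -keystore server.jks -storetype jks -storepass server \
        -alias server_rsa -keypass server_rsa -dname "CN=Server, OU=IBM, C=US" \
        >/dev/null 2>&1

    # Export each side's certificate (public part only) to a DER file.
    keytool -exportcert -keystore client.jks -storepass client \
        -alias client_rsa -file client_rsa.cer >/dev/null 2>&1
    keytool -exportcert -keystore server.jks -storepass server \
        -alias server_rsa -file server_rsa.cer >/dev/null 2>&1

    # Cross-import: each keystore now holds the peer's certificate as a trusted entry.
    keytool -importcert -noprompt -keystore server.jks -storepass server \
        -alias client_rsa -file client_rsa.cer >/dev/null 2>&1
    keytool -importcert -noprompt -keystore client.jks -storepass client \
        -alias server_rsa -file server_rsa.cer >/dev/null 2>&1

    # Inspect the client side: own key pair vs. trusted peer certificate.
    listing=$(keytool -list -keystore client.jks -storepass client 2>/dev/null)
    if echo "$listing" | grep -q 'client_rsa.*PrivateKeyEntry' &&
       echo "$listing" | grep -q 'server_rsa.*trustedCertEntry'; then
        echo OK
    else
        echo FAIL
    fi
    cd / && rm -rf "$work"
)

mutual_trust
```

Run it as `sh keytool_demo.sh`; it prints OK. The `keytool -list` check is the one worth keeping in any provisioning script: a keystore that holds only trustedCertEntry entries can verify peers but cannot present its own certificate, which is the usual cause of a mutual-authentication handshake failing on one side only.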

Reference: