Certificate Notes

Understanding Keystore & Truststore

A keystore holds private keys and identity certificates; a program presents these to the other party (server or client) so that it can be authenticated. As the name says, Key refers to the private key and its certificate and Store is the repository, so a keystore is the repository of the program's own certificates; it provides authentication during the SSL connection.

A truststore holds certificates from certification authorities (CAs); these are used to validate the certificate the server presents during the SSL connection. As the name says, Trust is trust and Store is the repository, so a truststore is the repository of trusted certificates.

Self-signed CA and server certificate example

  1. Generate ca.key & ca.crt

openssl genrsa -aes256 -passout pass:shankai@ca -out ca.key 4096
openssl req -new -x509 -days 3650 -subj "/C=CN/ST=SHAANXI/L=XI'AN/O=shankai/OU=dev/CN=shankai.city" -passin pass:shankai@ca -key ca.key -out ca.crt
  2. Generate server.key & server.crt

Using the keycloak service as the example

  • extfile: keycloak.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = sso.shankai.city

  • generate

openssl genrsa -out keycloak.key 2048
openssl req -new -key keycloak.key -subj "/C=CN/ST=SHAANXI/L=XI'AN/O=shankai/OU=dev/CN=sso.shankai.city" -out keycloak.csr

openssl x509 -req -in keycloak.csr -passin pass:shankai@ca -CA ca.crt -CAkey ca.key -CAcreateserial -out keycloak.crt -days 1825 -sha256 -extfile keycloak.ext
  3. Format conversion [optional]
  • crt -> p12, p12 -> jks

openssl pkcs12 -export -out keycloak.p12 -in keycloak.crt -inkey keycloak.key -password pass:shankai@2021
keytool -importkeystore -srcstorepass shankai@2021 -deststorepass shankai@2021 -destkeypass shankai@2021 -srckeystore keycloak.p12 -srcstoretype PKCS12 -destkeystore keycloak.jks -deststoretype JKS

openssl pkcs12 -export -out ca.p12 -in ca.crt -inkey ca.key -passin pass:shankai@ca -password pass:shankai@2021
keytool -importkeystore -srcstorepass shankai@2021 -deststorepass shankai@2021 -destkeypass shankai@2021 -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore truststore.jks -deststoretype JKS
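The three steps above carried out end to end and then checked, as an added example that is not part of the original notes. It rebuilds the private CA and the keycloak server certificate with openssl only (no keytool), then verifies the chain, reads back the SAN, and counts the private keys inside each PKCS#12 file. Assumptions: openssl on PATH with its default openssl.cnf, the constructed passwords and file names from the notes, and a 2048-bit CA key to keep the run short. One deliberate difference: the notes build ca.p12 from ca.crt plus ca.key, so the resulting truststore.jks also carries the CA private key; a truststore only needs the CA certificate, so this example exports it with -nokeys and the check confirms that no private key is inside.

```shell
#!/bin/sh
# Added example, not part of the original notes. Rebuilds the private CA and the
# keycloak server certificate from the steps above, then checks the result.
# Assumes: openssl on PATH with its default openssl.cnf; passwords and file
# names are the constructed values used in the notes.
set -eu

build_pki() {
  dir="$1"
  mkdir -p "$dir"
  (
    cd "$dir"
    # Extension file for the leaf certificate (same content as keycloak.ext above).
    cat > keycloak.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = sso.shankai.city
EOF
    # Step 1: encrypted CA key and self-signed CA certificate (2048 bits keeps the demo fast).
    openssl genrsa -aes256 -passout pass:shankai@ca -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 \
      -subj "/C=CN/ST=SHAANXI/L=XI'AN/O=shankai/OU=dev/CN=shankai.city" \
      -passin pass:shankai@ca -key ca.key -out ca.crt
    # Step 2: server key, CSR, and CA-signed certificate carrying the SAN from keycloak.ext.
    openssl genrsa -out keycloak.key 2048 2>/dev/null
    openssl req -new -key keycloak.key \
      -subj "/C=CN/ST=SHAANXI/L=XI'AN/O=shankai/OU=dev/CN=sso.shankai.city" -out keycloak.csr
    openssl x509 -req -in keycloak.csr -passin pass:shankai@ca -CA ca.crt -CAkey ca.key \
      -CAcreateserial -out keycloak.crt -days 1825 -sha256 -extfile keycloak.ext 2>/dev/null
    # Step 3: keystore = server cert + key; truststore = CA certificate only (-nokeys),
    # so the CA private key stays with the CA instead of being copied into every client.
    openssl pkcs12 -export -out keycloak.p12 -in keycloak.crt -inkey keycloak.key -password pass:shankai@2021
    openssl pkcs12 -export -nokeys -out truststore.p12 -in ca.crt -password pass:shankai@2021
  )
}

# Chain check: prints "keycloak.crt: OK" when the leaf validates against ca.crt.
verify_chain() {
  ( cd "$1" && openssl verify -CAfile ca.crt keycloak.crt )
}

# DNS names in the leaf's subjectAltName; this is what TLS clients match the host name against.
san_names() {
  openssl x509 -in "$1/keycloak.crt" -noout -text | grep -o 'DNS:[^,]*'
}

# Number of private keys inside a PKCS#12 file (0 expected for the truststore, 1 for the keystore).
private_keys_in() {
  openssl pkcs12 -in "$1" -nodes -passin pass:shankai@2021 2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY' || true
}

WORK=$(mktemp -d)
build_pki "$WORK"
verify_chain "$WORK"
san_names "$WORK"
echo "private keys in truststore.p12: $(private_keys_in "$WORK/truststore.p12")"
echo "private keys in keycloak.p12:   $(private_keys_in "$WORK/keycloak.p12")"
```

The truststore.p12 produced here can be fed to the same keytool -importkeystore command as in the notes, or ca.crt can be imported directly with keytool -importcert; either way the JKS truststore ends up with the CA certificate and nothing else.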

Certificate tools

  • openssl
  • keytool

Certificate formats

Common formats

Certificate generation and format conversion

Openssl

pfx -> pem

openssl pkcs12 -clcerts -nokeys -out one123456.pem -in one123456.pfx
openssl pkcs12 -nocerts -out one123456.key.pem -in one123456.pfx

openssl pkcs12 -clcerts -nokeys -out two123456.pem -in two123456.pfx
openssl pkcs12 -nocerts -out two123456.key.pem -in two123456.pfx

crt + key -> p12

openssl pkcs12 -export -in dop.crt -inkey dop.key -out dop.p12 -name dop -password pass:abcdef
openssl pkcs12 -export -in wiki.crt -inkey wiki.key -out wiki.p12 -name wiki -password pass:abcdef
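The crt + key -> p12 and p12 -> pem conversions above, carried through as a round trip with a check that the extracted key still belongs to the certificate. This is an added example and not code from the original notes: it generates a throwaway self-signed certificate named dop with the constructed password abcdef and assumes openssl on PATH. The matching check compares the RSA modulus of the certificate with that of the key, which is the usual way to catch a mixed-up key and certificate before they are loaded into a keystore; the second key in the test shows the mismatch case.

```shell
#!/bin/sh
# Added example, not part of the original notes. Round-trips a certificate and
# key through PKCS#12 (crt + key -> p12 -> pem) and confirms the extracted key
# still matches the certificate. Names and the password are constructed.
set -eu

make_test_cert() {          # throwaway self-signed cert + key for the demo
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dop" \
    -keyout "$1/dop.key" -out "$1/dop.crt" 2>/dev/null
}

to_p12() {                  # crt + key -> p12, as in the notes; -name becomes the friendlyName
  openssl pkcs12 -export -in "$1/dop.crt" -inkey "$1/dop.key" -out "$1/dop.p12" \
    -name dop -password pass:abcdef
}

from_p12() {                # p12 -> pem: -nokeys keeps only the cert, -nocerts only the key
  openssl pkcs12 -clcerts -nokeys -in "$1/dop.p12" -out "$1/dop.pem" -passin pass:abcdef
  openssl pkcs12 -nocerts -nodes -in "$1/dop.p12" -out "$1/dop.key.pem" -passin pass:abcdef
}

# Fingerprint of the RSA modulus, so the long number can be compared as a short hash.
cert_modulus() { openssl x509 -noout -modulus -in "$1" | openssl dgst -sha256 | awk '{print $NF}'; }
key_modulus()  { openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }

key_matches_cert() {        # prints "match" when the key belongs to the certificate, else "mismatch"
  if [ "$(cert_modulus "$1")" = "$(key_modulus "$2")" ]; then echo match; else echo mismatch; fi
}

friendly_name() {           # the -name given at export is stored as the friendlyName bag attribute
  openssl pkcs12 -in "$1" -nokeys -passin pass:abcdef 2>/dev/null | grep -o 'friendlyName: .*' | head -n1
}

W=$(mktemp -d)
make_test_cert "$W"
to_p12 "$W"
from_p12 "$W"
friendly_name "$W/dop.p12"
key_matches_cert "$W/dop.pem" "$W/dop.key.pem"
```

The same modulus comparison works on the pfx -> pem output above: run cert_modulus on one123456.pem and key_modulus on one123456.key.pem and the two hashes must agree.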

Keytool

cer -> jks

keytool -importcert -file CFCA_RSA_TEST_OCA21.cer -keystore cfca.jks -alias cfca

keytool -importcert -file ca.cer -keystore cfca.jks -alias cfca

keytool -import -alias cfcaalias -file cfca.cer -keystore trusted.keystore

crt -> jks

keytool -import -alias alias -file ca.crt -keypass keypass -keystore ca.jks -storepass 123456 -noprompt

p12 -> jks

keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore ca.jks -deststoretype JKS

Client authentication

curl

curl -k -v --cert ./tls.crt --key ./tls.key https://qmsauthn.paas.service.sd/login

curl -k -v --cert ./authn.crt --key ./authn.key https://qmsauthn.pditdop:6443/login

Note that -k turns off verification of the server certificate; when the server was issued by a private CA as above, --cacert ca.crt keeps that verification on while the client certificate is still presented.