
2016-12-19  Jetsly


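1. SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

The private key is protected by a pass phrase and the server has no way to prompt for it. Write an unencrypted copy of the key and point the server at that copy; keep the file readable only by the server's account:

openssl rsa -in original.key -out unencripted.key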

1. Generating an SSL certificate for IIS

1.1 Generate the root certificate and its private key

openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config openssl.cnf

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mintcode
Organizational Unit Name (eg, section) []:Forstmourne
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:bellliu@mintcode.com

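1.2 Create the supporting files (the relevant settings are in openssl.cnf)

mkdir -p demoCA/newcerts
touch demoCA/index.txt
touch demoCA/serial

vim demoCA/serial   # enter the starting serial number in hex (the run in 1.3 shows 0x1001)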


1.3 Issue the certificate from the certificate request

openssl ca -in certreq.txt -out server.pem -cert cacert.pem -keyfile cakey.pem

Enter pass phrase for cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4097 (0x1001)
            Not Before: Jul 24 02:07:43 2015 GMT
            Not After : Jul 23 02:07:43 2016 GMT
            countryName               = CN
            stateOrProvinceName       = Zhejiang
            organizationName          = Mintcode
            organizationalUnitName    = Forstmourne
            commonName                =
        X509v3 extensions:
            X509v3 Basic Constraints:
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

Certificate is to be certified until Jul 23 02:07:43 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

1.4 Generate the certificate IIS needs

openssl x509 -in server.pem -out server.cer

1.5 Generate the keystore Java needs

keytool -import -file server.cer -keystore server.keystore

2. Generating an SSL certificate with openssl

2.1 Generate the root certificate and its private key

openssl req -new -x509 -days 365000 -keyout cakey.key -out cacert.crt -config openssl.cnf

Generating a 2048 bit RSA private key
writing new private key to 'cakey.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mintcode
Organizational Unit Name (eg, section) []:Forstmourne
Common Name (e.g. server FQDN or YOUR name) []:bell
Email Address []:bellliu@mintcode.com

2.2 Generate the SSL certificate request (CSR) and its private key

openssl req -new -keyout server.key -out server.csr

Generating a 2048 bit RSA private key
writing new private key to 'server.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mintcode
Organizational Unit Name (eg, section) []:Forstmourne
Common Name (e.g. server FQDN or YOUR name) []:bell
Email Address []:bell@mintcode.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mintcode
An optional company name []:mintcode

2.3 Preparation

mkdir demoCA
cd demoCA
mkdir newcerts
touch index.txt
echo '01' > serial
cd ..

2.4 Self-sign (sign the request with the root certificate from 2.1)

openssl ca -in server.csr -out server.crt -cert cacert.crt -keyfile cakey.key -config openssl.cnf

2.5 Generate the keystore Java needs

keytool -import -file server.crt -keystore server.keystore

2.6 Convert crt to pem

openssl x509 -in server.crt -out server.pem -outform PEM
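
Added example, not part of the original post: the section 2 steps run non-interactively in a scratch directory, followed by the checks worth doing before deployment (server.crt chains to cacert.crt, server.crt matches server.key, and whether the key is pass-phrase protected, which is what triggers the error at the top of the page). The pass phrase, the subject names, the 3650-day lifetime and the minimal openssl.cnf are constructed for this demo; the post's own openssl.cnf is not shown.

```shell
#!/bin/sh
# Added example: section 2 run non-interactively, followed by the checks.
# PASS, the subject names and this minimal openssl.cnf are constructed for the demo.
PASS='pass:demo-passphrase'

build_chain() (                      # $1 = empty working directory
  cd "$1" || exit 1
  cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = ./demoCA
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
commonName = supplied
EOF
  mkdir -p demoCA/newcerts && : > demoCA/index.txt && echo '01' > demoCA/serial &&  # 2.3
  openssl req -new -x509 -days 3650 -subj '/CN=Demo Root CA' -passout "$PASS" \
    -keyout cakey.key -out cacert.crt -config openssl.cnf &&                        # 2.1
  openssl req -new -subj '/CN=bell' -passout "$PASS" \
    -keyout server.key -out server.csr -config openssl.cnf &&                       # 2.2
  openssl ca -batch -passin "$PASS" -in server.csr -out server.crt \
    -cert cacert.crt -keyfile cakey.key -config openssl.cnf                         # 2.4
)

key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }   # pass-phrase protected PEM key?

check_chain() (                      # non-zero exit if any check fails
  cd "$1" || exit 1
  openssl verify -CAfile cacert.crt server.crt >/dev/null 2>&1 || { echo 'chain: FAIL'; exit 1; }
  cert_pub=$(openssl x509 -in server.crt -noout -pubkey)
  key_pub=$(openssl pkey -in server.key -passin "$PASS" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || { echo 'key/cert: MISMATCH'; exit 1; }
  echo 'chain OK, key matches certificate'
)

work=$(mktemp -d) && build_chain "$work" && check_chain "$work"
```

If key_is_encrypted reports true for the key a server is configured to load, that server must either be given the pass phrase or be pointed at an unencrypted copy as in item 1.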

