生成openssl && gnutls keys
😄 @by sizaif
📆 2021-05-17 20:36:00
[TOC]
OpenSSL
代码
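#!/usr/bin/env bash
# Generate an OpenSSL demo CA plus server/client keys and certificates, then
# import them into a Java keystore and an NSS (Netscape) certificate database.
#
# Requires: openssl, CA.pl (ships with openssl), keytool (JDK), certutil and
# pk12util (NSS tools). Run from an empty working directory: CA.pl creates
# ./demoCA there and `openssl ca` reads and updates it. CA.pl, `openssl req`
# and certutil -N still prompt interactively for DN fields and passphrases.
set -euo pipefail

# RSA modulus size for the server and client keys. The original listing used
# 1024, which is below the generally accepted minimum (NIST has disallowed
# 1024-bit RSA for signing since 2013, and recent keytool versions warn when
# importing such keys); 2048 is the smallest size worth generating today.
readonly KEY_BITS=${KEY_BITS:-2048}
# Password shared by the PKCS#12 bundles, the Java keystore and its key entries.
# It is passed on the command line, so it is visible to `ps` and lands in shell
# history; fine for a test setup, not for a production secret.
readonly STORE_PASS=${STORE_PASS:-changeit}
# CA certificate written by `CA.pl -newca`. The original listing referred to
# ./ca.crt, which CA.pl does not create; demoCA/cacert.pem is the file it produces.
readonly CA_CERT=${CA_CERT:-demoCA/cacert.pem}
readonly CA_PL=/usr/lib/ssl/misc/CA.pl

#######################################
# Generate 2048-bit DH parameters (generator 5) into dhparams.pem.
# Outputs: dhparams.pem (PEM)
#######################################
gen_dh_params() {
  openssl dhparam -outform PEM -out dhparams.pem -5 2048
}

#######################################
# Create the demo CA directory (./demoCA) with CA.pl.
# Prompts interactively for the CA passphrase and subject.
#######################################
gen_ca() {
  "$CA_PL" -newca
}

#######################################
# Generate an RSA key and CSR, then have the demo CA sign it.
# Arguments: $1 - basename of the output files (server, client)
# Outputs:   $1.key, $1.req, $1.crt in the current directory
#######################################
gen_signed_cert() {
  local name=$1
  # -nodes leaves the private key unencrypted on disk. That is what the
  # original listing did; drop it (and answer the passphrase prompt) whenever
  # the key is more than a test fixture.
  openssl req -newkey "rsa:${KEY_BITS}" -nodes -keyout "${name}.key" -out "${name}.req"
  # -infiles consumes every remaining argument, so it must stay last.
  openssl ca -out "${name}.crt" -infiles "${name}.req"
}

#######################################
# Derive a client DH key pair from dhparams.pem.
# Outputs: client_dh.key (private), client_dh.pub (public)
#######################################
gen_client_dh_key() {
  openssl genpkey -paramfile dhparams.pem -out client_dh.key
  openssl pkey -in client_dh.key -pubout -out client_dh.pub
  # Issuing a certificate over the DH public key needs -force_pubkey. The
  # original listing kept this step (and the matching pkcs12/keytool import of
  # client_dh.crt under alias clientdh) disabled, so it stays disabled here:
  #   openssl x509 -req -in client.req -CAkey demoCA/private/cakey.pem \
  #     -CA "$CA_CERT" -force_pubkey client_dh.pub -out client_dh.crt \
  #     -CAcreateserial -extensions v3_req -extfile ./openssl.cnf
}

#######################################
# Bundle $1.crt and $1.key into a PKCS#12 file and import it into ./keystore.
# Arguments: $1 - entry name, used as the PKCS#12 friendly name and keystore alias
# Outputs:   $1.p12; keystore is created on the first import
#######################################
import_into_java_keystore() {
  local name=$1
  # -passout makes the export non-interactive with the same password keytool
  # is given below; the original listing relied on typing it at the prompt.
  openssl pkcs12 -export -in "${name}.crt" -inkey "${name}.key" -out "${name}.p12" \
    -name "$name" -CAfile "$CA_CERT" -caname root -passout "pass:${STORE_PASS}"
  keytool -importkeystore -srckeystore "${name}.p12" -srcstoretype PKCS12 \
    -srcstorepass "$STORE_PASS" -destkeystore keystore \
    -deststorepass "$STORE_PASS" -destkeypass "$STORE_PASS" -alias "$name"
}

#######################################
# Create an NSS database in the current directory and load the CA, server and
# client certificates plus the matching PKCS#12 bundles.
# certutil -N prompts for the database password.
#######################################
import_into_nss_db() {
  certutil -N -d .
  # -t TC marks the CA as trusted to issue server and client certificates;
  # -t P marks a trusted peer certificate.
  certutil -A -n ca -i "$CA_CERT" -d . -t TC
  certutil -A -n server -i server.crt -d . -t P
  pk12util -d . -i server.p12 -W "$STORE_PASS"
  certutil -A -n client1 -i client.crt -d . -t P
  pk12util -d . -i client.p12 -W "$STORE_PASS"
}

main() {
  gen_dh_params
  gen_ca
  gen_signed_cert server
  gen_signed_cert client
  gen_client_dh_key
  import_into_java_keystore server
  import_into_java_keystore client
  import_into_nss_db
}

main "$@"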
GnuTLS
代码
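#!/usr/bin/env bash
# Generate a GnuTLS test CA plus server/client keys and certificates with
# certtool, then bundle the client and server entries into PKCS#12 files and
# import them into a Java keystore.
#
# Requires: certtool (gnutls-bin) and keytool (JDK). The original notes opened
# each template in vim; here they are written with here-documents so the whole
# sequence runs unattended.
set -euo pipefail

# Password for the PKCS#12 bundles and the Java keystore. It is passed on the
# command line to certtool and keytool, so it is visible to `ps` and ends up in
# shell history; acceptable for a test setup only.
readonly STORE_PASS=${STORE_PASS:-123456}

#######################################
# Write the CA template. `ca` makes the certificate a CA; the *_signing_key
# options set the key-usage bits needed to sign certificates and CRLs.
# Outputs: ca.tmpl
#######################################
write_ca_template() {
  cat > ca.tmpl <<'EOF'
cn = "GnuTLS test CA"
organization = "TLSTest"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
}

#######################################
# Write the server template (TLS server usage, signing + encryption).
# Outputs: server.tmpl
#######################################
write_server_template() {
  cat > server.tmpl <<'EOF'
cn = "GnuTLS test server"
organization = "TLSTest"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF
}

#######################################
# Write the client template (TLS client usage, signing + encryption).
# The original listing left the cn unquoted and repeated tls_www_client twice;
# both are fixed here so the file matches the other two templates.
# Outputs: client.tmpl
#######################################
write_client_template() {
  cat > client.tmpl <<'EOF'
cn = "GnuTLS test client"
tls_www_client
encryption_key
signing_key
EOF
}

#######################################
# Generate a private key (certtool writes PEM to stdout).
# Arguments: $1 - output file
#######################################
gen_privkey() {
  certtool --generate-privkey > "$1"
}

#######################################
# Self-sign the CA certificate from x509-ca-key.pem and ca.tmpl.
# Outputs: x509-ca.pem
#######################################
gen_ca_cert() {
  certtool --generate-self-signed --load-privkey x509-ca-key.pem \
    --template ca.tmpl --outfile x509-ca.pem
}

#######################################
# Issue a CA-signed certificate from a key and template.
# Arguments: $1 - entry name (server, client); reads x509-$1-key.pem and $1.tmpl
# Outputs:   x509-$1.pem
#######################################
gen_signed_cert() {
  local name=$1
  certtool --generate-certificate --load-privkey "x509-${name}-key.pem" \
    --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
    --template "${name}.tmpl" --outfile "x509-${name}.pem"
}

#######################################
# Bundle a key, certificate and the CA certificate into a DER PKCS#12 file and
# import it into ./keystore.
# Arguments: $1 - entry name, used as the PKCS#12 friendly name and keystore alias
# Outputs:   x509-$1.p12; keystore is created on the first import
#######################################
import_into_java_keystore() {
  local name=$1
  # --p12-name/--password replace the interactive prompts the original notes
  # answered by hand ("name: client/server, password: 123456"), so the alias
  # and password used by keytool below are guaranteed to match.
  certtool --to-p12 --load-ca-certificate x509-ca.pem \
    --load-privkey "x509-${name}-key.pem" --load-certificate "x509-${name}.pem" \
    --p12-name "$name" --password "$STORE_PASS" \
    --outder --outfile "x509-${name}.p12"
  keytool -importkeystore -srckeystore "x509-${name}.p12" -srcstoretype PKCS12 \
    -srcstorepass "$STORE_PASS" -destkeystore keystore \
    -deststorepass "$STORE_PASS" -alias "$name"
}

main() {
  gen_privkey x509-ca-key.pem
  write_ca_template
  gen_ca_cert
  gen_privkey x509-server-key.pem
  write_server_template
  gen_signed_cert server
  gen_privkey x509-client-key.pem
  write_client_template
  gen_signed_cert client
  # Same order as the original notes: client bundle first, then server.
  import_into_java_keystore client
  import_into_java_keystore server
}

main "$@"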