C++和java間進行SSL通信遇到了些問題,下面是解決方案。使用了Keytoo和OpenSSL兩個工具。TARGETNAME改成要生成的文件名,PASSPHRASE就是密碼。
基礎的OpenSSL操作可以參考前文:
安裝:http://daniex.info/windows-install-openssl.html
生成證書:http://daniex.info/generated-with-the-openssl-command-to-create-self-signed-certificates-and.html
代碼: http://daniex.info/examples-of-procedures-to-establish-ssl-connection-openssl.html
生成私鑰
Keytool –certreq –alias client –sigalg SHA1withRSA –file TARGETNAME.csr -keypass PASSPHRASE –storepass PASSPHRASE –keystore TARGETNAME.jks
生成證書
Openssl ca –in TARGETNAME.csr –out TARGETNAME.crt –cert demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -notext
轉換證書格式
Openssl x509 –in TARGETNAME.crt –out TARGETNAME.der –outform DER
轉換根幀數格式
Openssl x509 –in demoCA/cacert.pem –out demoCA/cacert.der –outform DER
將根證書加入私鑰
Keytool –import –v –trustcacerts –alias ca_root –file demoCA/cacert.der –storepass PASSPHRASE –keystore TARGETNAME.jks
將證書加入私鑰
Keytool –import –v –alias client –file TARGETNAME.der –storepass PASSPHRASE –keystore TARGETNAME.jks
創建jks文件並加入根證書
Keytool –import –alias ca_root –file demoCA/cacert.der –keystore TARGETNAMETrust.jks
更詳細的可以參考下文,來源;http://blog.csdn.net/platformlib/archive/2007/03/09/1525119.aspx
1、OpenSSL實踐
工作中需要配置使用SSL來雙向認證並通信的FTP服務器,以OpenSSL和Java的keytool為例,來完成證書的制作:
d:\openssl\mkcerts>openssl genrsa -out ca.key 1024
創建CA私鑰
Loading ‘screen’ into random state – done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
………………………………………………………….++++++
………….++++++
e is 65537 (0×10001)
d:\openssl\mkcerts>openssl req -new -days 3650 -x509 -key ca.key -out cacert.pem -config openssl.cnf
創建CA自簽名證書(使用上一步創建的CA私鑰來簽名)
Using configuration from openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chelseafc
Organizational Unit Name (eg, section) []:FTPTest
Common Name (eg, YOUR name) []:CHELSEA
Email Address []:[email protected]
d:\openssl\mkcerts>openssl genrsa -des3 -out server.key 1024
創建服務器私鑰
Loading ‘screen’ into random state – done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
…………..++++++
.++++++
e is 65537 (0×10001)
Enter PEM pass phrase:
Verifying password – Enter PEM pass phrase:
d:\openssl\mkcerts>openssl rsa -in server.key -out serverkey.pem
加密服務器私鑰(保護私鑰信息)
read RSA key
Enter PEM pass phrase:
writing RSA key
d:\openssl\mkcerts>openssl req -new -days 3650 -key server.key -out server.csr-config openssl.cnf
創建申請服務器所需證書的請求
Using configuration from openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) [] :BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Chelseafc
Organizational Unit Name (eg, section) []: FTPTest
Common Name (eg, YOUR name) []: CHELSEA
Email Address []: [email protected]
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
d:\openssl\mkcerts>openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in server.csr -out server.pem -config openssl.cnf
CA簽署服務器證書(需要CA私鑰和序列號文件demoCA/serial, demoCA/index.txt)
Using configuration from openssl.cnf
Loading ‘screen’ into random state – done
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName : PRINTABLE:’CN’
stateOrProvinceName : PRINTABLE:’BEIJING’
localityName : PRINTABLE:’BEIJING’
organizationName : PRINTABLE:’Chelseafc’
organizationalUnitName: PRINTABLE:’FTPTest’
commonName : PRINTABLE:’CHELSEA’
emailAddress : IA5STRING:’[email protected]’
Certificate is to be certified until Oct 26 03:01:33 2006 GMT (365 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
d:\openssl\mkcerts>openssl x509 -in server.pem -out server.crt
轉換格式
d:\openssl\mkcerts>openssl x509 -in demoCA/cacert.pem -out demoCA/cacert.crt
轉換格式
d:\openssl\mkcerts>keytool -genkey -keyalg RSA -alias ftpsconnector -keystore ftps.jks -storepass changeit -storetype jks
產生Java客戶端私鑰文件
您的名字與姓氏是什麼?
[Unknown]: CHELSEA
您的組織單位名稱是什麼?
[Unknown]: FTPTest
您的組織名稱是什麼?
[Unknown]: Chelseafc
您所在的城市或區域名稱是什麼?
[Unknown]: BEIJING
您所在的州或省份名稱是什麼?
[Unknown]: BEIJING
該單位的兩字母國家代碼是什麼
[Unknown]: CN
CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING, ST=BEIJING, C=CN 正確嗎?
[否]: Y
輸入<ftpsconnector>的主密碼
(如果和 keystore 密碼相同,按回車):
d:\openssl\mkcerts>keytool -certreq -alias ftpsconnector -keyalg RSA -file ftpsconnector.csr -keystore ftps.jks
產生Java客戶端證書請求
輸入keystore密碼: changeit
d:\openssl\mkcerts>openssl ca -days 3650 -keyfile ca.key -cert cacert.pem -outdir . -in ftpsconnector.csr -out ftpsconnector.pem -config openssl.cnf
CA簽署Java客戶端證書
Using configuration from openssl.cnf
Loading ‘screen’ into random state – done
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName : PRINTABLE:’CN’
stateOrProvinceName : PRINTABLE:’BEIJING’
localityName : PRINTABLE:’BEIJING’
organizationName : PRINTABLE:’Chelseafc’
organizationalUnitName: PRINTABLE:’FTPTest’
commonName : PRINTABLE:’CHELSEA’
Certificate is to be certified until Oct 26 03:05:08 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
d:\openssl\mkcerts>openssl x509 -in ftpsconnector.pem -out ftpsconnector.cer
轉換格式
d:\openssl\mkcerts>keytool -import -alias root -trustcacerts -file demoCA/cacert.crt -keystore ftps.jks
導入CA證書到jks文件並信任之(由此CA所簽署的所有證書也因此在信任之列)
輸入keystore密碼: changeit
Owner: [email protected], CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING, S
T=BEIJING, C=CN
發照者: [email protected], CN=CHELSEA, OU=FTPTest, O=Chelseafc, L=BEIJING,
ST=BEIJING, C=CN
序號: 0
有效期間: Wed Oct 26 10:55:43 CST 2005 至: Sat Oct 24 10:55:43 CST 2015
認證指紋:
MD5: 85:21:11:10:26:4A:CD:01:55:B7:47:DF:0D:58:AA:A3
SHA1: 91:74:88:03:B7:5C:E4:BD:27:1F:27:BF:10:23:0A:BA:2C:42:13:2B
信任這個認證? [否]: y
認證已添加至keystore中
d:\openssl\mkcerts>keytool -import -alias ftpsconnector -trustcacerts -file ftpsconnector.cer -keystore ftps.jks
導入自己的證書到jks文件(至此,此jks文件包括了建立SSL連接所需所有信息)
輸入keystore密碼: changeit
認證回復已安裝在 keystore中
其它OpenSSL命令舉例
openssl pkcs12 -export -clcerts -in client.pem -inkey clientkey.pem -out client.p12
openssl pkcs8 -inform PEM -nocrypt -in abcwebnet-pkcs8.key -out abcwebnet.key
openssl pkcs12 -export -out abcwebnet.pfx -inkey abcwebnet.key -in abcwebnet-pem.crt
… …
2、keytool實踐
keystore這個名字其實有點誤導,應該是CertStore,可以同時包含兩種信息:自己的keyEntry,和trusted cert entry.(自然包括自己的私鑰公鑰和信任的公鑰了)(有時會分開,信任的證書存儲在單獨的文件中)
keystore可以有兩類密碼,一個是保護這個文件的(storepass),一種是保護文件裡每一個key的(keypass)
可以為每個key指定alias,然後使用alias來引用或訪問對應的key
Example:
rem 創建客戶端keystore
keytool -genkey -keyalg RSA -keystore client.jks -storetype jks -storepass client -alias client_rsa -keypass client_rsa -dname “CN=Client, OU=IBM, C=US” -keysize 1024 -validity 1460
rem 創建服務端keystore
keytool -genkey -keyalg RSA -keystore server.jks -storetype jks -storepass server -alias server_rsa -keypass server_rsa -dname “CN=Server, OU=IBM, C=US” -keysize 1024 -validity 1460
rem 從客戶端keystore中導出通用格式的證書,以備導入到服務端keystore
keytool -export -keystore client.jks -storetype jks -storepass client -alias client_rsa -file client_rsa.cer
rem 從服務端keystore中導出通用格式的證書,以備導入到客戶端keystore
keytool -export -keystore server.jks -storetype jks -storepass server -alias server_rsa -file server_rsa.cer
rem 導入客戶端證書到服務端keystore(此動作的後果是使服務端信任客戶端)
keytool -import -noprompt -keystore server.jks -storetype jks -storepass server -alias client_rsa -file client_rsa.cer
rem 導入服務端證書到客戶端keystore(此動作的後果是使客戶端信任服務端)
keytool -import -noprompt -keystore client.jks -storetype jks -storepass client -alias server_rsa -file server_rsa.cer
rem 列出客戶端keystore包含的信息供查看
keytool -list -keystore client.jks -storepass client -v
rem 列出服務端keystore包含的信息供查看
keytool -list -keystore server.jks -storepass server -v
