(An introductory note; experts can smile and move on.)
While learning how certificates are generated, we come across two tools: openssl and keytool.
Looking further, we find that either tool on its own can generate a certificate.
So what is the difference between the certificates they generate?
The difference between the digital certificate management tools keytool and openssl
In one sentence: keytool cannot issue certificates, while openssl can issue certificates and manage certificate chains.
Therefore, a certificate "issued" by keytool is only a self-signed certificate.
Self-signed certificate
A self-signed certificate only guarantees that the certificate is complete and has not been illegally modified. It cannot guarantee whom the certificate belongs to.
Self-signed certificates are troublesome in practice: for every server a client connects to, the client must keep a copy of that server's certificate for verification. And once a server's certificate is replaced, all clients need to redeploy these copies.
In other words, a self-signed certificate lets those who already accept you keep accepting you. But if you change anything at all, everyone who accepted you before has to accept you all over again.
For relatively large applications, this is unacceptable.
So we need a certificate chain for mutual (two-way) authentication.
keytool has no way to build a certificate chain; for that we need openssl.
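The difference between the two models, shown with openssl as an added example that is not part of the original post: a client that keeps a copy of a self-signed server certificate rejects the replacement certificate, while a client that trusts only the CA certificate accepts both the old and the new one. The subject names, file names and helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Subject and file names are constructed.
SRV="/CN=server.example.test"
CA="/CN=Example Test CA"

# self_signed PREFIX SUBJECT: new key plus a certificate signed by that same key.
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issued PREFIX CA_PREFIX: new key and CSR, then a certificate signed by the CA key.
issued() {
  openssl req -newkey rsa:2048 -nodes -subj "$SRV" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 1 -out "$1.crt" 2>/dev/null
}

# verdict ANCHOR CERT: would a client that trusts only ANCHOR accept CERT?
verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

run_demo() {
  d=$(mktemp -d) || return 1
  # Self-signed model: each client stores a copy of the server certificate.
  self_signed "$d/self_old" "$SRV" || return 1
  self_signed "$d/self_new" "$SRV" || return 1   # server replaces its certificate
  # Chain model: each client stores only the CA certificate.
  self_signed "$d/ca" "$CA" || return 1          # the root itself is self-signed
  issued "$d/srv_old" "$d/ca" || return 1
  issued "$d/srv_new" "$d/ca" || return 1        # replacement, signed by the same CA
  echo "copy of old cert: old=$(verdict "$d/self_old.crt" "$d/self_old.crt")" \
       "new=$(verdict "$d/self_old.crt" "$d/self_new.crt")"
  echo "CA cert only:     old=$(verdict "$d/ca.crt" "$d/srv_old.crt")" \
       "new=$(verdict "$d/ca.crt" "$d/srv_new.crt")"
  rm -rf "$d"
}

run_demo
```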
The purpose of keytool
Since keytool can only self-sign, what is it for?
keytool is really the JDK's way of giving us certificates that the JDK can recognize.
So our main purpose in using keytool is this: to make certificates usable by programs written in Java.