Using OpenSSL under Windows

1. Download address
2. Installation
The installation directory is: C:\Program Files (x86)\GnuWin32
3. Set environment variables
Append ";C:\Program Files (x86)\GnuWin32\bin" to the PATH variable.
Create a new variable: OPENSSL_CONF=C:\Program Files (x86)\GnuWin32\share\openssl.cnf

4. Create relevant directories and files
I am working under D:/openssl; the structure is as follows:
├─demoCA (the directory name given in the configuration file; it stores some of the CA's information)
│ │ index.txt (text database; it is updated after a certificate is issued)
│ │ serial (serial number file; initialise it with 1 or another number)
│ │
│ └─newcerts (empty directory)
├─test (used to store application certificates, etc.)
├─testCA (used to store CA, etc.)
5. Commands
# Generate the root certificate private key
openssl genrsa -des3 -out testCA/ca.key 2048
# Issue the root certificate
openssl req -new -x509 -days 3650 -key testCA/ca.key -out testCA/ca.crt -subj "/C=CN/ST=beijing/L=chaoyang/O=test/OU=test/CN=test-ca"
# Convert the root certificate to PKCS#12
openssl pkcs12 -export -inkey testCA/ca.key -in testCA/ca.crt -out testCA/ca.p12
# Use keytool's -importkeystore command to convert the keystore from PKCS#12 to JKS
keytool -v -importkeystore -srckeystore testCA/ca.p12 -srcstoretype PKCS12 -destkeystore testCA/ca.jks -deststoretype JKS
# Generate the server private key
openssl genrsa -des3 -out test/test.key 2048
# Generate the server certificate signing request
openssl req -new -key test/test.key -out test/test.csr -subj "/C=CN/ST=beijing/L=chaoyang/O=test/OU=test/CN=127.0.0.1"
# Sign the server certificate with the CA
openssl ca -in test/test.csr -out test/test.crt -cert testCA/ca.crt -keyfile testCA/ca.key
# Convert the server certificate to PKCS#12
openssl pkcs12 -export -inkey test/test.key -in test/test.crt -out test/test.p12
# Use keytool's -importkeystore command to convert the keystore from PKCS#12 to JKS
keytool -v -importkeystore -srckeystore test/test.p12 -srcstoretype PKCS12 -destkeystore test/test.jks -deststoretype JKS
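
The layout from step 4 and a check of the result of step 5, as a PowerShell example added here (it is not part of the original post). It assumes openssl.exe is on PATH as set in step 3 and that openssl.cnf uses the default ./demoCA directory; the verify and x509 calls at the end are additions.

```powershell
# Added example: prepares the D:\openssl layout from step 4 and checks the output of step 5.
# Assumptions: openssl.exe is on PATH (step 3); openssl.cnf keeps the default dir = ./demoCA.
$ErrorActionPreference = 'Stop'
$root = 'D:\openssl'

# Directories from the tree in step 4 (-Force makes this safe to re-run).
foreach ($dir in 'demoCA\newcerts', 'test', 'testCA') {
    New-Item -ItemType Directory -Force -Path (Join-Path $root $dir) | Out-Null
}

# index.txt must start as an empty file; never truncate an existing database.
$index = Join-Path $root 'demoCA\index.txt'
if (-not (Test-Path $index)) { New-Item -ItemType File -Path $index | Out-Null }

# serial holds the next serial number in hex with an even number of digits ("01", not "1").
# Write it as ASCII: the UTF-16 output of ">" in Windows PowerShell is not readable by openssl.
$serial = Join-Path $root 'demoCA\serial'
if (-not (Test-Path $serial)) { Set-Content -Path $serial -Value '01' -Encoding ascii }

# After running the commands in step 5, confirm that test.crt chains to the test CA
# and print who it was issued to, who issued it, and its validity period.
Set-Location $root
if (Test-Path 'test\test.crt') {
    & openssl verify -CAfile testCA/ca.crt test/test.crt
    if ($LASTEXITCODE -ne 0) { throw 'test.crt does not verify against testCA/ca.crt' }
    & openssl x509 -in test/test.crt -noout -subject -issuer -dates
}
```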
 
6. Detailed explanation
genrsa: the command that generates an RSA key
req: the command that generates a certificate signing request
x509: the command that issues certificates in X.509 format
-days specifies the number of days the certificate is valid
-new means a new request
-key specifies the key file
-in specifies the input file
-out specifies the output file
-subj specifies the subject (user) information; a wildcard domain name such as "*.xxxxxx.com" can be used
pkcs12: the command for certificates in PKCS#12 format
-export means to export the certificate
-cacerts means to export only CA certificates
-inkey specifies the input key
 
Use keytool's -importkeystore command to convert the keystore format from PKCS#12 to JKS.
keytool -v -importkeystore -srckeystore testCA/ca.p12 -srcstoretype PKCS12 -srcstorepass 123456 -destkeystore testCA/ca.jks -deststoretype JKS -deststorepass 123456
-importkeystore imports a keystore; by setting the source and destination formats, the PKCS#12 file can be converted to JKS format
-v shows details
-srckeystore source keystore
-srcstoretype source keystore format, here PKCS12
-srcstorepass source keystore password, here 123456
-destkeystore destination keystore
-deststoretype destination keystore format, here JKS (the default is the same)
-deststorepass destination keystore password, here 123456
 
