Java keytool to generate a CA certificate

Using keytool to generate a certificate

Verify whether a certificate with the same name has already been created:
keytool -list -v -alias tomcat -keystore "%JAVA_HOME%/JRE/LIB/SECURITY/CACERTS" -storepass changeit
Delete the created certificate:
keytool -delete -alias tomcat -keystore "%JAVA_HOME%/JRE/LIB/SECURITY/CACERTS" -storepass changeit

Create a certificate
1. Generate a certificate on the server. (Note: when generating the certificate, the CN should be the same as the domain name of the server. If testing locally, use localhost.)
keytool -genkey -alias tomcat -keyalg RSA -keystore d:\mykeystore -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" -keypass changeit -storepass changeit
2. Export the certificate, to be installed by the client:
keytool -export -alias tomcat -keystore d:\mykeystore -file d:\mycerts.cer -storepass changeit
3. Client configuration: import the key for the client's JVM (import the certificate issued by the server into the JVM):
keytool -import -trustcacerts -alias tomcat -keystore "%JAVA_HOME%/JRE/LIB/SECURITY/CACERTS" -file d:\mycerts.cer -storepass changeit

Common exception: "No trusted certificate was found". The main cause is that the client did not import the certificate issued by the server into the JVM. You can use
keytool -list -alias tomcat -keystore "%JAVA_HOME%/JRE/LIB/SECURITY/CACERTS" -storepass changeit
to see whether the certificate has actually been imported into the JVM.
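
The three steps and the import check above, as an added example in POSIX shell (not code from the original post): it imports the server certificate into a separate client truststore instead of the JVM-wide cacerts, and confirms the import by comparing the stored certificate with the exported file. The temporary directory, the client-truststore file name, the passwords and the two function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Passwords, file names and function names are constructed for
# the demo; they are not from the original post.
KS_PASS='demo-keystore-pass'      # server keystore password (constructed)
TS_PASS='demo-truststore-pass'    # client truststore password (constructed)

# Steps 1-3 of the page, run inside directory $1. The certificate is imported
# into a separate client truststore, leaving the JVM-wide cacerts untouched.
build_stores() {
  dir=$1
  # 1. Server key pair (-genkeypair is the current name of -genkey).
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 180 \
    -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" \
    -keystore "$dir/mykeystore" -storepass "$KS_PASS" -keypass "$KS_PASS" \
    >/dev/null 2>&1 || return 1
  # 2. Export the certificate only; the private key stays in mykeystore.
  keytool -exportcert -alias tomcat -keystore "$dir/mykeystore" \
    -storepass "$KS_PASS" -file "$dir/mycerts.cer" >/dev/null 2>&1 || return 1
  # 3. Import it as a trusted entry into the client's own truststore.
  keytool -importcert -noprompt -alias tomcat -file "$dir/mycerts.cer" \
    -keystore "$dir/client-truststore" -storepass "$TS_PASS" >/dev/null 2>&1
}

# Returns 0 only if truststore $1 (password $2) holds, under alias $3, exactly
# the certificate stored in file $4. A missing alias, wrong password or
# different certificate all return 1.
truststore_has_cert() {
  tmp=$(mktemp) || return 1
  if keytool -exportcert -alias "$3" -keystore "$1" -storepass "$2" \
       -file "$tmp" >/dev/null 2>&1 && cmp -s "$tmp" "$4"; then
    rc=0
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Demo run (needs a JDK on PATH); works in a throwaway directory.
if command -v keytool >/dev/null 2>&1; then
  work=$(mktemp -d) && build_stores "$work" &&
    truststore_has_cert "$work/client-truststore" "$TS_PASS" tomcat \
      "$work/mycerts.cer" && echo "tomcat certificate is in the truststore"
  rm -rf "$work"
fi
```

A client JVM is pointed at such a truststore with the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties.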

Keytool is a Java digital certificate management tool.

keystore

Keytool stores keys and certificates in a file called a keystore. A keystore contains two kinds of data:
Key entries: a secret key, or a private key and its paired public key (using asymmetric encryption)
Trusted certificate entries: contain only the public key

Alias

Each entry in the keystore is associated with a unique alias, which is usually case-insensitive.

Storage location of the keystore

If the generation location is not specified, the keystore is created in the user's system default directory. For example, on Windows XP it is generated in C:\Documents and Settings\UserName\ with the file name ".keystore".

keystore generation

keytool -genkey -alias tomcat -keyalg RSA -keystore d:\mykeystore -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" -keypass changeit -storepass changeit -validity 180

Parameter description:
-genkey: indicates that a new key is to be created
-dname: the Distinguished Name of the key (CN=commonName, OU=organizationUnit, O=organizationName, L=localityName, S=stateName, C=country); the Distinguished Name indicates the identity of the issuer of the key
-keyalg: the encryption algorithm to use, here RSA
-alias: the alias of the key
-keypass: the private key password, here set to changeit
-keystore: the key is stored in the mykeystore file in the D: drive directory
-storepass: the access password, here set to changeit; with this password the system can read the information in the mykeystore file
-validity: the key is valid for 180 days (90 days by default)

The cacerts Certificates File

The certificate file exists in the java.home\lib\security directory and is the CA certificate store of the Java system.

The generated certificate can be delivered to client users for SSL communication, or used for publisher authentication with electronically signed jar packages.








HTTPS site uses weak ciphers:

Symptom: When browsing an HTTPS site configured to use a weak cipher (40-bit/56-bit encryption) on Windows Vista, an error page is displayed.

Reason: In Windows Vista, weak ciphers are disabled by default, and only strong ciphers are enabled.

Select the encryption method RSA when generating the certificate.

Solution: There is no solution for the visitor other than to wait for the HTTPS site administrator to change the weak cipher the site uses.

The following error occurred when keytool generated the root certificate:

keytool错误:java.io.IOException:keystore was tampered with,or password was incorrect

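The cause may be an existing .keystore file in your home directory. If it exists, delete it and run the command again.

Or delete "%JAVA_HOME%/JRE/LIB/SECURITY/CACERTS" and execute again (this file is the Java system's CA certificate store, so keep a copy before deleting it).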
