Prerequisite: install openssl. (I installed Win32OpenSSL-1_0_2a.exe)
1. First, the server private key to be generated (key file):
C: \-the OpenSSL the Win32 \ bin \ OpenSSL genrsa--out-des3-server.key- 2048
method for removing the certificate password:
C: \-the OpenSSL the Win32 \ bin \ OpenSSL RSA -in server.key -out server.key
form non-cryptographic certificate key
C: \-the OpenSSL the Win32 \ bin \ OpenSSL genrsa--out server.key- 2048
Note: Microsoft 1024bit certificate key is smaller than the limit, so the key length should be greater than 1024, 2048 recommended
C:\OpenSSL-Win32\bin\openssl req -new -key server.key -out server.csr -config C:\OpenSSL-Win32\bin\openssl.cfg
Note: When specifying Common Name, enter the server machine name or IP
If you want a certificate to bind multiple IP addresses or domain names, you can use subjectAltName
Reference: http: //apetec.com/support/GenerateSAN-CSR.htm
This article has been copied to the last.
3. Generate the document CA
C:\OpenSSL-Win32\bin\openssl req -new -x509 -keyout ca.key -out ca.crt -config C:\OpenSSL-Win32\bin\openssl.cfg
4. Create the following directories and files in the current directory
demoCA -> Folder
demoCA / newcerts / -> Folder
demoCA / index.txt -> Empty file
demoCA / serial -> file contents on two characters: 01
5. CA certificate generated signature file just generated server.csr
C:\OpenSSL-Win32\bin\openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config C:\OpenSSL-Win32\bin\openssl.cfg
Thus generated certificate's serial number is 01, if the above steps are repeated with a different certificate generation server CA certificates that will have the same serial number 01.
This SEC_ERROR_REUSED_ISSUER_AND_SERIAL errors in the Firefox browser.
Ways to improve:
Delete demoCA / serial file, adding a parameter later openssl ca-create_serial,这样就会生成一个随机的128bits的序列号,基本上能避免上述错误。
ca.crt
ca.key
server.crt
server.csr
server.key
which, server.crt, server.csr, server.key can use to create our website https
The following warnings when you do not want the browser to visit our https site, you can double-click ca.crt import it into the "Trusted Root Certification Authorities" button.
Chrome Your connection is not private NET :: ERR_CERT_AUTHORITY_INVALID
IE security certificate problems of this site
Firefox has its own certificate manager, so it is necessary to import Firefox, ca.crt
Options -> Advanced -> Certificates -> View Certificates
Select the "Certificate Authority", click "Import" button
When you import a certificate, check all three trust settings.
6. pkcs12 certificate into keystore
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype PKCS12 -destkeystore tomcat.keystore -deststoretype JKS
View Certificate
keytool -list -keystore tomcat.keystore -v
7.TOMCAT setting:
Generally only need to set: keystoreFile = "conf / tomcat.keystore" keystorePass = "xxx"
But if the keystore password and certificate passwords do not match
The need for additional set: keystoreFile = "conf / tomcat.keystore" keystorePass = "xxx" keyPass = "yyy"
Otherwise, errors occur when tomcat starts: java.security.UnrecoverableKeyException: Can not recover key
keystoreFile: can specify an absolute path can be specified relative path (relative CATALINA_HOME)
keystorePass: keystore password
keyPass: password certificate
Note that the above case property names!
Multiple Names on One Certificate
Configuring ssl requests with SubjectAltName with opensslWith Multiple Domain Certificates you can secure a larger number of domains with only one certificate. Subject Alternative Names are a X509 Version 3 (RFC 2459) extension to allow an SSL certificate to specify multiple names that the certificate should match. SubjectAltName can contain email addresses, IP addresses, regular DNS host names, etc. This uses an SSL feature called SubjectAlternativeName (or SAN, for short). Generate the Certificate Request FileFor a generic SSL certificate request (CSR), openssl doesn't require much fiddling. Since we're going to add a SAN or two to our CSR, we'll need to add a few things to the openssl conf file. You need to tell openssl to create a CSR that includes x509 V3 extensions and you also need to tell openssl to include a list of subject alternative names in your CSR. Create an openssl configuration file which enables subject alternative names (openssl.cnf):In the [req] section. This is the section that tells openssl what to do with certificate requests (CSRs). [req] distinguished_name = req_distinguished_name req_extensions = v3_req This tells openssl to include the v3_req section in CSRs.
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MN
localityName = Locality Name (eg, city)
localityName_default = Minneapolis
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Control Validated
commonName = Internet Widgits Ltd
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kb.example.com
DNS.2 = helpdesk.example.org
DNS.3 = systems.example.net
IP.1 = 192.168.1.1
IP.2 = 192.168.69.14 Note that whatever we put here will appear on all CSRs generated from this point on: if at a later date you want to generate a CSR with different SANs, you'll need to edit this file and change the DNS.x entries. Generate a private keyYou'll need to make sure your server has a private key created: openssl genrsa -out san_domain_com.key 2048 Where doman is the FQDN of the server you're using. That's not necessary, BTW, but it makes things a lot clearer later on. Create the CSR fileThen the CSR is generated using: openssl req -new -out san_domain_com.csr -key san_domain_com.key -config openssl.cnf You'll be prompted for information about your organization, and it'll ask if you want to include a passphrase (you don't). It'll then finish with nothing much in the way of feedback. But you can see that san_domain_com.csr has been created. It's nice to check our work, so we can take a look at what the csr contains with the following command: openssl req -text -noout -in san_domain_com.csr You should see some output like below. Note the Subject Alternative Name section: Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=Texas, L=Fort Worth, O=My Company, OU=My Department, CN=server.example Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): blahblahblah Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:kb.example.com, DNS:helpdesk.example.com Signature Algorithm: sha1WithRSAEncryption blahblahblah So now we've got a shiny new CSR. But, of course, we have to sign it. Self-sign and create the certificate:openssl x509 -req -days 3650 -in san_domain_com.csr -signkey san_domain_com.key -out san_domain_com.crt-extensions v3_req -extfile openssl.cnf Package the key and cert in a PKCS12 file:The easiest way to install this into IIS is to first use openssl’s pkcs12 command to export both the private key and the certificate into a pkcs12 file: openssl pkcs12 -export -in san_domain_com.crt -inkey san_domain_com.key -out san_domiain_com.p12 Import the certificateCopy the file over to the server and import it there. You need to import it into the local computer’s certificate store. Open IIS Manager, select your server on right pane, double click Server Certificates, and click Import under Actions on the right pane. Browse to your *.p12 file and enter the p/w (allow cert to be exported checked). Now you can go to one of your servers, edit the “bindings” and select this certificate for SSL. However, you will probably find the “Host name” box greyed out, which is something IIS routinely does for SSL bindings. The fix is simple: Start mmc, add the Certificates snap-in for the local computer, find your certificate under “Personal”, double click on it, go to Details and click “Edit Properties…”. Now you get to add a “friendly name” to the certificate, and there’s the key. Set the name to “*.domain.com” and go back to the IIS Management Console. Vollalla! Now you can edit the Host name. After this fix, you can change the SSL binding for all those web servers to use the same certificate and IP address, and also to use name-based virtual host selection! Configure SSL SettingsConfigure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates. Click the site node in the tree view to go back to the site's home page. Double-click theSSL Settings feature in the middle pane. |