Generate a digital certificate with a certificate chain

2011-09-22  Source: original content of this site  Category: Industry  Popularity: 377

For secure SSL communication where both sides use self-signed certificates, each side has to add the other's certificate to its trusted certificate store. In a typical client/server (C/S) setup, that means adding every client certificate to the server's trust store, which is very inconvenient to manage. A certificate chain solves this: it simplifies management, and new clients can be added without modifying the server's trust store.

1. Download the certificate generation tool XCA from http://sourceforge.net/projects/xca (the latest version is 0.6.3). Many of the published methods use openssl; I find the XCA GUI more to our taste :)

2. Generate the Root CA private key and certificate:
2.1 First generate the RootCA private key -> use the private key to generate a CSR -> generate the self-signed root certificate. It is used to sign the second-level CA certificates.

3. Generate the second-level CAs' private keys and certificates (assuming two second-level CAs, one responsible for managing server certificates and one for client certificates):
3.1 First generate the ServerCA private key -> use the private key to generate a CSR -> sign it with the root certificate to generate a second-level certificate. It is used to sign server certificates.
3.2 First generate the ClientCA private key -> use the private key to generate a CSR -> sign it with the root certificate to generate a second-level certificate. It is used to sign client certificates.

4. Generate the server's and clients' private keys and certificates:
4.1 First generate the ServerA private key -> use the private key to generate a CSR -> sign it with the ServerCA certificate to generate a third-level certificate.
4.2 First generate the ClientA private key -> use the private key to generate a CSR -> sign it with the ClientCA certificate to generate a third-level certificate.
4.3 First generate the ClientB private key -> use the private key to generate a CSR -> sign it with the ClientCA certificate to generate a third-level certificate. Any number (N) of client certificates can be generated this way.

Certificate structure:
RootCA
|
|------- ServerCA
|        |
|        |-------- ServerA
|
|------- ClientCA
         |
         |-------- ClientA
         |
         |-------- ClientB
         |
         |-------- ...

5. Export the RootCA root certificate and the server's and clients' private keys and certificates.
Use PEM format for the export.
RootCA.pem ------- root certificate (PEM)
ServerA.pem ------ server certificate (PEM with certificate chain)
ClientA.pem ------ client certificate (PEM with certificate chain)
ClientB.pem ------ client certificate (PEM with certificate chain)
ServerAKey.pem ------ server private key (PEM)
ClientAKey.pem ------ client private key (PEM)
ClientBKey.pem ------ client private key (PEM)

6. The following is the most important step: generating the JKS files to use. The keytool utility cannot import a private key, so you need to use a tool that WebLogic provides, which requires adding weblogic.jar to the CLASSPATH.
6.1 Generate the trust certificate store for the server and the clients:
keytool -import -alias rootca -file RootCA.pem -keystore trust.jks
6.2 Generate the server-side identity keystore:
java utils.ImportPrivateKey -keystore servera.jks -storepass 123456 -storetype JKS -keypass 123456 -alias servera -certfile ServerA.pem -keyfile ServerAKey.pem
6.3 Generate the client identity keystore:
java utils.ImportPrivateKey -keystore clienta.jks -storepass 123456 -storetype JKS -keypass 123456 -alias clienta -certfile ClientA.pem -keyfile ClientAKey.pem
... generate the keystores of the other clients in the same way.

7. Run keytool -list -v -keystore clienta.jks (or servera.jks) to view the certificate chain relationships.

This completes all the steps. The resulting JKS files can be used for SSL socket connections or for HTTPS connections in WebLogic.
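
The hierarchy from steps 2 to 5 can also be built with openssl, which the article mentions as the common alternative to XCA. The script below is an added example, not part of the original article: it issues the same RootCA / ServerCA / ClientCA / leaf certificates, exports the same PEM files, and checks that a verifier trusting only RootCA.pem accepts any client issued by ClientCA. It goes one step beyond the text by checking certificate purpose as well. The CN values, key size, validity, extension choices (including the serverAuth/clientAuth extended key usage) and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example: the hierarchy from steps 2-5, built with the openssl CLI.
# CN values, RSA-2048, 365-day validity, the extension choices and the temp
# directory are assumptions; private keys are left unencrypted for brevity.
set -eu

issue() {  # issue NAME ISSUER EXT...: private key -> CSR -> cert signed by ISSUER
  name=$1 ca=$2; shift 2
  printf '%s\n' "$@" > "$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "${name}Key.pem" -out "$name.csr" 2>/dev/null
  if [ "$name" = "$ca" ]; then            # root: self-signed with its own key
    set -- -signkey "${name}Key.pem"
  else                                    # everything else: signed by the issuer
    set -- -CA "$ca.crt" -CAkey "${ca}Key.pem" -CAcreateserial
  fi
  openssl x509 -req -in "$name.csr" "$@" -days 365 -sha256 \
    -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

build_chain() {  # build_chain DIR: create all keys, certs and exported PEMs in DIR
  cd "$1"
  ca1='basicConstraints=critical,CA:TRUE' ca2='keyUsage=critical,keyCertSign,cRLSign'
  issue RootCA   RootCA "$ca1" "$ca2"
  issue ServerCA RootCA "$ca1" "$ca2"
  issue ClientCA RootCA "$ca1" "$ca2"
  issue ServerA ServerCA 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth'
  for c in ClientA ClientB; do
    issue "$c" ClientCA 'basicConstraints=CA:FALSE' 'extendedKeyUsage=clientAuth'
    cat "$c.crt" ClientCA.crt RootCA.crt > "$c.pem"    # PEM with certificate chain
  done
  cat ServerA.crt ServerCA.crt RootCA.crt > ServerA.pem
  cp RootCA.crt RootCA.pem                             # the only trust anchor
}

accepts() {  # accepts FILE PURPOSE: does the leaf in FILE chain to RootCA.pem?
  # The other certificates in FILE serve as untrusted intermediates only.
  openssl verify -CAfile RootCA.pem -untrusted "$1" -purpose "$2" "$1" >/dev/null 2>&1
}

build_chain "$(mktemp -d)"
accepts ClientB.pem sslclient && echo "ClientB: accepted, trust store holds only RootCA"
accepts ServerA.pem sslserver && echo "ServerA: accepted as TLS server"
accepts ServerA.pem sslclient || echo "ServerA: rejected as TLS client (serverAuth EKU)"
```

Because ServerCA and ClientCA share one root, a trust store that holds only RootCA accepts every certificate under it; the purpose check is what keeps a server certificate from being accepted as a client.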
