Using KeyTool for Digital Certificates (Part 2)
http://my.oschina.net/frankies/blog/344914
The J2SDK ships the keytool command-line tool, which creates digital certificates according to the parameters you give it. Generated certificates and keystores are saved by default in the current directory of the command line.
1. Creating a digital certificate

```shell
keytool -genkey -v -alias scent -dname "CN=John,OU=MNG,O=Corp,L=Hangzhou,ST=Zhejiang,C=CN" -keyalg RSA -keysize 2048 -keypass 123456 -keystore prospectlib -storepass 123456 -storetype JCEKS -validity 900
```

Note: -genkey can also be written as -genkeypair.
The fields of the dname value:
CN (Common Name: first and last name)
OU (Organization Unit: name of the organizational unit)
O (Organization: organization name)
L (Locality: city or locality name)
ST (State: state or province name)
C (Country: country name)
2. Listing all digital certificates in a keystore

```shell
keytool -list -rfc -keystore prospectlib -storepass 123456 -storetype JCEKS
```

Note: if the keystore is not of the default storetype, the type must be given explicitly. (JKS is the default; the others are JCEKS, PKCS12 and PKCS11.)
[Figure: encryption algorithms available in the JDK]
[Figure: the different keystore types in the JDK]
3. Viewing the details of a certificate

```shell
keytool -list -v -alias scent -keystore prospectlib -storepass 123456 -storetype JCEKS
```

Note: if the keystore is not of the default storetype, the type must be given explicitly.
4. Importing a certificate

```shell
keytool -import -v -trustcacerts -alias scent -file scent.cer -keypass 123456 -keystore prospectlib -storepass 123456
```

Note:
-import can also be written as -importcert.
-trustcacerts and -v may be omitted; the effect is the same.
5. Exporting a certificate

```shell
keytool -export -alias scent -file scent.cer -keystore prospectlib -storepass 123456
```

Note: -export can also be written as -exportcert.
6. Deleting a certificate

```shell
keytool -delete -alias scent -keystore prospectlib -storepass 123456 -storetype JCEKS
```

Note: if the keystore is not of the default storetype, the type must be given explicitly.
7. Generating a certificate signing request

```shell
keytool -certreq -alias scent -sigalg "MD5withRSA" -file scent.csr -keypass 123456 -keystore cacerts.jks -storepass 123456
```

Note: send the generated scent.csr file to a CA to request a signature. MD5withRSA is the value used in the original command; MD5 signatures are deprecated and rejected by current CAs, and SHA256withRSA is the usual choice today.
8. Displaying a certificate

```shell
keytool -printcert -v -file scent.cer
```
9. Changing a certificate's alias

```shell
keytool -changealias -v -alias scent -destalias perfume -keystore prospectlib -storepass 123456
```
10. Importing a keystore

```shell
keytool -importkeystore -v -srckeystore prospectlib -srcstoretype JKS -srcstorepass 123456 -destkeystore intrinsic -deststoretype JKS -deststorepass 123456 -srcalias "terrific prospect" -destalias "terrific prospect"
```

Note: if -srcalias and -destalias are not given, every certificate in the source keystore is imported into the destination keystore.
11. Changing a private key's password

```shell
keytool -keypasswd -alias brilliant -keystore range -storepass 123456 -keypass 123456 -new 654321
```

Note: if -keypass is not given, the tool prompts you to enter the password.
12. Changing the keystore password

```shell
keytool -storepasswd -v -new 654321 -keystore range -storepass 123456 -storetype JKS
```
Parameter reference:
-dname "CN=xx,OU=xx,O=xx,L=xx,ST=xx,C=xx"   the distinguished name is "CN=..."
-alias scent            the certificate whose alias is scent
-keyalg
    DSA, RSA              DSA or RSA algorithm (with -genkeypair)
    DES, DESede, AES      DES, DESede or AES algorithm (with -genseckey)
-keysize
    512 ~ 1024            key length between 512 and 1024 bits, a multiple of 64 (with -genkeypair and -keyalg DSA)
    > 512                 key length greater than 512 bits (with -genkeypair and -keyalg RSA)
    56                    key length of 56 bits (with -genseckey and -keyalg DES)
    112, 168              key length of 112 or 168 bits (with -genseckey and -keyalg DESede)
    128, 192, 256         key length of 128, 192 or 256 bits (with -genseckey and -keyalg AES)
-keypass 123456         the password of this certificate's private key is 123456
-keystore prospectlib   the keystore is named prospectlib
-storepass 123456       the keystore access password is 123456
-validity 900           the certificate is valid for 900 days
-file scent.cer         import the certificate from scent.cer, or export it to scent.cer
-v                      show detailed information
-rfc                    print the certificate in Base64 encoding
-storetype JCEKS        the keystore type is JCEKS. Common types are JKS (default), JCEKS (recommended), PKCS12, BKS and UBER. A keystore has exactly one type.
13. Exporting a private key (in Java)

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
//import sun.misc.BASE64Encoder;
import org.apache.commons.codec.binary.Base64;

public class DumpPrivateKey {
    /**
     * Provides the missing functionality of keytool
     * that Apache needs for SSLCertificateKeyFile.
     *
     * @param args <ul>
     *             <li> [0] Keystore filename.
     *             <li> [1] Keystore password.
     *             <li> [2] alias
     *             <li> [3] Store type (optional)
     *             <li> [4] Key password (optional, defaults to the keystore password)
     *             </ul>
     */
    static public void main(String[] args) throws Exception {
        if (args.length < 3) {
            throw new IllegalArgumentException("expected args: Keystore filename, Keystore password, alias, [store type] [key password: default same as keystore]");
        }
        final String keystoreName = args[0];
        final String keystorePassword = args[1];
        final String alias = args[2];
        final String storeType = (args.length > 3) ? args[3] : "jks"; // Default type is 'jks'
        final String keyPassword = getKeyPassword(args, keystorePassword);
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = new FileInputStream(keystoreName)) {
            ks.load(in, keystorePassword.toCharArray());
        }
        Key key = ks.getKey(alias, keyPassword.toCharArray());
        // key.getEncoded() is the PKCS#8 DER encoding, which matches the "PRIVATE KEY" PEM header
        //String b64 = new BASE64Encoder().encode(key.getEncoded());
        String b64 = new String(Base64.encodeBase64(key.getEncoded(), true)); // true = chunked into 76-char lines
        System.out.println("-----BEGIN PRIVATE KEY-----");
        System.out.println(b64);
        System.out.println("-----END PRIVATE KEY-----");
    }

    // The key password is the fifth argument; args[3] is the store type, so it must not be read here.
    private static String getKeyPassword(final String[] args, final String keystorePassword) {
        String keyPassword = keystorePassword; // default case
        if (args.length >= 5) {
            keyPassword = args[4];
        }
        return keyPassword;
    }
}
```
Notes:
(1) Running the command:

```shell
java -classpath .:commons-codec-1.4/commons-codec-1.4.jar DumpPrivateKey $HOME/.keystore changeit tomcat
```

(2) Parameters:
First parameter: path of the keystore file
Second parameter: access password of the keystore
Third parameter: alias of the private key to export
Fourth parameter (optional): keystore type, defaulting to jks
Fifth parameter (optional): password of the private key, defaulting to the keystore password
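A read-only companion to DumpPrivateKey, added here and not part of the original post: it opens the keystore with only the store password (no key passwords, nothing exported) and flags the weaknesses the earlier sections touch on, namely an RSA key shorter than the 2048 bits used in section 1, a certificate signed with MD5 or SHA-1 such as the MD5withRSA request in section 7, and certificates that are expired or about to expire relative to -validity. The class name KeystoreAudit and the 30-day warning window are my choices, not anything from the page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.Enumeration;

/** Reports weak or expiring entries in a keystore without touching any private key material. */
public class KeystoreAudit {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            throw new IllegalArgumentException("usage: KeystoreAudit <keystore> <storepass> <storetype: JKS|JCEKS|PKCS12>");
        }
        KeyStore ks = KeyStore.getInstance(args[2]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());          // store password only; key passwords are never needed
        }
        Date now = new Date();
        Date soon = new Date(now.getTime() + 30L * 24 * 60 * 60 * 1000);   // 30-day window (my choice)
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias);  // first certificate of the chain for key entries
            if (!(cert instanceof X509Certificate)) {
                continue;                                 // e.g. a -genseckey secret-key entry has no certificate
            }
            X509Certificate x = (X509Certificate) cert;
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
            System.out.println(alias + " (" + kind + "): " + x.getSubjectX500Principal());
            String sigAlg = x.getSigAlgName();            // e.g. "MD5withRSA" when that -sigalg was used
            if (sigAlg.toUpperCase().contains("MD5") || sigAlg.toUpperCase().contains("SHA1")) {
                System.out.println("  WEAK signature algorithm: " + sigAlg);
            }
            if (x.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength();
                if (bits < 2048) {                        // section 1 uses -keysize 2048
                    System.out.println("  WEAK RSA key size: " + bits + " bits");
                }
            }
            if (x.getNotAfter().before(now)) {
                System.out.println("  EXPIRED on " + x.getNotAfter());
            } else if (x.getNotAfter().before(soon)) {
                System.out.println("  expires within 30 days: " + x.getNotAfter());
            }
        }
    }
}
```

Run it against the keystore from section 1 with `java KeystoreAudit prospectlib 123456 JCEKS`; it needs no third-party jar.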