zoukankan      html  css  js  c++  java
  • tibco server keystore怎样使用多域名证书

    Create a Subject Alternative Name certificate with Active Directory Certificate Services

    https://knowledge.zomers.eu/misc/Pages/Create-a-Subject-Alternative-Name-certificate-with-Active-Directory-Certificate-Services.aspx
    1.mmc.msc
    File->Add/Remove Snap-in
    select         Certificates and click on the   Add > button
    choose        Computer accountand click on        Next
    In the next screen, leave        Local computer selected and click        Finish

    2.Certification->Personal->Cerfification
    All Tasks->Request New Certificate
    leave        Active Directory Enrollment Policy selected and click        Next
    check the box in front of        Web Server and click on the        More information is required link under it
    In the Certificate Properties popup under Type, select        Common name,DNS , input Values and add them
    Switch to the        General tab and enter a name that you find identifyable for the certificate that you're creating
    go to the        Private Key tab and expand the        Key options section. Under it, check        Make private key exportable
    On the        Certification Authority tab, make sure the right certification authority is selected which you want to sign your certificate request
    Click        OK to close the        Certificate Properties window and click        Enroll in the        Certificate Enrollment window to file the request
     

    Install a Root Certification Authority

    https://technet.microsoft.com/en-us/library/cc731183(v=ws.11).aspx
    1.nltest /dsgetdc:alex.com

    2.Certification Authority(certsrv)

    openssl 生成私钥、申请文件,证书导入jks说明
    http://www.cnblogs.com/liaier/p/4137383.html
    openssl pkcs12 -export -in server.pem -inkey serverkey.key -out server.pfx  -CAfile chain.pem
    由于keytool没有直接导入private key的命令,又没有办法生成SAN证书请求,所以只能通过openssl生成CSR,然后再将签过的证书跟私钥生成PFX,再利用keytool将PFX转成JKS来使用。server端的keystore需要有private key的证书,client端的keystore不需要有private key的证书就可以使用,两者都不需要CA的证书。

    1.创建私钥
    openssl genrsa -out c:/server/server-key.pem 1024

    2.创建证书请求 (subject alternative name (SAN) certificates):
    openssl req -new -config CONFsan.conf -out server-req.csr -key server-key.pem
    san.conf

    [req]
    distinguished_name  = req_distinguished_name
    req_extensions = v3_req
    
    [ req_distinguished_name ]
    countryName_default   = CN
    stateOrProvinceName_default = Test
    localityName_default  = Test
    organizationName_default  = Test
    commonName            = Test (eg, YOUR name)
    commonName_max        = 64
    
    [ v3_req ]
    
    # Extensions to add to a certificate request
    
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1   = IPaddress1
    DNS.2   = IPaddress2
    

     3.CA收到证书申请后签发证书
    openssl x509 -req -in c:/server/server-req.csr -out c:/server/server-cert.pem -signkey c:/server/server-key.pem -CA c:/ca/ca-cert.pem -CAkey c:/ca/ca-key.pem -CAcreateserial -days 3650

    4.收到证书server-cert.pem(-----BEGIN CERTIFICATE-----),已有ca-cert.pem(-----BEGIN CERTIFICATE-----),server-key.pem(-----BEGIN RSA PRIVATE KEY-----)

    利用这三者生成PFX文件
    openssl pkcs12 -export -in server-cert.pem -inkey server-key.key -out server.pfx  -CAfile ca-cert.pem

    5.利用keytool将PFX转成JKS
    keytool -importkeystore -srckeystore D:Tempserver.pfx -srcstoretype pkcs12 -destkeystore D:Tempserver.jks -deststoretype JKS -storepass testpwd2

    6.查看JKS里面key alias为1
    keytool -list -v -keystore D:Tempserver.jks -storepass testpwd2

  • 相关阅读:
    一点点
    第四章:检查产品说明书
    这是一个动画效果,一个圆在桌面上动
    border-image的拉伸和平铺
    用js实现左右阴影的切换
    伪样式:hover ,:active,:focus
    画一个DIV并给它的四个角变成圆形,且加上阴影
    【转】asp.net 项目在 IE 11 下出现 “__doPostBack”未定义 的解决办法
    Full postback triggered by LinkButton inside GridView inside UpdatePanel
    苹果IOS开发者账号的区别,企业账号,个人账号,公司团队账号,教育账号
  • 原文地址:https://www.cnblogs.com/sui84/p/6829996.html
Copyright © 2011-2022 走看看