生成根证书
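# Root CA: 4096-bit RSA key plus a self-signed certificate valid for 3650 days.
# The key is written unencrypted (no passphrase option is given), so it is
# generated under umask 077 in a subshell: the file comes out owner-only
# instead of world-readable, and the umask does not leak into later commands.
( umask 077 && openssl genrsa -out ca.key 4096 )
# -subj supplies the subject non-interactively; no CN is set for the CA.
openssl req -new -x509 -key ca.key -sha256 -subj "/C=CN/ST=Beijing/O=Test CA, INC." -days 3650 -out ca.crt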
定义服务端证书配置文件server-cert.conf
# OpenSSL request configuration for the server certificate (server-cert.conf).
# Read twice: by `openssl req -config` when building the CSR, and by
# `openssl x509 -extfile server-cert.conf -extensions req_ext` so that the
# subjectAltName below is written into the signed certificate.
[req]
default_bits = 4096
# prompt = no: take the subject from the [dn] section instead of asking.
prompt = no
default_md = sha256
# Extensions to embed in the CSR (section name referenced again at signing).
req_extensions = req_ext
distinguished_name = dn
[dn]
C = CN
ST = Beijing
O = Test CA, INC.
CN = tls-sample
[req_ext]
# Only subjectAltName is declared here. No keyUsage, extendedKeyUsage or
# basicConstraints are listed, so the signing step adds none of them from
# this file; stricter validators may expect them (e.g. EKU serverAuth).
subjectAltName = @alt_names
[alt_names]
# Clients must connect using one of these names/addresses for hostname
# verification to succeed; CN alone is ignored by modern TLS stacks.
DNS.1 = tls-sample
# Placeholder left by the author: replace with a real name or delete the
# line, otherwise the literal "..." is encoded into the SAN.
DNS.2 = ...
IP.1 = 127.0.0.1
IP.2 = ::1
生成服务端证书
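# Server key, CSR and CA-signed certificate. Subject and SAN list come from
# server-cert.conf. The private key is unencrypted, so it is created under
# umask 077 in a subshell (owner-only file, umask not leaked to later steps).
( umask 077 && openssl genrsa -out server.key 4096 )
openssl req -new -key server.key -out server.csr -config server-cert.conf
# x509 -req does not carry CSR extensions into the certificate by default;
# -extfile/-extensions req_ext is what puts the subjectAltName into server.crt.
# -CAcreateserial creates ca.srl on first use and reuses/increments it later.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile server-cert.conf -extensions req_ext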
查看服务端证书是否多域名
# Dump the issued server certificate as text (no PEM re-output) so the
# Subject Alternative Name entries can be compared with server-cert.conf.
openssl x509 -noout -text -in server.crt
定义客户端证书配置文件client-cert.conf
# OpenSSL request configuration for the client certificate (client-cert.conf).
# Read by `openssl req -config` for the CSR and by
# `openssl x509 -extfile client-cert.conf -extensions req_ext` at signing.
[req]
default_bits = 4096
# prompt = no: take the subject from the [dn] section instead of asking.
prompt = no
default_md = sha256
# Extensions to embed in the CSR (section name referenced again at signing).
req_extensions = req_ext
distinguished_name = dn
[dn]
C = CN
ST = Beijing
O = Test Client, Inc.
CN = localhost
[req_ext]
# Only subjectAltName is declared. No keyUsage or extendedKeyUsage
# (e.g. clientAuth) is listed here, so none is added from this file; servers
# that check EKU on client certificates may reject it.
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
# Placeholder left by the author: replace with a real name or delete the
# line, otherwise the literal "..." is encoded into the SAN.
DNS.2 = ...
IP.1 = ::1
IP.2 = 127.0.0.1
生成客户端证书
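# Client key and CSR in one step. -nodes leaves the key unencrypted, so the
# command runs under umask 077 in a subshell: client.key (and the CSR) come
# out owner-only instead of world-readable; the umask does not leak.
( umask 077 && openssl req -newkey rsa:4096 -nodes -keyout client.key -out client.csr -config client-cert.conf )
# Sign with the same root CA; -extensions req_ext from client-cert.conf
# supplies the SAN, since x509 -req does not copy CSR extensions by default.
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650 -sha256 -extfile client-cert.conf -extensions req_ext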
查看客户端证书是否多域名
# Dump the issued client certificate as text (no PEM re-output) so the
# Subject Alternative Name entries can be compared with client-cert.conf.
openssl x509 -noout -text -in client.crt
JAVA 导入证书
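# Import the server certificate into the JDK-wide truststore so Java clients
# using this JDK trust it. This modifies cacerts for every Java program on the
# host; an application-specific truststore (-keystore <app-truststore>) limits
# the impact, and importing ca.crt instead of the leaf would trust every
# certificate this CA issues. "changeit" is the JDK's shipped default
# password for cacerts; keep it only on disposable test hosts.
# Path is the JDK 9+ layout; JDK 8 keeps cacerts under jre/lib/security.
: "${JAVA_HOME:?JAVA_HOME must point at the JDK whose cacerts is to be modified}"
keytool -importcert -alias casserver -keystore "$JAVA_HOME/lib/security/cacerts" -file server.crt -storepass changeit -noprompt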