生成密钥:
openssl genrsa -out privkey.pem 2048
生成csr申请文件:
openssl req -sha256 -new -key privkey.pem -out pubkey.pem
生成自签名证书:
openssl x509 -req -days 365 -in my.csr -signkey my.key -out my.crt
转换为pfx格式:
openssl pkcs12 -export -out my.pfx -inkey my.key -in my.pem
PKCS7 转 PEM:
openssl pkcs7 -print_certs -in my.cer -out my.pem
JKS 转 PKCS12:
keytool -importkeystore -srckeystore my.jks -destkeystore my.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass passwordText -deststorepass passwordText -srcalias aliasText -destalias aliasText -srckeypass passwordText -destkeypass passwordText -noprompt
PKCS12 转 PEM:
openssl pkcs12 -in my.p12 -out my.pem -passin pass:password_of_p12 -passout pass:password_for_pem
PEM 转 DER:
openssl x509 -outform der -in my.pem -out my.der
PEM 转 P7B:
openssl crl2pkcs7 -nocrl -certfile my.pem -out my.p7b -certfile ca.pem
去掉private key密码:
openssl rsa -in my_encrypt.key -out my.key
申请免费证书:
https://www.letsencrypt.com
转换为tomcat所用证书格式:
openssl pkcs12 -export -in my.crt -inkey my.key -out my.pk12 -name sshkey
keytool -importkeystore -deststorepass 123455 -destkeypass 123455 -destkeystore my.keystore -srckeystore my.pk12 -srcstoretype PKCS12 -srcstorepass 123455 -alias sshkey
openssl pkcs12 -export -in my.crt -inkey my.key -certfile bundle.crt -out my.p12 -name sshkey
keytool -importkeystore -srckeystore my.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore my.jks -alias sshkey
列出jks的详细信息:
keytool -list -v -keystore my.jks
检查证书文件是否匹配:
openssl x509 -noout -modulus -in my.crt | openssl md5
openssl rsa -noout -modulus -in my.key | openssl md5
openssl req -noout -modulus -in my.csr | openssl md5
检查证书链是否匹配:
openssl verify -CAfile bundle.crt my.crt
tomcat 配置:
<Connector port="8443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/usr/share/tomcat/ssl/my.keystore"
keystorePass="123455"
SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA" />
来源:https://www.cnblogs.com/afxcn/p/4470933.html