CSDN Blog

yuzhouhenan

Creating encryption keys for web services

Published 2008/9/30 10:52:00, 396 reads

Creating the keys used for VeriSign-based encryption:
  set SERVER_DN="CN=Server, OU=ec, O=ec, L=BEIJING, S=BEIJING, C=CN"
  set CLIENT_DN="CN=Client, OU=ec, O=ec, L=BEIJING, S=BEIJING, C=CN"
  set KS_PASS=-storepass changeit
  set KEYINFO=-keyalg RSA

  keytool -genkey -alias Server -dname %SERVER_DN% %KS_PASS% -keystore server.keystore %KEYINFO% -keypass changeit
  keytool -export -alias Server -file test_axis.cer %KS_PASS% -keystore server.keystore
  keytool -import -file test_axis.cer %KS_PASS% -keystore client.truststore -alias serverkey -noprompt

  keytool -genkey -alias Client -dname %CLIENT_DN% %KS_PASS% -keystore client.keystore %KEYINFO% -keypass changeit
  keytool -export -alias Client -file test_axis.cer %KS_PASS% -keystore client.keystore
  keytool -import -file test_axis.cer %KS_PASS% -keystore server.truststore -alias clientkey -noprompt

Another way to create the keys:
generateKeyPair.bat
  rem Parameterised here so that it matches the way generateKeyStore.bat calls it:
  rem   generateKeyPair.bat <alias> <key password> <keystore file> <keystore password> <certificate file to export>
  rem %1 = alias, %2 = key password, %3 = keystore file, %4 = keystore password, %5 = exported certificate file
  set DN="CN=%1, OU=ec, O=ec, L=BEIJING, S=BEIJING, C=CN"
  set KEYINFO=-keyalg RSA

  keytool -genkey -alias %1 -dname %DN% -keypass %2 -keystore %3 -storepass %4 %KEYINFO%
  keytool -export -alias %1 -file %5 -keystore %3 -storepass %4


generateKeyStore.bat
  call generateKeyPair.bat server serverpass serverStore.jks storepass serverKey.rsa
  call generateKeyPair.bat client clientpass clientStore.jks storepass clientKey.rsa

  keytool -import -alias server -file serverKey.rsa -keystore clientStore.jks -storepass storepass -noprompt
  keytool -import -alias client -file clientKey.rsa -keystore serverStore.jks -storepass storepass -noprompt

Theoretical background:

Keystores and the Java Keytool Utility
Because the WS-Security specification depends on the use of encryption keys and certificates, it's useful to discuss a mechanism to generate and maintain them.

You can use the Java keytool utility, which ships with the JDK, to generate public/private key-pairs and certificates and maintain them in a password-protected keystore so that your Java programs can use them. A keystore is a standard, password-protected repository, also known as PKCS#12, which you can use to store and transport keys and certificates securely.

Creating a Keystore and Key-Pair
The keytool utility can generate a key pair. Typically, you must generate two key-pairs to use one as a certificate/public-key for the other; therefore, execute the keytool with the -genkey option twice, and store each distinct key-pair into a separate keystore.

Here's how to use the keytool utility to generate a key-pair as a private key.

Author's Note: Enter the command lines shown below on a single line.

   %JAVA_HOME%/bin/keytool -genkey -alias privkey -keystore privkeystore -dname "cn=privkey" -keypass foobar -storepass foobar

To generate a key-pair to use as a certificate/public-key, use this code (again, enter the entire command on a single line).

   %JAVA_HOME%/bin/keytool -genkey -alias pubcert -keystore pubcertkeystore -dname "cn=pubcert" -keypass foobar -storepass foobar

The preceding commands

  • generate separate key-pairs
  • store the key-pairs in separate keystores
  • specify passwords for the keys and the keystores
  • specify the alias/name for each key-pair
  • specify the common name (sometimes referred to as the distinguished name) by which each key-pair will be known within each keystore.

To examine the contents of a keystore, execute the keytool utility with the -list option. For example, to examine the first (privkeystore) contents created earlier use:

   %JAVA_HOME%/bin/keytool -list -keystore privkeystore
   Enter keystore password:  foobar

   Keystore type: jks
   Keystore provider: SUN

   Your keystore contains 1 entry

   privkey, Jul 25, 2005, keyEntry,
   Certificate fingerprint (MD5): A1:FA:99:E2:A7:E8:1A:FB:D8:B7:87:91:D1:0E:9C:F8

Now, look at the pubcert certificate keystore:

   %JAVA_HOME%/bin/keytool -list -keystore pubcertkeystore
   Enter keystore password:  foobar

   Keystore type: jks
   Keystore provider: SUN

   Your keystore contains 1 entry

   pubcert, Jul 25, 2005, keyEntry,
   Certificate fingerprint (MD5): 99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62

To examine a key in detail, you can use the keytool utility to display it to the console in RFC 1421 format using the -rfc option, as follows:

   %JAVA_HOME%/bin/keytool -export -keystore privkeystore -alias privkey -storepass foobar -rfc

You'll see output on the console similar to the following:

   -----BEGIN CERTIFICATE-----
   MIIBlTCB/wIEQuWjhTANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDEwd0ZXN
   0a2V5MB4XDTA1MDcyNjAyNDQyMVoXDTA1MTAyNDAyNDQyMVowEjEQMA4GA1
   UEAxMHdGVzdGtleTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAz/HFY
   xicr+vonubY3rgnJFdl6OsvbinR2L54U7WKHNz2w7w3cOvTMGqop/xQtePx
   k3hXIJFs27OBC28Y8jRKYdgGDYMVU5/V0ddlGQUgfU7Xy9jdIPm61ayu3QH
   9LcXYSzVfHNeL3HHRcJV3jSwRs1K/vIVZKLNnBRufe2kORK0CAwEAATANBg
   kqhkiG9w0BAQQFAAOBgQBWAoAzG5B54dNUt7t3iU98Dre0EI9JkEn8HYiix
   oJxs1SmI/vESDbuAJY9EbjlPnvhHrgZL3rtb8twwzHwbLhnxVeV/LRk2C2e
   ghkPPEklp3w+UVv5U3dsvoR6LO4z3fTjnc+YbMG0Iss5gkwxJqYy/6qeyYY
   3EGoxl8Ehyu/hOw==
   -----END CERTIFICATE-----


Self-Signing Certificates
Keys are unusable unless they are signed, but you can use the keytool to self-sign them (for testing purposes only), as follows:

   %JAVA_HOME%/bin/keytool -selfcert -alias privkey -keystore privkeystore -keypass foobar -storepass foobar

Now, the certificate can be self-signed, as follows:

   %JAVA_HOME%/bin/keytool -selfcert -alias pubcert -keystore pubcertkeystore -keypass foobar -storepass foobar

Exporting Certificates with the Keytool Utility
After generating and self-signing the keys/certificates and storing them in the keystores, import each public key into the other key's keystore. This requires two steps: exporting the public key to a certificate file and importing the certificate to the other keystore. To export the public key to a certificate file, use:

   %JAVA_HOME%/bin/keytool -export -keystore pubcertkeystore -alias pubcert -storepass foobar -file pubcert

You should see a response that says:

   Certificate stored in file <pubcert>

You can also use the keytool utility to display the contents of the certificate file using the -printcert option, as follows:

   %JAVA_HOME%/bin/keytool -printcert -file pubcert

The output will look like:

   Owner: CN=pubcert
   Issuer: CN=pubcert
   Serial number: 42e5b3c4
   Valid from: Mon Jul 25 21:53:40 MDT 2005 until: Sun Oct 23 21:53:40 MDT 2005
   Certificate fingerprints:
   MD5:  99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
   SHA1: EC:59:92:E9:1F:8A:A6:0A:85:54:EC:76:47:DB:5F:3F:D2:15:78:77

The exported certificate contains the public key and distinguished name given to the certificate (in this case, pubcert).

Importing Certificates into Keystores
To import a public certificate into the keystore of the private key, issue the command:

   %JAVA_HOME%/bin/keytool -import -alias pubcert -file pubcert -keystore privkeystore -storepass foobar

The output looks like:

   Owner: CN=pubcert
   Issuer: CN=pubcert
   Serial number: 42e5b3c4
   Valid from: Mon Jul 25 21:53:40 MDT 2005 until: Sun Oct 23 21:53:40 MDT 2005
   Certificate fingerprints:
   MD5:  99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
   SHA1: EC:59:92:E9:1F:8A:A6:0A:85:54:EC:76:47:DB:5F:3F:D2:15:78:77

Answer the following question:

   Trust this certificate? [no]:  yes
   Certificate was added to keystore
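Before answering "yes" here (or passing -noprompt, as the batch files at the top of this post do), the fingerprint shown should be compared with one obtained out of band from the certificate's owner. As an added example that is not part of the original article, the following Python helper parses the -printcert output shown above and lists the reasons a certificate should not be trusted; the date handling (the zone name keytool prints is dropped) and the exact problem strings are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the keytool -printcert output for pubcert as shown on this page.
SAMPLE_PRINTCERT = """Owner: CN=pubcert
Issuer: CN=pubcert
Serial number: 42e5b3c4
Valid from: Mon Jul 25 21:53:40 MDT 2005 until: Sun Oct 23 21:53:40 MDT 2005
Certificate fingerprints:
MD5:  99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62
SHA1: EC:59:92:E9:1F:8A:A6:0A:85:54:EC:76:47:DB:5F:3F:D2:15:78:77
"""

def _parse_date(s):
    # keytool prints e.g. "Mon Jul 25 21:53:40 MDT 2005"; the zone token is dropped (assumption).
    parts = s.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_printcert(text):
    """Extract Owner, Issuer, validity window and fingerprints from -printcert output."""
    info = {"fingerprints": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Owner:") or line.startswith("Issuer:"):
            key, value = line.split(":", 1)
            info[key.lower()] = value.strip()
        elif line.startswith("Valid from:"):
            m = re.match(r"Valid from: (.+?) until: (.+)$", line)
            info["not_before"], info["not_after"] = map(_parse_date, m.groups())
        else:
            m = re.match(r"(MD5|SHA1|SHA256):\s*([0-9A-F:]+)$", line)
            if m:
                info["fingerprints"][m.group(1)] = m.group(2)
    return info

def check_certificate(text, expected_sha1, today):
    """Return the reasons (possibly none) not to trust the certificate; today is 'YYYY-MM-DD'."""
    info = parse_printcert(text)
    now = datetime.strptime(today, "%Y-%m-%d")
    problems = []
    got = info["fingerprints"].get("SHA1")
    if got != expected_sha1.upper():
        problems.append("SHA1 fingerprint mismatch: expected %s, got %s" % (expected_sha1, got))
    if not (info["not_before"] <= now <= info["not_after"]):
        problems.append("outside validity window")
    if info["owner"] == info["issuer"]:
        problems.append("self-signed certificate (Owner equals Issuer): acceptable for testing only")
    return problems
```

An empty list means the certificate matches the out-of-band fingerprint and is within its validity period; the self-signed warning is expected for the test certificates on this page.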

Now that the certificate has been imported into the private key's keystore, you can reexamine the contents of the keystore using the keytool utility with the -list option, as follows:

   %JAVA_HOME%/bin/keytool -list -keystore privkeystore
   Enter keystore password:  foobar

After entering your password you'll see the following output:

   Keystore type: jks
   Keystore provider: SUN

   Your keystore contains 2 entries

   privkey, Jul 25, 2005, keyEntry,
   Certificate fingerprint (MD5): E7:4A:D9:D7:67:A6:6D:E7:A5:C4:28:22:3D:C5:C4:30
   pubcert, Jul 25, 2005, trustedCertEntry,
   Certificate fingerprint (MD5): 99:8F:14:C5:BB:21:86:77:D2:CF:56:DE:98:DD:74:62

As the preceding examples illustrated, there are now two entries in the private-key's keystore. The first, with the alias privkey, is identified as a key entry. The second entry is the trusted certificate imported from the certificate file.

At this point you have performed sufficient key management tasks to use the private-key keystore to perform WS-Security tasks using the Apache Web Services Security for Java framework.
