# SSL/TLS Tools

## OpenSSL

#### The commands below are the ones I use most often; for details, feed the keywords to the almighty Google

```
Test a connection:
	openssl s_client -showcerts -connect localhost:9092
Generate a certificate and private key:
	openssl req -x509 -new -nodes -sha256 -utf8 -days 356 -newkey rsa:2048 -keyout server.key -out server.crt -config ssl.cnf
	openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt -config ssl.conf

Generate a PKCS12 keystore:
	openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
```

```
# ssl.cnf (OpenSSL config files use '#' for comments, not '//')
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Taipei
O = Caster Inc.
OU = IT Department
emailAddress = admin@example.com
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.localhost
DNS.2 = localhost
IP.1 = 127.0.0.1
```

## Keytool

#### The commands below are the ones I use most often; for details, feed the keywords to the almighty Google

{% code overflow="wrap" %}

```
List everything in a keystore:
	keytool -list -v -keystore localSocketio.jks -storepass 123456

Delete an entry:
	keytool -delete -alias c1 -keystore localSocketio.jks -storepass 123456

Export a certificate:
	keytool -export -alias localcertpem -keystore localSocketio.jks -file c1.crt -rfc -storepass 123456

Show certificate contents:
	keytool -printcert -file c1.crt

Import a certificate:
	keytool -importcert -trustcacerts -alias c1 -file c1.crt -keystore localSocketio.jks -storepass 123456

Import a PKCS12 keystore into a JKS:
	keytool -importkeystore -deststorepass 123456 -destkeypass 123456 -destkeystore localSocketio.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass 123456

macOS:
Add a self-signed certificate to the local trust store:
	sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain c1.crt
```

{% endcode %}

## Create Self-signed Certificate: Procedure

#### Init keystore

1. Create a keystore

```shell
keytool -keystore testtls.jks -genkey -alias local -storepass 123456
```

2\. Empty the keystore

```shell
keytool -delete -alias local -keystore testtls.jks -storepass 123456
```

3\. Check the keystore contents

```shell
keytool -list -v -keystore testtls.jks -storepass 123456
# output:
# 金鑰儲存庫類型: PKCS12
# 金鑰儲存庫提供者: SUN
# 您的金鑰儲存庫包含 0 項目
```

#### Create certificate

1. Init the key config (ssl.cnf): set it up using the ssl.cnf described above
2. Generate a key pair and certificate

{% code overflow="wrap" %}

```shell
openssl req -x509 -new -nodes -sha256 -utf8 -days 356 -newkey rsa:2048 -keyout server.key -out server.crt -config ssl.cnf
```

{% endcode %}

3\. Generate a PKCS12 keystore

```shell
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
```

4\. Import the PKCS12 keystore into the JKS

{% code overflow="wrap" %}

```shell
keytool -importkeystore -deststorepass 123456 -destkeypass 123456 -destkeystore testtls.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass 123456
```

{% endcode %}

5\. Import the certificate into the keystore's trust store

{% code overflow="wrap" %}

```shell
keytool -importcert -trustcacerts -alias localtest -file server.crt -keystore testtls.jks -storepass 123456
```

{% endcode %}

6\. Add the self-signed certificate to the local trust store (macOS version) - this step prompts for your computer password

{% code overflow="wrap" %}

```shell
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain server.crt
```

{% endcode %}
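The ssl.cnf above decides which names the certificate is valid for, and the procedure ends without checking what was actually produced. The following is an added example (not from the original page): it writes a config equivalent to the page's ssl.cnf, generates the key and self-signed certificate, exports the PKCS12 bundle, and then checks that the certificate covers `localhost` and `127.0.0.1` but not an unrelated name, and that the `.p12` opens only with its export password. It assumes `openssl` is on the PATH; the temporary directory and the export password `changeit` are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original page): generate a SAN-bearing
# self-signed certificate from a config modelled on the page's ssl.cnf,
# export it to PKCS12, and verify what the certificate actually covers.
set -eu

# Write a config equivalent to the page's ssl.cnf to the path in $1 (constructed here).
write_ssl_cnf() {
  cat > "$1" <<'EOF'
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Taipei
O = Caster Inc.
OU = IT Department
emailAddress = admin@example.com
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.localhost
DNS.2 = localhost
IP.1 = 127.0.0.1
EOF
}

# Generate server.key / server.crt / server.p12 inside directory $1.
make_self_signed() {
  dir=$1
  write_ssl_cnf "$dir/ssl.cnf"
  openssl req -x509 -new -nodes -sha256 -utf8 -days 365 -newkey rsa:2048 \
    -keyout "$dir/server.key" -out "$dir/server.crt" -config "$dir/ssl.cnf" 2>/dev/null
  # Password given inline only for the demo; prefer -passout file:... or a prompt in practice.
  openssl pkcs12 -export -out "$dir/server.p12" -inkey "$dir/server.key" \
    -in "$dir/server.crt" -passout pass:changeit
}

# Return 0 when the certificate's SAN entries cover host name $2 (-checkhost prints
# "does match" / "does NOT match" and does not change the exit status, so grep for it).
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Same check for an IP address, i.e. the IP.1 entry of alt_names.
cert_matches_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# Return 0 when the PKCS12 bundle $1 opens with password $2 and contains a certificate.
p12_has_cert() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

# Stand-alone demo: build everything in a temp dir and report the checks.
demo() {
  dir=$(mktemp -d)
  make_self_signed "$dir"
  # A self-signed certificate verifies only against itself as the trust anchor.
  openssl verify -CAfile "$dir/server.crt" "$dir/server.crt"
  cert_matches_host "$dir/server.crt" localhost && echo "localhost: covered by SAN"
  cert_matches_ip "$dir/server.crt" 127.0.0.1 && echo "127.0.0.1: covered by SAN"
  cert_matches_host "$dir/server.crt" example.org || echo "example.org: NOT covered (as expected)"
  p12_has_cert "$dir/server.p12" changeit && echo "server.p12: opens with the export password"
  rm -rf "$dir"
}
```

Run `demo` after sourcing the script. The point of the `-checkhost`/`-checkip` step is that clients match the connection name against the SAN list, not the CN, so a typo in `alt_names` (such as the stray `f` in the page's original `IP.1` line) silently produces a certificate that every client rejects; catching that at generation time is cheaper than debugging a handshake failure later.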

### Bug reference links

#### keytool cannot import a private key into a JKS

Believe it or not, keytool does not provide such basic functionality like importing private key to keystore. You can try this workaround with merging PKCS12 file with private key to a keystore:

```
keytool -importkeystore \
  -deststorepass storepassword \
  -destkeypass keypassword \
  -destkeystore my-keystore.jks \
  -srckeystore cert-and-key.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass p12password \
  -alias 1
```

Or just use more user-friendly [KeyMan](https://www.ibm.com/docs/en/zvse/6.2?topic=SSB27H_6.2.0/fa2ti_openssl_create_key_store.html) from IBM for keystore handling instead of keytool.

[Reference](https://stackoverflow.com/questions/906402/how-to-import-an-existing-x-509-certificate-and-private-key-in-java-keystore-to)

### Convert PKCS12 to PEM

2023/12/19 - Added a PKCS12 to PEM conversion example

1. **Generate a test SSL key**

   * Use OpenSSL to generate a test SSL key (`server.key`), containing the private and public key, and a certificate (`server.crt`).
   * `-x509` means generate a self-signed certificate; `-newkey rsa:2048` means generate a new certificate with a 2048-bit RSA key.

   ```bash
   openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt
   ```
2. **SSL key to PKCS12 file**

   * Use OpenSSL to convert the generated SSL key and certificate into a PKCS12-format file (`server.p12`).
   * `-export` performs the export; `-inkey` and `-in` specify the private key and certificate input files respectively.

   ```bash
   openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
   ```
3. **Convert PKCS12 to PEM**

   * Use OpenSSL to convert the PKCS12-format file into a PEM-format file (`server.pem`).
   * `-nocerts` excludes the certificate part, `-nodes` leaves the private key unencrypted, and `-out` specifies the output file.

   ```bash
   openssl pkcs12 -in server.p12 -nocerts -nodes -out server.pem
   ```
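The three steps above end with an unencrypted key in `server.pem` and no check that it is the right one. The following is an added example (not from the original page) that goes slightly beyond the page's step 3: it extracts both the key and the certificate from the `.p12`, keeps the clear-text key file private, and confirms that the extracted key's public half equals the certificate's public key. It assumes `openssl` on the PATH; the temporary bundle, the subject `/CN=localhost` and the password `changeit` are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original page): round-trip a PKCS12 bundle to
# PEM and check that the extracted key really belongs to the extracted certificate.
set -eu

# Build a throwaway PKCS12 bundle in directory $1 (constructed for the demo;
# the page's steps 1-2 do the same with server.key / server.crt).
make_demo_p12() {
  dir=$1
  openssl req -x509 -new -nodes -sha256 -days 365 -newkey rsa:2048 \
    -subj "/CN=localhost" -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
  openssl pkcs12 -export -out "$dir/server.p12" -inkey "$dir/server.key" \
    -in "$dir/server.crt" -passout pass:changeit
}

# Extract the private key (unencrypted, as the page's -nodes does) and the
# certificate from bundle $1 using password $2, writing into directory $3.
p12_to_pem() {
  p12=$1; pass=$2; outdir=$3
  (
    umask 077   # the key comes out in the clear, so create the file owner-readable only
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" \
      -out "$outdir/server.key.pem" 2>/dev/null
  )
  openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" \
    -out "$outdir/server.cert.pem" 2>/dev/null
}

# Return 0 when the public key derived from PEM key $1 equals the public key in cert $2.
# Both commands print the SubjectPublicKeyInfo in PEM, so the text can be compared directly.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Return 0 when PEM file $1 holds an unencrypted PKCS#8 key (what -nodes produces).
key_is_unencrypted() {
  grep -q 'BEGIN PRIVATE KEY' "$1"
}

# Stand-alone demo.
demo() {
  dir=$(mktemp -d)
  make_demo_p12 "$dir"
  p12_to_pem "$dir/server.p12" changeit "$dir"
  key_is_unencrypted "$dir/server.key.pem" && echo "key extracted unencrypted (mode: $(ls -l "$dir/server.key.pem" | cut -c1-10))"
  key_matches_cert "$dir/server.key.pem" "$dir/server.cert.pem" && echo "key matches certificate"
  rm -rf "$dir"
}
```

The `umask 077` subshell matters because `-nodes` writes the private key without a passphrase; on a shared host that file is the whole secret, so it should never be created world-readable. The public-key comparison is the quick way to confirm that a key and certificate pulled from different files or bundles actually belong together before handing them to a server.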

