Linux添加keytool环境变量,用keytool制作多域名证书

keytool来生成用于tomcat的多域名ssl自签名证书&＃xff0c;方法很简答&＃xff1a;

安装好jdk&＃xff0c;配置好环境变量后&＃xff0c;执行以下命令来生成自签名的多域名证书&＃xff1a;

keytool -genkey -alias server  -keyalg RSA -keysize 1024 -keypass econfpass -keystore D:\keystore\server.jks -storepass econfpass -validity 36500 -dname "CN&＃61;域名1,CN&＃61;域名2,CN&＃61;域名3,OU&＃61;test,O&＃61;test,L&＃61;test,ST&＃61;test,C&＃61;test"

这样得到的server.jks就可以同时支持“域名1&＃xff0c;域名2&＃xff0c;域名3”。

在配置tomcat的server.xml文件时要注意&＃xff0c;对于采用keystore方式的配置&＃xff0c;不能启用apr connector&＃xff0c;也即需要将

注释掉&＃xff0c;因为APR connector需要的证书格式是apache支持的证书格式。

NOTE: (xp: %JAVA_HOME%/jre/lib/security/cacerts,  linux: $JAVA_HOME/jre/lib/security/cacerts)

验证是否已创建过同名的证书keytool -list -v -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts " -storepass changeit

删除已创建的证书keytool -delete -alias tomcat -keystore "%%JAVA_HOME%/jre/lib/security/cacerts " -storepass changeit

Keytool是一个Java数据证书的管理工具。keystore

Keytool将密钥(key)和证书(certificates)存在一个称为keystore的文件中在keystore里&＃xff0c;包含两种数据&＃xff1a; 密钥实体(Key entity)——密钥(secret key)又或者是私钥和配对公钥(采用非对称加密)                                               可信任的证书实体(trusted certificate entries)——只包含公钥Alias(别名)每个keystore都关联这一个独一无二的alias&＃xff0c;这个alias通常不区分大小写keystore的存储位置在没有制定生成位置的情况下&＃xff0c;keystore会存在与用户的系统默认目录&＃xff0c;如&＃xff1a;对于window xp系统&＃xff0c;会生成在系统的C:\Documents and Settings\UserName\文件名为“.keystore”keystore的生成

引用

keytool -genkey -alias tomcat -keyalg RSA   -keystore d:\mykeystore -dname "CN&＃61;localhost, OU&＃61;localhost, O&＃61;localhost, L&＃61;SH, ST&＃61;SH, C&＃61;CN" -keypass changeit -storepass -validity 180参数说明&＃xff1a;-genkey表示要创建一个新的密钥-dname表示密钥的Distinguished Names&＃xff0c;CN&＃61;commonNameOU&＃61;organizationUnitO&＃61;organizationNameL&＃61;localityNameS&＃61;stateNameC&＃61;countryDistinguished Names表明了密钥的发行者身份-keyalg使用加密的算法&＃xff0c;这里是RSA-alias密钥的别名-keypass私有密钥的密码&＃xff0c;这里设置为changeit-keystore 密钥保存在D:盘目录下的mykeystore文件中-storepass 存取密码&＃xff0c;这里设置为changeit&＃xff0c;这个密码提供系统从mykeystore文件中将信息取出-validity该密钥的有效期为 180天 (默认为90天)cacerts证书文件(The cacerts Certificates File)该证书文件存在于java.home\jre\lib\security目录下&＃xff0c;是Java系统的CA证书仓库创建证书1.服务器中生成证书&＃xff1a;(注&＃xff1a;生成证书时&＃xff0c;CN要和服务器的域名相同&＃xff0c;如果在本地测试&＃xff0c;则使用localhost)keytool -genkey -alias tomcat -keyalg RSA -keystore d:\mykeystore -dname "CN&＃61;localhost, OU&＃61;localhost, O&＃61;localhost, L&＃61;SH, ST&＃61;SH, C&＃61;CN" -keypass changeit -storepass changeit2.导出证书&＃xff0c;由客户端安装&＃xff1a;keytool -export -alias tomcat -keystore d:\mykeystore -file d:\mycerts.cer -storepass changeit3.客户端配置&＃xff1a;为客户端的JVM导入密钥(将服务器下发的证书导入到JVM中)keytool -import -trustcacerts -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts " -file d:\mycerts.cer -storepass changeit生成的证书可以交付客户端用户使用&＃xff0c;用以进行SSL通讯&＃xff0c;或者伴随电子签名的jar包进行发布者的身份认证。

常出现的异常&＃xff1a;“未找到可信任的证书”--主要原因为在客户端未将服务器下发的证书导入到JVM中&＃xff0c;可以用keytool -list -alias tomcat -keystore "%JAVA_HOME%/JRE/LIB/SECURITY/CACERTS" -storepass changeit

linux: #keytool -list -alias tomcat -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit来查看证书是否真的导入到JVM中。

keytool生成根证书时出现如下错误&＃xff1a;

keytool错误:java.io.IOException:keystore was tampered with,or password was incorrect

原因是在你的home目录下是否还有.keystore存在。如果存在那么把他删除掉&＃xff0c;然后再执行

或者删除"%JAVA_HOME%/jre/lib/security/cacerts 再执行

keytool 用法&＃xff1a;

-certreq     [-v] [-protected]

[-alias ] [-sigalg ]

[-file ] [-keypass ]

[-keystore ] [-storepass ]

[-storetype ] [-providername ]

[-providerclass [-providerarg ]] ...

[-providerpath ]

-changealias [-v] [-protected] -alias -destalias

[-keypass ]

[-keystore ] [-storepass ]

[-storetype ] [-providername ]

[-providerclass [-providerarg ]] ...

[-providerpath ]

-delete      [-v] [-protected] -alias

[-keystore ] [-storepass ]

[-storetype ] [-providername ]

[-providerclass [-providerarg ]] ...

[-providerpath ]

-exportcert  [-v] [-rfc] [-protected]

[-alias ] [-file ]

[-keystore ] [-storepass ]

[-storetype ] [-providername ]

[-providerclass [-providerarg ]] ...

[-providerpath ]

-genkeypair  [-v] [-protected]

[-alias ]

[-keyalg ] [-keysize ]

[-sigalg ] [-dname ]

[-validity ] [-keypass ]

[-keystore ] [-storepass ]

[-storetype ] [-providername ]

[-providerclass [-providerarg ]] ...

[-providerpath ]

-genseckey   [-v] [-protected]

[-alias ] [-keypass ]

[-keyalg ] [-keysize ]

[-keystore ] [-storepass ]

[-storetype ] [-providername ]

[-providerclass [-providerarg ]] ...

[-providerpath ]

-importcert  [-v] [-noprompt] [-trustcacerts] [-protected]

[-alias ]

[-file ] [-keypass ]

[-keystore ] [-storepass ]

[-storetype ] [-providername ]

[-providerclass [-providerarg ]] ...

[-providerpath ]

-importkeystore [-v]

[-srckeystore ] [-destkeystore ]

[-srcstoretype ] [-deststoretype ]

[-srcstorepass ] [-deststorepass ]

[-srcprotected] [-destprotected]

[-srcprovidername ]

[-destprovidername ]

[-srcalias [-destalias ]

[-srckeypass ] [-destkeypass ]]

[-noprompt]

[-providerclass [-providerarg ]] ...

[-providerpath ]

-keypasswd   [-v] [-alias ]

[-keypass ] [-new ]

[-keystore ] [-storepass ]

[-storetype ] [-providername ]

[-providerclass [-providerarg ]] ...

[-providerpath ]

-list        [-v | -rfc] [-protected]

[-alias ]

[-keystore ] [-storepass ]

[-storetype ] [-providername ]

[-providerclass [-providerarg ]] ...

[-providerpath ]

-printcert   [-v] [-file ]

-storepasswd [-v] [-new ]

[-keystore ] [-storepass ]

[-storetype ] [-providername ]

[-providerclass [-providerarg ]] ...

[-providerpath ]