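Using a multi-domain certificate in a TIBCO server keystore
Notes on generating a private key and certificate request with openssl and importing the certificate into a JKS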
http://www.cnblogs.com/liaier/p/4137383.html
openssl pkcs12 -export -in server.pem -inkey serverkey.key -out server.pfx -CAfile chain.pem
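keytool has no command for importing a private key directly, and it cannot generate a SAN certificate request either. The only option is therefore to generate the CSR with openssl, combine the signed certificate and the private key into a PFX, and then use keytool to convert the PFX into a JKS.
1. Create the private key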
openssl genrsa -out c:/server/server-key.pem 1024
2. Create the certificate request (subject alternative name (SAN) certificate):
openssl req -new -config CONF\san.conf -out server-req.csr -key server-key.pem
san.conf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName_default = CN
stateOrProvinceName_default = Test
localityName_default = Test
organizationName_default = Test
commonName = Test (eg, YOUR name)
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
# Host names go in DNS.n entries; IP addresses need IP.n entries instead
DNS.1 = IPaddress1
DNS.2 = IPaddress2
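3. The CA receives the certificate request and issues the certificate. openssl x509 -req does not copy the extensions from the CSR, so the SAN section is supplied again with -extfile and -extensions:
openssl x509 -req -in c:/server/server-req.csr -out c:/server/server-cert.pem -CA c:/ca/ca-cert.pem -CAkey c:/ca/ca-key.pem -CAcreateserial -days 3650 -extfile CONF\san.conf -extensions v3_req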
4. You now have the issued certificate server-cert.pem (-----BEGIN CERTIFICATE-----), the existing ca-cert.pem (-----BEGIN CERTIFICATE-----), and server-key.pem (-----BEGIN RSA PRIVATE KEY-----).
Use these three files to build the PFX file:
openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -out server.pfx -chain -CAfile ca-cert.pem
5. Convert the PFX to a JKS with keytool
keytool -importkeystore -srckeystore D:\Temp\server.pfx -srcstoretype pkcs12 -destkeystore D:\Temp\server.jks -deststoretype JKS -storepass testpwd2
6. Inspect the JKS; the key alias inside it is 1
keytool -list -v -keystore D:\Temp\server.jks -storepass testpwd2
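Step 3 is where the SAN most often goes missing, because openssl x509 -req does not copy extensions from the CSR, so the signed certificate is worth checking before it is packed into the PFX. The script below is an added example, not part of the original post; it assumes a POSIX shell with openssl on the PATH, and the CA name and the host names app1.example.test and app2.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example. All names below (example-ca, app1/app2.example.test) are constructed.

# Print the subjectAltName value of certificate $1, or nothing if it has none.
cert_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# In directory $1: create a throwaway CA, a server key and a SAN CSR, then sign
# the CSR twice: plain.pem without -extfile, san.pem with it.
make_demo_certs() {
    d=$1
    cat > "$d/san.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
commonName = app1.example.test
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = app1.example.test
DNS.2 = app2.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/san.conf" \
        -subj "/CN=example-ca" -days 1 \
        -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" 2>/dev/null &&
    openssl genrsa -out "$d/server-key.pem" 2048 2>/dev/null &&
    openssl req -new -config "$d/san.conf" -key "$d/server-key.pem" \
        -out "$d/server-req.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server-req.csr" -CA "$d/ca-cert.pem" \
        -CAkey "$d/ca-key.pem" -CAcreateserial -days 1 \
        -out "$d/plain.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/server-req.csr" -CA "$d/ca-cert.pem" \
        -CAkey "$d/ca-key.pem" -CAcreateserial -days 1 \
        -extfile "$d/san.conf" -extensions v3_req \
        -out "$d/san.pem" 2>/dev/null
}

tmp=$(mktemp -d) && make_demo_certs "$tmp" &&
    echo "signed without -extfile: [$(cert_san "$tmp/plain.pem")]" &&
    echo "signed with -extfile:    [$(cert_san "$tmp/san.pem")]"
rm -rf "$tmp"
```

Running cert_san against server-cert.pem from step 3 gives the same check on the real certificate: empty output means the SAN was dropped at signing time.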