SSL certificates
cd /usr/local/jdk/bin
./keytool -list -keystore /home/pingan/stg.jks -storepass 12345678
(passing -storepass on the command line leaves the password in shell history and in ps output; omit it and let keytool prompt instead)
cd
openssl pkcs12 -info -in stg.pfx
JKS (Java KeyStore) and PFX (PKCS#12) are the most common SSL certificate file formats; both can hold the complete certificate key pair, the certificate chain and trusted certificates. PFX is commonly used by Windows IIS, JKS by Java web servers such as Tomcat, WebLogic, JBoss and Resin. Although recent versions of these servers support both PFX and JKS, older and free versions often support only JKS, so when moving between web platforms you have to convert the existing SSL certificate to the other format.
1. Converting a PFX file to a JKS file
Using a tool from the JWSDP toolkit (Java 5 era; a JDK 6 or later keytool can do the same with the -importkeystore option shown further down, with the source and destination store types swapped, so the JWSDP tool is only needed on Java 5).
Install J2SE 1.5: download and run jdk-1_5_0_09-windows-i586-p.exe
Download and install the Java Web Services Developer Pack, jwsdp-2_0-windows-i586.exe
Create a new keystore file with a placeholder entry under the alias temp (delete it with keytool -delete once the import is done):
keytool -genkey -alias temp -keyalg RSA -keystore server.jks
With the PFX file to import ready (server.pfx), run:
C:\Sun\jwsdp-2.0\xws-security\bin\pkcs12import.bat -file server.pfx -alias server -keystore server.jks
Check the certificate entries now in server.jks:
keytool -list -v -keystore server.jks
2. Converting a JKS file to a PFX file
Using the jks2pfx tool
Download the JKS2PFX conversion tool.
Unpack the archive into the c:\jks2pfx directory and run:
JKS2PFX <KeyStore file> <KeyStore password> <alias> <export file name> [Java Runtime directory]
Notes:
KeyStore file: the file in which Tomcat keeps the SSL certificate
KeyStore password: the password of that KeyStore file
Alias: the alias chosen when the certificate CSR was generated
Export file name: the name of the files to produce (without extension)
Java Runtime directory (optional): the directory containing java.exe and keytool.exe, e.g. c:\progra~1\Java\jre1.5.0_06\bin
Example:
JKS2PFX server.jks 123456 tomcat exportfile c:\progra~1\Java\jre1.5.0_06\bin
This exports the SSL certificate stored under the alias tomcat in server.jks and produces three files: exportfile.key, exportfile.crt and exportfile.pfx. exportfile.pfx can be imported into Microsoft IIS; exportfile.key and exportfile.crt can be used with Apache or any OpenSSL-compatible system. Note that exportfile.key is the unencrypted private key, so restrict its permissions and do not leave copies lying around.
The contents of the PFX file can be inspected with:
openssl pkcs12 -info -in exportfile.pfx
3. Converting a PFX file into an X.509 certificate file and an RSA key file
Using the OpenSSL command line:
openssl pkcs12 -in myssl.pfx -nodes -out server.pem
openssl rsa -in server.pem -out server.key
openssl x509 -in server.pem -out server.crt
(-nodes writes the private key into server.pem, and hence server.key, unencrypted; set their permissions to owner-only and remove the intermediate server.pem once it has been split. OpenSSL 3 spells this option -noenc and still accepts -nodes.)
General forms:
openssl pkcs12 -in pkcs-12-certificate-file -out pem-certificate-file
openssl pkcs12 -in pkcs-12-certificate-and-key-file -out pem-certificate-and-key-file
===============================================================
ruby Net::HTTP
cd /usr/local/jdk/bin
./keytool -list -keystore /home/simon/abc.jks -storepass 12345678
openssl pkcs12 -info -in abc.pfx
PEM file: *.pem
Keystore file: *.jks
PKCS12 file: *.pfx
pfx => pem
openssl pkcs12 -in abc.pfx -nodes -out client.pem
Enter Import Password:
jks => pem (certificate only; -exportcert never writes the private key)
./keytool -exportcert -keystore /home/simon/javapro/TestPost/abc.jks -file /home/simon/mycert.crt -alias mykey
openssl x509 -out /home/simon/cert/key/key.pem -outform pem -in /home/simon/mycert.crt -inform der
jks => pfx (pkcs12), private keys included
cd /usr/local/jdk/bin
./keytool -importkeystore -srckeystore /home/simon/javapro/TestPost/abc.jks -destkeystore /home/simon/javapro/TestPost/key.pfx -srcstoretype JKS -deststoretype PKCS12
To convert a single entry instead of the whole store, name it with -srcalias:
./keytool -importkeystore -srckeystore /home/simon/javapro/TestPost/abc.jks -destkeystore /home/simon/javapro/TestPost/key.pfx -srcalias mykey -srcstoretype jks -deststoretype pkcs12
=========================================
bash$ keytool -keystore foo.jks -genkeypair -alias foo \
        -dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU'
bash$ keytool -keystore foo.jks -exportcert -alias foo | \
        openssl x509 -inform der -text
bash$ keytool -importkeystore -srckeystore foo.jks \
        -destkeystore foo.p12 \
        -srcstoretype jks \
        -deststoretype pkcs12
bash$ openssl pkcs12 -in foo.p12 -out foo.pem
bash$ openssl x509 -text -in foo.pem
bash$ openssl dsa -text -in foo.pem
You end up with:
foo.jks - keystore in java format.
foo.p12 - keystore in PKCS#12 format.
foo.pem - all keys and certs from keystore, in PEM format.
(This last file can be split up into keys and certificates if you like.)
Command summary - to create JKS keystore:
keytool -keystore foo.jks -genkeypair -alias foo \
    -dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU'
Command summary - to convert JKS keystore into PKCS#12 keystore, then into PEM file:
keytool -importkeystore -srckeystore foo.jks \
    -destkeystore foo.p12 \
    -srcstoretype jks \
    -deststoretype pkcs12
openssl pkcs12 -in foo.p12 -out foo.pem
(Without -nodes, openssl asks for a PEM pass phrase and writes the private key encrypted, which is the safer choice for a file that stays on disk.)
If you have more than one certificate in your JKS keystore, and you want to export only the certificate and key associated with one of the aliases, you can use the following variation:
keytool -importkeystore -srckeystore foo.jks \
    -destkeystore foo.p12 \
    -srcalias foo \
    -srcstoretype jks \
    -deststoretype pkcs12
openssl pkcs12 -in foo.p12 -out foo.pem
Command summary - to compare JKS keystore to PEM file:
keytool -keystore foo.jks -exportcert -alias foo | \
    openssl x509 -inform der -text
openssl x509 -text -in foo.pem
openssl dsa -text -in foo.pem
(openssl dsa matches the key type here because older keytool releases generate a DSA pair when -keyalg is not given; for a pair created with -keyalg RSA, as in the sections above, use openssl rsa -text -in foo.pem instead. Both listings should show the same public key modulus or parameters as the certificate, which is the actual check being made.)
openssl pkcs12 -in myapp.p12 -nodes -out key.pem
Enter Import Password:
pfx => pem
openssl pkcs12 -in /home/simon/javapro/TestPost/abc.pfx -nodes -out /home/simon/key.pem
Enter Import Password:
extract the rsa key from the combined PEM:
openssl rsa -in /home/simon/key.pem -outform pem -out /home/simon/cert/key/key.pem
jks => pem (certificate only)
./keytool -exportcert -keystore /home/simon/javapro/TestPost/abc.jks -file /home/simon/mycert.crt -alias mykey
Enter keystore password:
openssl x509 -out /home/simon/cert/key/client.pem -outform pem -in /home/simon/mycert.crt -inform der
========================================
jks (Java KeyStore):
The container Java uses to store keys. It can hold any number of public keys (certificates) or private keys at once; the extension is usually .jks, .keystore, .truststore and so on, with plenty of variety.
Whatever the extension, it is just a container; companies and organisations simply name it differently, e.g. a container holding only "trusted public keys" (CA certificates) is saved as a .truststore file.
Use keytool.exe from the jdk\bin directory to list, import, export and delete entries and to change passwords.
A jks container has a store password: keytool uses it to verify the integrity of the whole file and warns that integrity is unverified if you leave it out.
There is a second, different password: the password of each private key stored inside the jks, which is normally kept strictly secret.
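The jks container described above, read back the way keytool -list does it, as an added example that is not from the original notes or from any of the tools they name. It assumes only Ruby's standard digest and stringio libraries; the keystore bytes it parses are constructed in the block by a small writer, and the "certificate" DER blobs used as test data are placeholders, not real certificates. The point it shows is the two-password split from the notes: the store password only feeds the SHA-1 integrity trailer, so a tampered file or a wrong store password is rejected before any entry is read, while private key entries come out still encrypted under the separate key password.

```ruby
require 'digest'
require 'stringio'

# Layout constants of the JKS (JavaKeyStore) container written by keytool.
JKS_MAGIC        = 0xFEEDFEED
JKS_VERSION      = 2
PRIVATE_KEY_TAG  = 1                      # encrypted private key + certificate chain
TRUSTED_CERT_TAG = 2                      # one trusted certificate
JKS_SALT         = 'Mighty Aphrodite'.b   # fixed string keytool mixes into the integrity hash

# Java DataOutputStream primitives used inside the container.
def jks_utf(s);  [s.bytesize].pack('n') + s.b; end
def jks_int(i);  [i].pack('N'); end
def jks_long(i); [i].pack('Q>'); end

# Integrity trailer: SHA-1( store password as UTF-16BE || "Mighty Aphrodite" || body ).
# This is all the *store* password protects; each private key has its own key password.
def jks_integrity(password, body)
  Digest::SHA1.digest(password.encode('UTF-16BE').b + JKS_SALT + body)
end

# Minimal writer, used here only to construct a sample keystore for the reader.
# entries: { tag:, alias:, created_ms:, cert: } or { tag:, alias:, created_ms:, key:, chain: [...] }
def build_jks(password, entries)
  body = jks_int(JKS_MAGIC) + jks_int(JKS_VERSION) + jks_int(entries.size)
  entries.each do |e|
    body << jks_int(e[:tag]) << jks_utf(e[:alias]) << jks_long(e[:created_ms])
    if e[:tag] == PRIVATE_KEY_TAG
      body << jks_int(e[:key].bytesize) << e[:key] << jks_int(e[:chain].size)
      e[:chain].each { |c| body << jks_utf('X.509') << jks_int(c.bytesize) << c }
    else
      body << jks_utf('X.509') << jks_int(e[:cert].bytesize) << e[:cert]
    end
  end
  body + jks_integrity(password, body)
end

# Reader equivalent to `keytool -list -v`: checks the integrity trailer with the store
# password before parsing anything, then walks the entries. Encrypted private keys are
# returned opaque; decrypting them needs the per-key password and Sun's JKS key PBE.
def read_jks(blob, password)
  blob = blob.b
  raise 'file too short to be a JKS keystore' if blob.bytesize < 32
  body, stored = blob[0, blob.bytesize - 20], blob[-20, 20]
  unless stored == jks_integrity(password, body)
    raise 'keystore was tampered with, or password was incorrect'
  end
  io = StringIO.new(body)
  take = lambda do |n|                     # short read = truncated or corrupt file
    s = io.read(n)
    raise 'truncated keystore' unless s && s.bytesize == n
    s
  end
  rd_int  = -> { take.(4).unpack1('N') }
  rd_utf  = -> { take.(take.(2).unpack1('n')).force_encoding('UTF-8') }
  rd_blob = -> { take.(rd_int.()) }
  raise 'not a JKS file (bad magic)' unless rd_int.() == JKS_MAGIC
  raise 'unsupported JKS version'    unless rd_int.() == JKS_VERSION
  entries = Array.new(rd_int.()) do
    tag   = rd_int.()
    entry = { alias: rd_utf.(), created_ms: take.(8).unpack1('Q>') }
    case tag
    when PRIVATE_KEY_TAG
      entry[:type]          = 'PrivateKeyEntry'
      entry[:encrypted_key] = rd_blob.()   # still ciphertext: needs the key password
      entry[:chain]         = Array.new(rd_int.()) { rd_utf.(); rd_blob.() }
    when TRUSTED_CERT_TAG
      entry[:type]  = 'trustedCertEntry'
      rd_utf.()                            # certificate type, always "X.509"
      entry[:chain] = [rd_blob.()]
    else
      raise "unknown entry tag #{tag}"
    end
    # keytool prints a fingerprint of the leaf certificate; same idea here.
    entry[:fingerprint] = Digest::SHA256.hexdigest(entry[:chain].first) unless entry[:chain].empty?
    entry
  end
  raise 'trailing bytes after last entry' unless io.eof?
  entries
end
```

Keystores written by keytool parse the same way; what this reader deliberately does not do is decrypt a PrivateKeyEntry, which would require the key password and the proprietary JKS key-protection cipher, so listing a store never exposes private key material.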
pfx:
Same role as a jks but a different file format; pfx is the format browsers (and Windows) import and export.
Some utilities can convert a pfx into jks format for Java programs to use (e.g. when the bank supplies only a pfx but we want to use httpclient to simulate a browser and access the site automatically).
It is said that the pfx exported by IE is not standard and often causes errors when converted to jks; you can try importing it into Netscape Navigator and exporting it again, then converting. I have run into this myself.
The common kinds of https site
Data sent over https is encrypted in transit, which prevents eavesdropping, impersonation and tampering by third parties.
1. Sites that need nothing from the user, e.g. https://www.verisign.com/
This is because the site's certificate (its public key) is valid: issued by a trusted CA, matching the actual domain name, and not expired. In IE, right-click on an empty part of the page to view the certificate details.
2. Sites where the browser pops up a certificate warning
The certificate is not valid (not issued by a trusted CA, not matching the actual domain name, or expired); clicking "Yes" means the user accepts the risk and continues anyway.
3. Sites that require importing a file into the browser before they can be accessed
Usually online banking and other cases with special security needs: the site (the bank) has to verify the visitor's identity (e.g. confirm that it is a registered online-banking merchant), so a pfx file containing the visitor's private key has to be imported into the browser.
Generating a jks:
When the bank provides no jks file for reconciliation, you have to generate one yourself.
For sites of type 1 and 2, if a Java program accessing the URL cannot find the CA that issued the site's certificate in the JRE's default truststore, it throws a security exception.
So the site's certificate has to be stored in a jks, and that jks configured as the truststore (the javax.net.ssl.trustStore system property) to declare that the certificates in it are trusted; only then does the access succeed.
I used a ready-made make_jks utility class that reads the https://xxxx address in the program, automatically grabs the bank's certificate and stores it in a jks file.
When viewing the site's certificate in the browser you can export it (usually as a .cer file), then use keytool.exe to import that cer into a jks by hand; that may also work, but I have not tried it.
For type 1 and 2 sites above, only the certificate's "verify the other party's identity" function is used.
For type 3 sites, ready-made programs also exist to convert the pfx directly into a jks.
Once a pfx is involved, generally both uses of the public key and both uses of the private key come into play.
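The pfx handling from the command sections above (pfx => pem, extracting the rsa key, comparing key and certificate) and the three kinds of https site just described, done in Ruby with the standard openssl and net/http libraries, as an added example that is not part of the original notes or of any tool they mention. It assumes nothing about a real bank: the key, certificate and .pfx are constructed inside the block, the names client.example and bank.example are placeholders, and the Net::HTTP object is only configured, never connected.

```ruby
require 'openssl'
require 'net/http'

# Constructed sample material: a throwaway RSA key and a self-signed certificate.
# In real use the key and certificate come out of the .pfx the bank issued.
def make_self_signed(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Build a .pfx (PKCS#12) in memory, the reverse of the openssl commands above.
def pack_pkcs12(key, cert, password, friendly_name = 'mykey')
  OpenSSL::PKCS12.create(password, friendly_name, key, cert).to_der
end

# Equivalent of `openssl pkcs12 -in abc.pfx -nodes -out key.pem` followed by
# `openssl rsa -in key.pem`: one parse yields the unencrypted private key, the leaf
# certificate and any chain certificates as separate PEM strings.
def unpack_pkcs12(der, password)
  p12 = OpenSSL::PKCS12.new(der, password)
  {
    key_pem:  p12.key.to_pem,
    cert_pem: p12.certificate.to_pem,
    ca_pems:  (p12.ca_certs || []).map(&:to_pem),
  }
end

# A wrong import password must fail closed on the PKCS#12 MAC, never return garbage.
def wrong_password_rejected?(der, password)
  OpenSSL::PKCS12.new(der, password)
  false
rescue OpenSSL::PKCS12::PKCS12Error
  true
end

# The check behind "compare JKS keystore to PEM file": the extracted private key must be
# the one the certificate was issued for. Both sides serialise to SubjectPublicKeyInfo DER.
def key_matches_cert?(key_pem, cert_pem)
  key  = OpenSSL::PKey.read(key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  cert.public_key.to_der == key.public_key.to_der
end

# Net::HTTP set up the way a "type 3" site needs: present the client certificate and
# key, and verify the server against a trust store we control (the analogue of the jks
# truststore for type 1/2 sites). The answer to a type 2 warning is to pin the server
# certificate like this, never VERIFY_NONE. Nothing connects here; the caller does
# http.start later.
def client_http_for(host, key_pem, cert_pem, trusted_server_cert_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(trusted_server_cert_pem))
  http = Net::HTTP.new(host, 443)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store  = store
  http.cert        = OpenSSL::X509::Certificate.new(cert_pem)
  http.key         = OpenSSL::PKey.read(key_pem)
  http
end
```

If a PKCS#12 written by a current OpenSSL (AES-256 with PBKDF2) is refused by an old keytool or IIS, regenerate it with `openssl pkcs12 -export -legacy` on OpenSSL 3 so the older RC2/3DES algorithms are used; the parsing side above accepts either.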
========================================
In a TLS/SSL connection, a public key is supplied as part of a certificate that is used to authenticate one party - the certificate ties an identity to a particular public key. The server side always supplies a certificate (public key), because the server side must always prove its identity to the client.
It is also possible for the client to supply a certificate, if it wants to prove its identity (and it has a suitable certificate) - in your web browser example, it's usually the case that a client certificate isn't supplied, but it is possible. Some web sites do use client certificates for authentication.
If a public key is used, the corresponding private key must be used too - the keys come as a pair. The corresponding function to supply the public key is SSL_CTX_use_certificate() - the public key is part of the certificate. Supplying one without the other is pointless - in your client example, you could have omitted the call to SSL_CTX_use_PrivateKey_file() entirely.
===================================
=>Using Net::HTTP to proxy HTTPS
As far as I can tell from my experimenting, there is no way to proxy HTTPS requests using the Net::HTTP classes. My question is: can it be done? And if so, how? I've tried numerous variations, but the main gist of what I've tried is this code fragment: httpobj = Net::HTTP.new( host, port )
=>Using Net::HTTP to prod google adwords api
Hi, I've been trying to use Net::HTTP with a SOAP (xml) document to query the google adwords api. The reason for wanting to do this is that I've stumbled across a problem with one of the methods when using adwords4r. I wanted to eliminate adwords4r and soap4r from the equation, hence trying to