lilongen · February 20, 2019 01:43
diff --git a/x509.openssl.keytool.usage b/x509.openssl.keytool.usage
 https://www.jianshu.com/p/e5f46dcf4664
 https://blog.csdn.net/sayyy/article/details/78351512

 openssl pkcs12 -export -in uydc-101.crt -inkey uydc-101.key -out uydc-101.p12 \
  -name uydc-101 -CAfile yxt-ca.crt -caname yxtca -passout pass:123456

 openssl pkcs12 -in ydc.p12 -password file:pass -passin file:pass -nokeys
 openssl pkcs12 -in ydc.p12 -password file:pass -passin file:pass -nokeys -

 keytool -importkeystore -deststorepass 123456 -destkeypass 123456 \ 
  -destkeystore uydc-101.jks -srckeystore uydc-101.pkcs12 \
  -srcstoretype PKCS12 -srcstorepass 123456 -alias uydc-101

 openssl pkcs12 -info -in uydc-101.pkcs12 -passin pass:123456
 
 keytool example
 Create keystore and certificate
 keytool \
 -genkeypair \
 -alias uydc-102.hbase.thrift \
 -keyalg RSA \
 -keysize 2048 \
 -keypass 123456 \
 -sigalg SHA256withRSA \
 -dname "CN=uydc-102,OU=data,O=yxt,L=SuZhou,ST=JiangSu,C=CN" \
 -validity 3650 \
 -keystore uydc-102_keystore.jks \
 -storetype JKS \
 -storepass 123456


 Generate CSR - Certificate Signing Request
 keytool \
 -certreq \
 -alias uydc-102.hbase.thrift \
 -keyalg RSA \
 -keypass 123456 \
 -keystore uydc-102_keystore.jks \
 -storetype JKS \
 -storepass 123456 \
 -file uydc-102.hbase.thrift.csr


 Import Certificate Sign Authority ROOT Certificate
 keytool \
 -import \
 -trustcacerts \
 -alias ca_root_GlobalSign \
 -keypass 123456 \
 -keystore uydc-102_keystore.jks \
 -storepass 123456 \
 -file GlobalSign_cert.cer

 Import Signed Certificate base on above CSR
 keytool \
 -import \
 -trustcacerts \
 -alias uydc-102.hbase.thrift \
 -keypass 123456 \
 -keystore uydc-102_keystore.jks \
 -storepass 123456 \
 -file uydc-102.hbase.thrift.cer

 openssl example
 自签名：
 # 1.生成私钥
 $ openssl genrsa -out server.key 2048

 # 2.生成 CSR (Certificate Signing Request)
 $ openssl req -subj "/C=CN/ST=Tianjin/L=Tianjin/O=Mocha/OU=Mocha Software/CN=test1.sslpoc.com/[email protected]" -new -key server.key -out server.csr

 # 3.生成自签名证书
 $ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

 私有 CA 签名：
 # 1.创建 CA 私钥
 $ openssl genrsa -out ca.key 2048

 # 2.生成 CA 的自签名证书
 $ openssl req -subj "/C=CN/ST=Tianjin/L=Tianjin/O=Mocha/OU=Mocha Software/CN=Server CA/[email protected]" -new -x509 -days 3650 -key ca.key -out ca.crt

 # 3.生成需要颁发证书的私钥
 $ openssl genrsa -out server.key 2048

 # 4.生成要颁发证书的证书签名请求，证书签名请求当中的 Common Name 必须区别于 CA 的证书里面的 Common Name
 $ openssl req -subj "/C=CN/ST=Tianjin/L=Tianjin/O=Mocha/OU=Mocha Software/CN=test2.sslpoc.com/[email protected]" -new -key server.key -out server.csr

 # 5.用 2 创建的 CA 证书给 4 生成的 签名请求 进行签名
 $ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt


 指定证书 distinguish name 
 -subj /C=CN/ST=Guangdong/L=Shenzhen/O=PAX/OU=Common Software/CN=Server CA/[email protected]
	https://www.jianshu.com/p/e5f46dcf4664
	https://blog.csdn.net/sayyy/article/details/78351512

	openssl pkcs12 -export -in uydc-101.crt -inkey uydc-101.key -out uydc-101.p12 \
	-name uydc-101 -CAfile yxt-ca.crt -caname yxtca -passout pass:123456

	openssl pkcs12 -in ydc.p12 -password file:pass -passin file:pass -nokeys
	openssl pkcs12 -in ydc.p12 -password file:pass -passin file:pass -nokeys -

	keytool -importkeystore -deststorepass 123456 -destkeypass 123456 \
	-destkeystore uydc-101.jks -srckeystore uydc-101.pkcs12 \
	-srcstoretype PKCS12 -srcstorepass 123456 -alias uydc-101

	openssl pkcs12 -info -in uydc-101.pkcs12 -passin pass:123456

	keytool example
	Create keystore and certificate
	keytool \
	-genkeypair \
	-alias uydc-102.hbase.thrift \
	-keyalg RSA \
	-keysize 2048 \
	-keypass 123456 \
	-sigalg SHA256withRSA \
	-dname "CN=uydc-102,OU=data,O=yxt,L=SuZhou,ST=JiangSu,C=CN" \
	-validity 3650 \
	-keystore uydc-102_keystore.jks \
	-storetype JKS \
	-storepass 123456


	Generate CSR - Certificate Signing Request
	keytool \
	-certreq \
	-alias uydc-102.hbase.thrift \
	-keyalg RSA \
	-keypass 123456 \
	-keystore uydc-102_keystore.jks \
	-storetype JKS \
	-storepass 123456 \
	-file uydc-102.hbase.thrift.csr


	Import Certificate Sign Authority ROOT Certificate
	keytool \
	-import \
	-trustcacerts \
	-alias ca_root_GlobalSign \
	-keypass 123456 \
	-keystore uydc-102_keystore.jks \
	-storepass 123456 \
	-file GlobalSign_cert.cer

	Import Signed Certificate base on above CSR
	keytool \
	-import \
	-trustcacerts \
	-alias uydc-102.hbase.thrift \
	-keypass 123456 \
	-keystore uydc-102_keystore.jks \
	-storepass 123456 \
	-file uydc-102.hbase.thrift.cer

	openssl example
	自签名：
	# 1.生成私钥
	$ openssl genrsa -out server.key 2048

	# 2.生成 CSR (Certificate Signing Request)
	$ openssl req -subj "/C=CN/ST=Tianjin/L=Tianjin/O=Mocha/OU=Mocha Software/CN=test1.sslpoc.com/[email protected]" -new -key server.key -out server.csr

	# 3.生成自签名证书
	$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

	私有 CA 签名：
	# 1.创建 CA 私钥
	$ openssl genrsa -out ca.key 2048

	# 2.生成 CA 的自签名证书
	$ openssl req -subj "/C=CN/ST=Tianjin/L=Tianjin/O=Mocha/OU=Mocha Software/CN=Server CA/[email protected]" -new -x509 -days 3650 -key ca.key -out ca.crt

	# 3.生成需要颁发证书的私钥
	$ openssl genrsa -out server.key 2048

	# 4.生成要颁发证书的证书签名请求，证书签名请求当中的 Common Name 必须区别于 CA 的证书里面的 Common Name
	$ openssl req -subj "/C=CN/ST=Tianjin/L=Tianjin/O=Mocha/OU=Mocha Software/CN=test2.sslpoc.com/[email protected]" -new -key server.key -out server.csr

	# 5.用 2 创建的 CA 证书给 4 生成的签名请求进行签名
	$ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt


	指定证书 distinguish name
	-subj /C=CN/ST=Guangdong/L=Shenzhen/O=PAX/OU=Common Software/CN=Server CA/[email protected]