
采用 Linux 自带的 OpenSSL 建立私有 CA(根 CA → 二级 CA GCSLevel2CA),并为 WebLogic/OTD 签发服务器证书,最后装入 Java Keystore。
登录 el01gbcn01,所有步骤在该主机上一次完成。下文提示符中 root(#)和 oracle($)混用,实际上没有一条命令需要 root 权限;建议全程使用 WebLogic 的安装用户(oracle),这样生成的 keystore 文件属主与 WebLogic 进程一致,也避免私钥以 root 身份散落在目录中。
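# Prepare the CA working directory.
#
# `umask 077` comes first: on OpenSSL 1.0.x the key files written by
# `openssl req -keyout` get the process umask, and the directory listing
# later in this document shows private/ as drwxrwxr-x and every file as
# -rw-rw-r--, i.e. group/world readable.  Tightening the umask before any
# key exists is simpler than chmod'ing afterwards.
#
# `command -v java` only confirms which JDK's keytool will be used later
# (the original used `which`, which is not a shell builtin).
command -v java
umask 077
mkdir -p -- sslcert/certs sslcert/private   # certs/: copies of issued certs; private/: CA keys
chmod 700 -- sslcert/private
cd sslcert || exit 1
printf '%s\n' 100001 > serial               # serial number of the next certificate `openssl ca` issues
: > certindex.txt                           # empty CA database (the `database` entry in openssl.cnf)
: > openssl.cnf                             # filled with the configuration pasted in below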

将以下文本(到 policy_anything 节结束为止)粘贴入 openssl.cnf:
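#
# OpenSSL configuration file for the private two-level CA
# (self-signed root -> GCSLevel2CA -> server certificates).
#
# Working directory: every path below is relative to the directory that
# holds serial, certindex.txt, certs/ and private/.
dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
# Root CA certificate and key; `openssl ca -cert/-keyfile` override these
# when the intermediate signs.
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
# SHA-1 signatures are rejected by current browsers and JDKs; sign with SHA-256.
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
# Extension section applied by `openssl ca` when -extensions is not given on
# the command line.  Without it the issued certificate is X.509 v1 (no
# basicConstraints, no subjectAltName) and clients that match the host name
# against the SAN will not accept it.  Override per request with
# -extensions <section> (the intermediate uses my_v3_ext).
x509_extensions = v3_server

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm
string_mask = nombstr # permitted characters (legacy value kept for old OpenSSL; utf8only on current releases)
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP,or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# C, ST and O must be identical for every certificate signed under
# policy_match (see above), so set them once here.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
organizationalUnitName_default = My Org
emailAddress_default = demo@sample.com
localityName_default = My Town
stateOrProvinceName_default = My Providence
countryName_default = CN

[ v3_ca ]
# Self-signed root CA: must be allowed to sign certificates and CRLs.
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

[ my_v3_ext ]
# Intermediate CA (GCSLevel2CA).  pathlen:0 stops it from issuing further
# CA certificates - in this document it only signs end-entity certificates.
# keyUsage and the key identifiers are what RFC 5280 expects on a CA
# certificate; the original section carried only "CA:true".
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer

[ v3_server ]
# End-entity TLS server certificate (WebLogic / OTD VIP).  Modern clients
# match the host name against subjectAltName, not CN; the CSR produced by
# keytool carries no SAN and `openssl ca` does not copy request extensions
# here anyway, so the SAN has to be set on the CA side.  Edit the DNS list
# for every certificate you issue with this section.
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:*.guilinbank.com.cn

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional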
生成自签名根 CA 证书,有效期 10 年(根 CA 私钥 private/cakey.pem 是整个体系的信任根,签完二级 CA 后应离线保存,权限 600):
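# Self-signed root CA certificate, valid 10 years.
# -sha256 overrides a sha1 default_md in openssl.cnf so the root is not
# SHA-1 signed.  The key goes to private/cakey.pem, encrypted with the
# passphrase prompted for; the DN prompts use the *_default values from
# openssl.cnf.
openssl req -new -x509 -sha256 -extensions v3_ca \
  -keyout private/cakey.pem -out cacert.pem \
  -days 3650 -config ./openssl.cnf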
此处提示输入的是根 CA 私钥的保护口令(本文示例为 password1;生产环境必须换成强口令,并且不要把口令写进脚本或命令行)。
输入 DN 信息如下(注意 C、ST、O 三项要与后面二级 CA 请求中的取值一致,否则 openssl ca 在 policy_match 策略下会拒绝签发):

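# Key pair and CSR for the intermediate CA.
# Dropped from the original: -days (ignored by `req -new`, it only applies
# together with -x509), -pubkey (merely appended the public key to the
# request file) and -nodes (the intermediate key was written unencrypted;
# it should be passphrase-protected like the root key - `openssl ca
# -keyfile` prompts for the passphrase when it signs).
openssl req -new -out GCSLevel2CA-req.pem \
  -keyout private/GCSLevel2CA-key.pem \
  -config ./openssl.cnf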

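# Sign the intermediate CSR with the root (cacert.pem / private/cakey.pem
# from CA_default).  -extensions my_v3_ext marks the result CA:TRUE; -md
# sha256 overrides a sha1 default_md.  Prompts for the root key passphrase
# and for confirmation; -infiles must stay the last option.
openssl ca -md sha256 -extensions my_v3_ext -out GCSLevel2CA-cert.pem \
  -days 3650 -config ./openssl.cnf -infiles GCSLevel2CA-req.pem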

为 *.guilinbank.com.cn 签发通配符证书,可用于 WebLogic、OTD VIP 等。注意:通配符只匹配一级子域(a.guilinbank.com.cn 匹配,a.b.guilinbank.com.cn 和 guilinbank.com.cn 不匹配);现代客户端按 subjectAltName 而非 CN 校验主机名,而 keytool 生成的请求文件不带 SAN,因此 SAN 必须由签发 CA 一侧的扩展配置补上,否则浏览器会报主机名不匹配。
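# RSA-2048 key pair plus CSR in a JKS for WebLogic.
# -keypass/-storepass are no longer passed on the command line: argv is
# visible to every user via `ps` and ends up in shell history.  keytool
# prompts for both instead (RETURN at the key-password prompt reuses the
# store password).  For unattended runs JDK 7 keytool documents
# -storepass:env VAR / -storepass:file PATH - confirm with `keytool -help`
# on the target JDK.  -genkeypair is the current name of the -genkey alias.
# The self-signed placeholder certificate is replaced by the CA reply below.
keytool -genkeypair -dname "cn=*.guilinbank.com.cn, ou=it, o=guilinbank, c=CN" \
  -keyalg RSA -keysize 2048 -alias mykey -keystore mykeystore.jks -validity 3650
keytool -certreq -alias mykey -file mykey-req.pem -storetype JKS \
  -keystore mykeystore.jks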

用ll察看一下当前目录,已经有的文件比如
total 48
-rw-rw-r-- 1 oracle oracle 954 Sep 27 22:04 mykey-req.pem <-- 应用证书请求文件
-rw-rw-r-- 1 oracle oracle 1606 Sep 27 21:59 cacert.pem <-- 根证书
-rw-rw-r-- 1 oracle oracle 82 Sep 27 22:02 certindex.txt
-rw-rw-r-- 1 oracle oracle 21 Sep 27 22:02 certindex.txt.attr
-rw-rw-r-- 1 oracle oracle 0 Sep 27 21:57 certindex.txt.old
drwxrwxr-x 2 oracle oracle 4096 Sep 27 22:02 certs
-rw-rw-r-- 1 oracle oracle 4055 Sep 27 22:02 GCSLevel2CA-cert.pem <-- 二级证书
-rw-rw-r-- 1 oracle oracle 1582 Sep 27 22:02 GCSLevel2CA-req.pem <-- 二级证书请求文件
-rw-rw-r-- 1 oracle oracle 2117 Sep 27 22:04 mykeystore.jks <-- Java Keystore(含服务器私钥,此处权限过宽,应 chmod 600)
-rw-rw-r-- 1 oracle oracle 3057 Sep 27 21:58 openssl.cnf <-- OpenSSL 配置文件
drwxrwxr-x 2 oracle oracle 4096 Sep 27 22:01 private <-- CA 私钥目录(此处权限过宽:应 chmod 700 private && chmod 600 private/*,或在建目录前先 umask 077)
-rw-rw-r-- 1 oracle oracle 7 Sep 27 22:02 serial
-rw-rw-r-- 1 oracle oracle 7 Sep 27 21:57 serial.old
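# Issue the server certificate with the intermediate, not the root:
# -keyfile/-cert override private_key/certificate from CA_default (the
# serial and database files are still shared with the root).
# -policy policy_anything is required because the keystore DN has no ST,
# which policy_match would reject against the issuer DN.  -md sha256
# overrides a sha1 default_md.
# NOTE(review): 10 years is far beyond what browsers accept for server
# certificates (some platforms cap validity at 825 days even under a
# private CA) - shorten -days for anything a browser will connect to.
openssl ca -md sha256 -policy policy_anything \
  -keyfile private/GCSLevel2CA-key.pem -cert GCSLevel2CA-cert.pem \
  -days 3650 -config ./openssl.cnf -out mykey.pem -infiles mykey-req.pem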

# Bundle server certificate + intermediate + root into a single PKCS#7 so
# keytool can import the whole chain as the reply for alias mykey.
openssl crl2pkcs7 -nocrl \
  -certfile mykey.pem \
  -certfile GCSLevel2CA-cert.pem \
  -certfile cacert.pem \
  -outform PEM -out mykey.p7b

# Install the CA reply (full chain from mykey.p7b) onto the existing key
# entry; -importcert is the long name of -import.  keytool prompts for the
# keystore password and, if the root is not already trusted, asks whether
# to accept it.
keytool -importcert -alias mykey -file mykey.p7b -keystore mykeystore.jks

[root@el01gbcn01 sslcert]# keytool -list -v -keystore mykeystore.jks    <-- 口令交互输入,不要放在命令行上
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry
Alias name: mykey
Creation date: Jul 14, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 3 <-- 必须为 3(服务器证书 + 二级 CA + 根 CA);若仍为 1,说明 CA 回复没有导入成功
Certificate[1]:
Owner: CN=*.guilinbank.com.cn, OU=it, O=guilinbank, C=CN
Issuer: CN=guilinbankLevel2CA, OU=it, O=guilinbank, ST=guangxi, C=CN
Serial number: 100002
Valid from: Tue Jul 14 14:44:14 GMT 2015 until: Fri Jul 11 14:44:14 GMT 2025