Building your own HTTPS certificates
Last modified by Qiongpan Ke on 2024-06-04
Reference article: 《Nginx自建SSL证书部署HTTPS网站》 (Deploying an HTTPS site on Nginx with a self-built SSL certificate)
1. Generate an RSA private key
openssl genrsa -aes256 -out ca_rsa_private.key 4096
Output:
$ openssl genrsa -aes256 -out ca_rsa_private.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.........++++
....................................................................................................................................................................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for ca_rsa_private.key:
Verifying - Enter pass phrase for ca_rsa_private.key:
$ ls -ltr
total 4
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
2. Create a passphrase-less RSA private key
Compared with an RSA key that requires a passphrase, a passphrase-less key configured in the web container does not need the passphrase typed by hand at every start or configuration reload (some web containers instead let you put the key's passphrase directly in their configuration file).
openssl rsa -in ca_rsa_private.key -out ca_rsa_private_nopass.key
Output:
$ openssl rsa -in ca_rsa_private.key -out ca_rsa_private_nopass.key
Enter pass phrase for ca_rsa_private.key:
writing RSA key
$ ls -ltr
total 8
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
3. Export the public key corresponding to the RSA private key
openssl rsa -in ca_rsa_private_nopass.key -pubout -out ca_rsa_public.key
Output:
$ openssl rsa -in ca_rsa_private_nopass.key -pubout -out ca_rsa_public.key
writing RSA key
$ ls -ltr
total 12
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
4. Generate a certificate signing request for the CA root certificate
openssl req -new -subj "/C=US/ST=California/L=Los Angeles/O=example.com/OU=IANA/CN=Example.com's Root CA/emailAddress=iana@iana.org" -key ca_rsa_private_nopass.key -out ca.csr
Output:
$ openssl req -new -subj "/C=US/ST=California/L=Los Angeles/O=example.com/OU=IANA/CN=Example.com's Root CA/emailAddress=iana@iana.org" -key ca_rsa_private_nopass.key -out ca.csr
$ ls -ltr
total 16
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
5. Self-sign the CA root certificate signing request with the RSA private key
# openssl x509 -req -days $((365 * 100)) -sha256 -extensions v3_ca -in ca.csr -signkey ca_rsa_private_nopass.key -out ca.crt
#mkdir -p ./demoCA
#touch ./demoCA/index.txt
#openssl ca -days $((365 * 100)) -md sha256 -extensions v3_ca -selfsign -in ca.csr -keyfile ca_rsa_private_nopass.key -out ca.crt -outdir . -create_serial
openssl req -x509 -days $((365 * 100)) -sha256 -nodes -in ca.csr -key ca_rsa_private_nopass.key -out ca.crt
Output:
$ openssl req -x509 -days $((365 * 100)) -sha256 -nodes -in ca.csr -key ca_rsa_private_nopass.key -out ca.crt
$ ls -ltr
total 20
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
6. Generate the RSA key for the HTTPS server
openssl genrsa -aes256 -out https_rsa_private.key 4096
Output:
$ openssl genrsa -aes256 -out https_rsa_private.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
......................................++++
.............................++++
e is 65537 (0x010001)
Enter pass phrase for https_rsa_private.key:
Verifying - Enter pass phrase for https_rsa_private.key:
$ ls -ltr
total 24
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
7. Create a passphrase-less RSA private key
Compared with an RSA key that requires a passphrase, a passphrase-less key configured in the web container does not need the passphrase typed by hand at every start or configuration reload (some web containers instead let you put the key's passphrase directly in their configuration file).
openssl rsa -in https_rsa_private.key -out https_rsa_private_nopass.key
Output:
$ openssl rsa -in https_rsa_private.key -out https_rsa_private_nopass.key
Enter pass phrase for https_rsa_private.key:
writing RSA key
$ ls -ltr
total 28
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3247 Jul 7 05:15 https_rsa_private_nopass.key
8. Export the public key corresponding to the RSA private key
openssl rsa -in https_rsa_private_nopass.key -pubout -out https_rsa_public.key
Output:
$ openssl rsa -in https_rsa_private_nopass.key -pubout -out https_rsa_public.key
writing RSA key
$ ls -ltr
total 32
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3247 Jul 7 05:15 https_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:16 https_rsa_public.key
9. Generate an HTTPS certificate signing request
openssl req -new -subj "/C=US/ST=California/L=Los Angeles/O=example.com/OU=IANA/CN=*.example.com/emailAddress=iana@iana.org" -key https_rsa_private_nopass.key -out https.csr
Output:
$ openssl req -new -subj "/C=US/ST=California/L=Los Angeles/O=example.com/OU=IANA/CN=*.example.com/emailAddress=iana@iana.org" -key https_rsa_private_nopass.key -out https.csr
$ ls -ltr
total 36
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3247 Jul 7 05:15 https_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:16 https_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1756 Jul 7 05:16 https.csr
10. Issue the HTTPS certificate by signing its CSR with the CA root certificate
Do not make the validity period too long; no more than 2 years is recommended, otherwise some browsers, such as Safari and Chrome on iPhone, will not trust the certificate.
Also, since Chrome 58, Chrome no longer checks only whether the CommonName matches the domain or IP being visited; the subjectAltName extension must be configured as well.
# The first time the CA root is used to issue an HTTPS certificate, the ca.srl serial-number file is created at the same time.
# From the second time on, the previously created ca.srl serial-number file is referenced directly and its serial number is incremented.
openssl x509 -req -days $((356 * 2)) -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(
cat <<EOF
[v3_san]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com
EOF
)) -extensions v3_san -CA ca.crt -CAkey ca_rsa_private_nopass.key -$(if [ -f ca.srl ]; then echo CAserial ca.srl; else echo CAcreateserial; fi) -in https.csr -out https.crt
Output:
$ openssl x509 -req -days $((356 * 2)) -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(
> cat <<EOF
> [v3_san]
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1 = example.com
> DNS.2 = *.example.com
> EOF
> )) -extensions v3_san -CA ca.crt -CAkey ca_rsa_private_nopass.key -$(if [ -f ca.srl ]; then echo CAserial ca.srl; else echo CAcreateserial; fi) -in https.csr -out https.crt
Signature ok
subject=C = US, ST = California, L = Los Angeles, O = example.com, OU = IANA, CN = *.example.com, emailAddress = iana@iana.org
Getting CA Private Key
$ ls -ltr
total 40
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3247 Jul 7 05:15 https_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:16 https_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1756 Jul 7 05:16 https.csr
-rwxrwxrwx 1 stduser stduser 41 Jul 7 05:17 ca.srl
-rwxrwxrwx 1 stduser stduser 2106 Jul 7 05:17 https.crt
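Steps 1 to 10 above as one POSIX sh script, added here as an example; it is not code from the original post. It assumes openssl 1.1.1 or newer on PATH, and the directory names, subjects and host names in it are constructed. Beyond restating the steps it adds what a reviewer of this procedure would ask for: private keys are created under umask 077 (the listings above show them as -rwxrwxrwx, readable by every local user), the CA extensions are written out instead of taken from the installed openssl.cnf (the commented-out openssl x509 -req variant from step 5), the leaf certificate gets the extendedKeyUsage serverAuth entry that iOS 13 and macOS 10.15 require next to the subjectAltName from step 10, the validity is capped at Apple's 825-day limit for TLS server certificates, -CAserial and -CAcreateserial are passed together so the "does ca.srl exist yet" test is unnecessary, and the finished chain is checked with openssl verify and -checkhost, which the post never does.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a root CA and issues
# a server certificate with a subjectAltName, then verifies the result.
# Assumes openssl 1.1.1+ on PATH; paths, subjects and names are constructed.
set -eu

# Apple's limit for TLS server certificates, private roots included.
MAX_DAYS=825

# Explicit root extensions; the post takes these from openssl.cnf's v3_ca.
ca_extfile() {
    printf '%s\n' '[v3_ca]' \
        'basicConstraints = critical, CA:TRUE, pathlen:0' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid'
}

# san_extfile NAME... : the v3_san section of step 10 built from arguments.
# Dotted-quad arguments become IP entries, everything else a DNS entry
# (IPv6 is not handled). extendedKeyUsage serverAuth is added because Safari
# requires it on server certificates alongside the SAN.
san_extfile() {
    printf '%s\n' '[v3_san]' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' 'subjectAltName = @alt_names' '[alt_names]'
    dns=0; ip=0
    for name in "$@"; do
        case $name in
            *[!0-9.]*) dns=$((dns + 1)); printf 'DNS.%d = %s\n' "$dns" "$name" ;;
            *)         ip=$((ip + 1));   printf 'IP.%d = %s\n' "$ip" "$name" ;;
        esac
    done
}

# gen_key FILE : passphrase-less 4096-bit RSA key, readable only by its owner
# (steps 1-2 and 6-7 collapsed, since the encrypted copy is never used again).
gen_key() {
    old_umask=$(umask); umask 077
    openssl genrsa -out "$1" 4096 2>/dev/null
    umask "$old_umask"
}

# make_root_ca DIR SUBJECT DAYS : steps 1-5 (CSR, then self-sign with -signkey).
make_root_ca() {
    dir=$1; mkdir -p "$dir"
    gen_key "$dir/ca_rsa_private_nopass.key"
    ca_extfile > "$dir/ca_ext.cnf"
    openssl req -new -subj "$2" -key "$dir/ca_rsa_private_nopass.key" -out "$dir/ca.csr"
    openssl x509 -req -days "$3" -sha256 -in "$dir/ca.csr" \
        -signkey "$dir/ca_rsa_private_nopass.key" \
        -extfile "$dir/ca_ext.cnf" -extensions v3_ca -out "$dir/ca.crt"
}

# issue_leaf CADIR DIR DAYS NAME... : steps 6-10. Refuses a validity longer than
# MAX_DAYS. -CAserial with -CAcreateserial creates ca.srl on first use and
# increments it afterwards, so no shell test for the file is needed.
issue_leaf() {
    cadir=$1; dir=$2; days=$3; shift 3
    [ "$days" -le "$MAX_DAYS" ] || { echo "validity $days days exceeds $MAX_DAYS" >&2; return 1; }
    mkdir -p "$dir"
    gen_key "$dir/https_rsa_private_nopass.key"
    openssl req -new -subj "/CN=$1" -key "$dir/https_rsa_private_nopass.key" -out "$dir/https.csr"
    san_extfile "$@" > "$dir/https_ext.cnf"
    openssl x509 -req -days "$days" -sha256 -in "$dir/https.csr" \
        -CA "$cadir/ca.crt" -CAkey "$cadir/ca_rsa_private_nopass.key" \
        -CAserial "$cadir/ca.srl" -CAcreateserial \
        -extfile "$dir/https_ext.cnf" -extensions v3_san -out "$dir/https.crt"
}

# verify_leaf CACERT CERT HOST : build the chain to the root and match HOST
# against the certificate's names, the two checks a browser performs.
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 &&
        openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match'
}

# key_mode FILE : permission string; a protected key shows as -rw-------.
key_mode() { ls -l "$1" | cut -c1-10; }

if [ "${1:-}" = "demo" ]; then
    make_root_ca ./ca "/C=US/O=example.com/CN=Example.com's Root CA" 3650
    issue_leaf ./ca ./https 730 example.com '*.example.com' 192.0.2.10
    verify_leaf ./ca/ca.crt ./https/https.crt www.example.com && echo "chain and hostname OK"
fi
```

Run it as sh script.sh demo to produce ./ca and ./https; the functions can also be sourced and called one at a time. The p12 and jks packaging of steps 11 and 12 applies unchanged to ./https/https_rsa_private_nopass.key and ./https/https.crt.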
11. Package the private key and certificate into a p12 file
openssl pkcs12 -export -inkey https_rsa_private_nopass.key -in https.crt -out https.keystore.p12 -name https
Output:
$ openssl pkcs12 -export -inkey https_rsa_private_nopass.key -in https.crt -out https.keystore.p12 -name https
Enter Export Password:
Verifying - Enter Export Password:
$ ls -ltr
total 48
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3247 Jul 7 05:15 https_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:16 https_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1756 Jul 7 05:16 https.csr
-rwxrwxrwx 1 stduser stduser 41 Jul 7 05:17 ca.srl
-rwxrwxrwx 1 stduser stduser 2106 Jul 7 05:17 https.crt
-rwxrwxrwx 1 stduser stduser 4328 Jul 7 05:18 https.keystore.p12
12. Convert the p12 file to a jks file
keytool -importkeystore -srckeystore https.keystore.p12 -srcstoretype pkcs12 -destkeystore https.keystore.jks -deststoretype jks -v
Output:
$ keytool -importkeystore -srckeystore https.keystore.p12 -srcstoretype pkcs12 -destkeystore https.keystore.jks -deststoretype jks -v
Importing keystore https.keystore.p12 to https.keystore.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias https successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[Storing https.keystore.jks]
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore https.keystore.jks -destkeystore https.keystore.jks -deststoretype pkcs12".
$ ls -ltr
total 52
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3247 Jul 7 05:15 https_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:16 https_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1756 Jul 7 05:16 https.csr
-rwxrwxrwx 1 stduser stduser 41 Jul 7 05:17 ca.srl
-rwxrwxrwx 1 stduser stduser 2106 Jul 7 05:17 https.crt
-rwxrwxrwx 1 stduser stduser 4328 Jul 7 05:18 https.keystore.p12
-rwxrwxrwx 1 stduser stduser 4026 Jul 7 05:18 https.keystore.jks
13. Inspect the HTTPS certificate contents
openssl x509 -in ca.crt -noout -text
openssl x509 -in https.crt -noout -text
keytool -list -v -keystore https.keystore.p12
keytool -list -v -keystore https.keystore.jks
Output:
$ openssl x509 -in ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
13:33:c1:cb:4a:05:23:9b:c4:9a:95:68:fc:88:9e:40:12:68:e4:af
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, L = Los Angeles, O = example.com, OU = IANA, CN = Example.com's Root CA, emailAddress = iana@iana.org
Validity
Not Before: Jul 6 21:14:41 2023 GMT
Not After : Jun 12 21:14:41 2123 GMT
Subject: C = US, ST = California, L = Los Angeles, O = example.com, OU = IANA, CN = Example.com's Root CA, emailAddress = iana@iana.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:aa:d9:c7:6d:ec:ba:79:67:c9:69:41:b4:12:30:
eb:05:83:b2:cc:38:a9:76:c6:40:b3:61:28:40:00:
e7:81:18:fb:81:ec:7e:bb:4c:03:95:b4:16:1b:47:
eb:39:66:50:60:fa:d1:ab:25:b4:92:23:36:85:86:
6c:df:9b:ed:d1:fb:5a:4b:3f:79:b7:66:2e:4e:47:
d0:c8:16:1a:2b:d7:db:2a:db:80:55:7a:88:5f:f9:
45:91:87:29:3b:2a:e6:9b:90:d0:c6:58:b9:35:14:
10:2f:5b:42:c6:7b:2e:54:6d:53:7d:97:b8:7e:fb:
48:08:49:2f:e3:67:31:b8:fb:92:0f:63:88:4b:b3:
a4:3a:c5:0f:09:68:a9:bf:96:8c:64:b7:82:5e:88:
2d:4b:08:af:70:92:ec:e4:6b:0a:bb:36:29:6e:13:
55:0d:61:a7:bc:e1:0b:68:91:5e:52:71:b4:a6:b0:
d2:9d:a6:21:8e:b1:49:70:40:ac:32:ec:97:14:35:
a2:1b:43:e6:9c:cb:fa:0e:99:09:da:91:2a:96:9b:
fc:ad:69:f9:46:70:1e:23:74:07:ec:17:b9:09:dc:
55:f3:c0:1b:0e:bf:7c:c9:6b:10:b9:79:89:23:98:
26:63:35:14:09:dd:35:6e:84:a8:db:50:7d:f7:ad:
13:f4:a2:8f:7a:79:d7:e1:62:86:3e:bd:fb:68:d1:
c5:b2:bc:00:80:1b:7a:e9:c5:f8:75:d5:6a:e4:e2:
29:38:f1:7f:42:f6:4e:dd:44:df:04:ec:28:e6:40:
70:ee:85:6d:33:9a:8d:2f:fa:15:d2:21:88:89:86:
45:08:bb:fd:1e:37:6a:d5:07:b0:38:12:df:50:02:
50:53:ea:cc:76:e0:56:22:b8:e8:80:27:23:85:ea:
5d:57:e4:44:22:ed:86:5e:08:8a:6e:d2:55:ea:06:
f2:b5:84:26:de:b9:55:26:1d:15:58:84:5f:41:00:
60:43:3b:56:e2:2c:e0:31:cf:54:f2:dd:44:0c:c8:
62:49:4a:f3:e1:8e:c7:56:8b:cd:da:9e:b8:d7:ef:
1e:63:50:47:c5:59:93:71:76:d0:bc:c3:93:fe:fb:
39:3d:0c:bb:03:6c:2f:4c:0b:7a:ef:32:c8:18:c2:
c9:ad:10:a4:8b:5f:a4:23:ab:80:2f:66:fb:a1:41:
12:bc:15:2d:15:3d:1b:b7:9c:f9:22:cc:a6:11:06:
8b:43:f9:23:05:c7:c8:a6:79:12:c3:10:7f:9e:72:
ef:aa:99:67:7e:fc:e7:06:0d:38:0c:2c:f2:37:45:
1a:5b:e1:cb:7a:87:27:46:c7:44:b1:01:c7:51:8f:
4f:08:67
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
46:8E:37:91:A4:56:D5:63:C8:25:43:A0:E8:E1:16:66:3C:F0:22:E6
X509v3 Authority Key Identifier:
keyid:46:8E:37:91:A4:56:D5:63:C8:25:43:A0:E8:E1:16:66:3C:F0:22:E6
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
97:e7:45:3f:b7:59:34:e7:c6:22:fc:ba:4c:82:60:0e:8c:73:
b2:c9:31:bf:ea:ad:cc:70:79:eb:3b:31:bb:aa:73:f8:12:e8:
d8:37:8a:d3:b2:77:42:03:47:3f:23:8c:82:74:69:f8:ad:45:
08:60:cf:c3:90:67:9f:55:1f:b5:7a:aa:73:12:d6:73:97:65:
72:45:74:63:e3:23:5f:47:c9:b8:48:e2:d2:58:c7:f8:af:0e:
79:eb:ab:82:7a:17:f7:3b:62:60:82:7a:f9:32:23:f8:3f:1d:
24:80:92:47:80:a7:2f:ef:d2:eb:0b:7f:16:da:d1:7d:0e:6a:
be:28:7c:d2:85:48:83:f6:d8:87:35:3d:72:7c:36:ea:3e:31:
04:81:ae:3a:97:56:c9:95:d6:b6:8f:16:3e:fb:94:35:ee:dc:
7a:c6:85:ef:67:0b:31:bc:c3:e0:d8:2f:d2:93:93:0d:b1:61:
c4:92:0a:c1:f4:13:df:8b:b4:70:e0:74:7c:c5:56:cc:82:1d:
db:02:0c:2b:ca:61:af:3a:51:b1:be:a9:0c:b8:44:22:6d:69:
97:82:01:c9:0f:d8:90:8f:aa:1d:f4:cc:a8:72:0f:03:8d:d7:
e3:32:22:1b:60:99:84:25:b3:10:7a:a8:99:5c:c7:c4:f5:4a:
94:47:37:21:bb:39:f2:ff:f1:f8:c2:59:92:44:58:e4:d5:2e:
df:d4:13:2f:58:9e:87:d5:4f:92:a8:bd:de:11:c1:97:97:0b:
08:04:b2:9d:83:77:19:6f:ee:6a:c2:e3:59:92:d4:3a:c1:f0:
46:06:14:45:e8:eb:de:47:26:4a:e3:54:aa:12:ca:34:63:d2:
ab:ab:3f:b4:c8:84:b9:47:d4:b1:e7:c5:83:37:0f:97:18:42:
29:a6:db:df:97:da:02:8e:01:f1:43:1a:c5:a5:41:b4:4e:a0:
15:ae:08:d7:07:e6:cb:6c:43:a6:9c:0f:9c:0f:f8:ff:07:e3:
15:5e:cf:92:04:f9:9c:cc:9d:c3:ff:62:f2:31:ae:fb:2a:10:
41:70:d7:74:1c:d0:5e:08:5e:12:e8:82:2a:8e:78:51:61:e6:
e7:76:de:37:2a:89:fc:6f:a2:91:13:47:ee:bc:52:7f:2e:e5:
b0:c1:99:4d:52:47:7d:19:74:de:b9:6b:8e:4e:7a:c1:80:e7:
90:0a:d5:fc:e7:2d:fd:d7:76:83:66:0a:d3:a2:08:c5:33:87:
8f:91:ef:cf:70:06:4c:c0:90:b5:9f:84:00:ee:02:c0:06:da:
ff:16:59:d8:0d:cd:fb:8d:6f:41:74:29:02:81:4e:65:86:1e:
64:23:c5:07:84:ee:f1:dd
$ openssl x509 -in https.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:7b:a6:5b:70:e6:ab:18:82:fb:20:5c:50:63:43:e7:dc:fd:b5:ee
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, L = Los Angeles, O = example.com, OU = IANA, CN = Example.com's Root CA, emailAddress = iana@iana.org
Validity
Not Before: Jul 6 21:17:44 2023 GMT
Not After : Jun 17 21:17:44 2025 GMT
Subject: C = US, ST = California, L = Los Angeles, O = example.com, OU = IANA, CN = *.example.com, emailAddress = iana@iana.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:d3:86:0e:43:53:f0:af:db:7b:a6:51:b9:13:0d:
49:ec:b9:a7:da:10:8b:81:38:76:c0:a4:b2:8e:1d:
3e:71:45:8b:97:45:d5:20:40:d6:39:47:2b:14:cc:
f4:d0:c1:82:ea:27:b9:cb:b9:4e:3d:8e:52:74:74:
e1:2b:72:87:1f:a7:7f:ad:37:84:ed:63:8f:31:9d:
19:6a:a9:f4:88:b2:64:d8:39:6e:31:b6:d1:12:fe:
84:95:15:ac:f1:66:11:50:42:9b:fc:c4:fe:10:7c:
b9:c8:a2:80:23:7b:8a:81:8a:65:c2:cd:cf:e1:fe:
e6:84:4f:92:0a:45:65:81:f4:c1:c4:37:29:aa:76:
30:9f:af:38:04:57:95:ca:38:e4:ba:3e:10:c3:e7:
26:63:f7:25:fb:f1:8d:17:4d:80:63:46:b0:bb:da:
e4:ec:3a:70:4d:fe:da:62:27:24:36:bf:9d:19:d7:
cf:85:61:ac:e2:2e:c5:14:36:22:89:06:a5:96:d2:
3b:7c:a4:d2:76:fb:bb:40:09:d5:43:95:1a:1f:58:
63:a1:3a:d7:13:de:80:71:ff:ae:a3:45:fe:76:74:
5a:67:95:c3:ce:20:a5:46:eb:cc:0f:ab:14:54:3e:
16:4f:b1:ea:a3:72:b3:80:9a:da:bf:47:f3:30:a7:
2d:66:40:6f:9a:cd:3a:0b:59:2d:c0:40:8f:1c:f3:
b5:45:63:02:c5:6f:b0:d9:0f:ee:97:a0:ca:60:3b:
de:75:0b:03:91:f3:79:77:57:30:07:d7:de:d6:52:
8e:d5:20:17:00:79:0c:16:37:24:2c:0a:17:5e:b4:
a7:0a:67:7a:82:3e:07:76:0a:30:91:cf:cf:2e:be:
59:cf:a5:85:8e:2a:d2:46:ef:62:97:f2:08:b9:c8:
2a:ce:62:2f:39:67:24:65:6e:fa:9f:3c:4b:76:34:
53:15:87:c4:f0:51:ce:3f:de:47:e2:60:48:17:62:
0f:0e:77:bf:ec:77:c7:e2:26:ae:1e:bc:b1:79:44:
4c:50:81:98:43:9e:18:09:af:5c:41:a3:03:28:f8:
7c:41:82:72:d0:c8:08:2e:29:81:06:10:fd:7c:67:
8d:fa:c1:ce:f8:95:90:32:45:11:32:91:45:66:75:
4e:97:09:6e:fd:82:bc:a9:03:90:ab:12:44:4d:46:
37:61:89:0e:b7:56:4a:f2:91:01:e2:3a:1b:41:48:
07:29:95:e1:4f:d8:0b:57:69:bc:7f:1a:f9:5e:51:
28:83:1e:c3:86:96:69:b1:1b:b3:e9:27:09:fd:46:
ef:5b:32:21:55:0b:c1:49:76:a9:65:02:bd:4a:26:
89:5f:f9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:*.example.com
Signature Algorithm: sha256WithRSAEncryption
7c:27:ba:df:25:e0:cf:96:ea:ae:e1:03:d7:f5:19:c2:96:11:
51:c9:ee:df:c9:65:2f:27:22:fd:0c:84:87:ba:a4:f3:32:ac:
29:87:2e:a8:8c:a9:ac:46:a5:2c:fb:60:54:51:b6:b8:8e:9a:
b5:00:b5:7d:ef:86:30:2d:f6:f6:df:50:b4:16:f6:bf:ed:dc:
51:c4:20:80:1f:27:2e:83:72:0b:a6:df:0b:52:7a:62:6e:64:
d1:a0:aa:80:93:ab:4f:ab:06:ed:9a:a4:3f:29:dc:a3:6f:d1:
81:0d:77:81:9d:8f:a3:0b:0f:d0:1b:41:23:e9:fe:64:15:6d:
20:70:5a:50:b8:16:cd:06:e9:ee:c3:9a:9d:ea:77:86:09:e3:
4a:29:2b:42:c6:a8:32:82:1d:80:5e:7f:3d:68:c1:a8:c7:e2:
d5:ab:2d:c9:4c:0a:63:fd:28:31:b8:cb:88:02:37:b7:45:20:
f3:ac:24:15:65:fb:17:6e:82:ce:8b:bc:d9:ef:40:eb:70:fa:
5a:b4:35:e1:8a:6c:7e:33:0b:c1:23:2c:da:be:68:72:b1:a1:
44:43:6c:86:56:d0:9f:a6:cc:7f:d0:0e:b5:69:87:9e:d4:b4:
6a:ac:8a:0a:01:a3:93:17:e4:da:88:7d:0f:e4:b3:5f:2a:fa:
b6:f4:42:94:85:11:49:63:89:90:e8:eb:6a:e1:fa:fd:0d:02:
32:76:03:56:28:b3:b6:12:a5:e3:16:65:bb:56:fe:62:ea:c9:
3c:57:df:a3:c7:a6:bf:34:fb:d1:dd:a2:01:97:8b:ab:bd:eb:
fe:e6:50:cd:6e:14:f6:c8:1c:a0:d4:ba:ae:77:a6:2d:14:af:
53:94:4f:45:9a:23:9c:5e:45:3c:1c:b1:1a:18:9d:45:b5:dc:
31:e2:f8:4b:94:e7:05:cf:9d:d4:50:52:74:bc:96:6c:43:03:
be:d1:77:87:cd:d4:76:fe:0b:bd:a1:33:ed:39:0d:6b:96:2e:
a2:5a:58:36:b4:bf:5a:8b:3f:27:cf:0d:74:69:1a:eb:3b:c9:
63:ea:0a:7a:00:e1:4d:f7:e6:33:9e:f9:88:e1:3b:66:35:54:
c3:39:12:c8:ba:65:97:cc:83:a8:03:c8:1c:24:a3:29:5e:9d:
dd:dc:8d:bf:b1:f8:a2:1a:02:2c:51:b1:64:cb:c9:57:9e:de:
ae:34:bc:2e:ae:86:14:5d:0d:75:f5:04:38:d4:dd:b8:75:7b:
8f:2f:1d:46:11:2a:62:77:d3:d8:d0:0b:d4:2b:6c:10:10:97:
93:a0:da:53:5c:9a:b0:77:b8:a9:ca:7e:ce:6d:a2:72:5e:ee:
39:fc:e2:f7:dd:a1:dc:12
$ keytool -list -v -keystore https.keystore.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: https
Creation date: Jul 7, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=iana@iana.org, CN=*.example.com, OU=IANA, O=example.com, L=Los Angeles, ST=California, C=US
Issuer: EMAILADDRESS=iana@iana.org, CN=Example.com's Root CA, OU=IANA, O=example.com, L=Los Angeles, ST=California, C=US
Serial number: c7ba65b70e6ab1882fb205c506343e7dcfdb5ee
Valid from: Fri Jul 07 05:17:44 CST 2023 until: Wed Jun 18 05:17:44 CST 2025
Certificate fingerprints:
SHA1: FA:10:E7:11:4F:47:5E:1A:93:E1:DC:EE:AE:53:DF:4D:91:C4:3B:34
SHA256: 19:41:78:84:25:D3:25:EE:D1:0F:BA:11:34:6A:70:EA:70:A9:CC:1B:CD:A0:96:0C:F0:71:8D:BA:13:3E:59:C6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: example.com
DNSName: *.example.com
]
*******************************************
*******************************************
$ keytool -list -v -keystore https.keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: https
Creation date: Jul 7, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=iana@iana.org, CN=*.example.com, OU=IANA, O=example.com, L=Los Angeles, ST=California, C=US
Issuer: EMAILADDRESS=iana@iana.org, CN=Example.com's Root CA, OU=IANA, O=example.com, L=Los Angeles, ST=California, C=US
Serial number: c7ba65b70e6ab1882fb205c506343e7dcfdb5ee
Valid from: Fri Jul 07 05:17:44 CST 2023 until: Wed Jun 18 05:17:44 CST 2025
Certificate fingerprints:
SHA1: FA:10:E7:11:4F:47:5E:1A:93:E1:DC:EE:AE:53:DF:4D:91:C4:3B:34
SHA256: 19:41:78:84:25:D3:25:EE:D1:0F:BA:11:34:6A:70:EA:70:A9:CC:1B:CD:A0:96:0C:F0:71:8D:BA:13:3E:59:C6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: example.com
DNSName: *.example.com
]
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore https.keystore.jks -destkeystore https.keystore.jks -deststoretype pkcs12".
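A check over the text output of step 13, added here as an example and not part of the original post: it pulls the validity period, the presence of subjectAltName and the CA:TRUE flag out of openssl x509 -noout -text output with awk and reports the conditions that steps 10 and 13 are about, which is what a practitioner wants before handing a certificate to a web container. The two sample dumps are constructed, abbreviated to the relevant lines of the ca.crt and https.crt dumps above; the 825-day figure is Apple's limit for TLS server certificates, which is stricter than the 2 years step 10 recommends.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `openssl x509 -noout -text`
# output on stdin, as printed in step 13, and reports the properties that
# decide whether a browser will accept the certificate.

# cert_facts < TEXT : prints "VALIDITY_DAYS SAN CA" on one line, SAN and CA
# being 1 or 0. Dates are converted to Julian day numbers, so the count is
# exact across leap years (the 712 days of step 10 come out as 712).
cert_facts() {
    awk '
    function jdn(d,    m, y, a, mm, yy) {
        # d[1] = month name, d[2] = day, d[3] = time, d[4] = year
        for (m = 1; m <= 12; m++) if (MON[m] == d[1]) break
        y = d[4]; a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        return d[2] + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", MON, " "); san = 0; ca = 0 }
    /Not Before:/ { sub(/.*Not Before: */, ""); split($0, nb, " ") }
    /Not After :/ { sub(/.*Not After : */, ""); split($0, na, " ") }
    /Subject Alternative Name/ { san = 1 }
    /CA:TRUE/ { ca = 1 }
    END { printf "%d %d %d\n", jdn(na) - jdn(nb), san, ca }'
}

# lint_cert_text < TEXT : one line per finding, exit status 0 when clean.
lint_cert_text() {
    set -- $(cert_facts)
    status=0
    [ "$2" -eq 1 ] || { echo "no subjectAltName: Chrome 58+ does not fall back to CommonName"; status=1; }
    [ "$3" -eq 0 ] || { echo "CA:TRUE: this is a CA certificate, not a server certificate"; status=1; }
    [ "$1" -le 825 ] || { echo "validity of $1 days exceeds the 825-day limit for server certificates"; status=1; }
    return $status
}

# Constructed sample: the relevant lines of the ca.crt dump from step 13.
sample_ca_dump() {
cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = US, O = example.com, CN = Example.com's Root CA
        Validity
            Not Before: Jul  6 21:14:41 2023 GMT
            Not After : Jun 12 21:14:41 2123 GMT
        Subject: C = US, O = example.com, CN = Example.com's Root CA
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
EOF
}

# Constructed sample: the relevant lines of the https.crt dump from step 13.
sample_leaf_dump() {
cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = US, O = example.com, CN = Example.com's Root CA
        Validity
            Not Before: Jul  6 21:17:44 2023 GMT
            Not After : Jun 17 21:17:44 2025 GMT
        Subject: C = US, O = example.com, CN = *.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com
EOF
}

if [ "${1:-}" = "demo" ]; then
    echo "ca.crt:";    sample_ca_dump   | lint_cert_text || true
    echo "https.crt:"; sample_leaf_dump | lint_cert_text && echo "  no findings"
fi
```

On a real file run openssl x509 -in https.crt -noout -text | lint_cert_text; the ca.crt sample is expected to fail all three checks, which is correct, since a root certificate is not what the web container should serve.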
64:23:c5:07:84:ee:f1:dd
$ openssl x509 -in https.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:7b:a6:5b:70:e6:ab:18:82:fb:20:5c:50:63:43:e7:dc:fd:b5:ee
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, L = Los Angeles, O = example.com, OU = IANA, CN = Example.com's Root CA, emailAddress = iana@iana.org
Validity
Not Before: Jul 6 21:17:44 2023 GMT
Not After : Jun 17 21:17:44 2025 GMT
Subject: C = US, ST = California, L = Los Angeles, O = example.com, OU = IANA, CN = *.example.com, emailAddress = iana@iana.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:d3:86:0e:43:53:f0:af:db:7b:a6:51:b9:13:0d:
49:ec:b9:a7:da:10:8b:81:38:76:c0:a4:b2:8e:1d:
3e:71:45:8b:97:45:d5:20:40:d6:39:47:2b:14:cc:
f4:d0:c1:82:ea:27:b9:cb:b9:4e:3d:8e:52:74:74:
e1:2b:72:87:1f:a7:7f:ad:37:84:ed:63:8f:31:9d:
19:6a:a9:f4:88:b2:64:d8:39:6e:31:b6:d1:12:fe:
84:95:15:ac:f1:66:11:50:42:9b:fc:c4:fe:10:7c:
b9:c8:a2:80:23:7b:8a:81:8a:65:c2:cd:cf:e1:fe:
e6:84:4f:92:0a:45:65:81:f4:c1:c4:37:29:aa:76:
30:9f:af:38:04:57:95:ca:38:e4:ba:3e:10:c3:e7:
26:63:f7:25:fb:f1:8d:17:4d:80:63:46:b0:bb:da:
e4:ec:3a:70:4d:fe:da:62:27:24:36:bf:9d:19:d7:
cf:85:61:ac:e2:2e:c5:14:36:22:89:06:a5:96:d2:
3b:7c:a4:d2:76:fb:bb:40:09:d5:43:95:1a:1f:58:
63:a1:3a:d7:13:de:80:71:ff:ae:a3:45:fe:76:74:
5a:67:95:c3:ce:20:a5:46:eb:cc:0f:ab:14:54:3e:
16:4f:b1:ea:a3:72:b3:80:9a:da:bf:47:f3:30:a7:
2d:66:40:6f:9a:cd:3a:0b:59:2d:c0:40:8f:1c:f3:
b5:45:63:02:c5:6f:b0:d9:0f:ee:97:a0:ca:60:3b:
de:75:0b:03:91:f3:79:77:57:30:07:d7:de:d6:52:
8e:d5:20:17:00:79:0c:16:37:24:2c:0a:17:5e:b4:
a7:0a:67:7a:82:3e:07:76:0a:30:91:cf:cf:2e:be:
59:cf:a5:85:8e:2a:d2:46:ef:62:97:f2:08:b9:c8:
2a:ce:62:2f:39:67:24:65:6e:fa:9f:3c:4b:76:34:
53:15:87:c4:f0:51:ce:3f:de:47:e2:60:48:17:62:
0f:0e:77:bf:ec:77:c7:e2:26:ae:1e:bc:b1:79:44:
4c:50:81:98:43:9e:18:09:af:5c:41:a3:03:28:f8:
7c:41:82:72:d0:c8:08:2e:29:81:06:10:fd:7c:67:
8d:fa:c1:ce:f8:95:90:32:45:11:32:91:45:66:75:
4e:97:09:6e:fd:82:bc:a9:03:90:ab:12:44:4d:46:
37:61:89:0e:b7:56:4a:f2:91:01:e2:3a:1b:41:48:
07:29:95:e1:4f:d8:0b:57:69:bc:7f:1a:f9:5e:51:
28:83:1e:c3:86:96:69:b1:1b:b3:e9:27:09:fd:46:
ef:5b:32:21:55:0b:c1:49:76:a9:65:02:bd:4a:26:
89:5f:f9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:*.example.com
Signature Algorithm: sha256WithRSAEncryption
7c:27:ba:df:25:e0:cf:96:ea:ae:e1:03:d7:f5:19:c2:96:11:
51:c9:ee:df:c9:65:2f:27:22:fd:0c:84:87:ba:a4:f3:32:ac:
29:87:2e:a8:8c:a9:ac:46:a5:2c:fb:60:54:51:b6:b8:8e:9a:
b5:00:b5:7d:ef:86:30:2d:f6:f6:df:50:b4:16:f6:bf:ed:dc:
51:c4:20:80:1f:27:2e:83:72:0b:a6:df:0b:52:7a:62:6e:64:
d1:a0:aa:80:93:ab:4f:ab:06:ed:9a:a4:3f:29:dc:a3:6f:d1:
81:0d:77:81:9d:8f:a3:0b:0f:d0:1b:41:23:e9:fe:64:15:6d:
20:70:5a:50:b8:16:cd:06:e9:ee:c3:9a:9d:ea:77:86:09:e3:
4a:29:2b:42:c6:a8:32:82:1d:80:5e:7f:3d:68:c1:a8:c7:e2:
d5:ab:2d:c9:4c:0a:63:fd:28:31:b8:cb:88:02:37:b7:45:20:
f3:ac:24:15:65:fb:17:6e:82:ce:8b:bc:d9:ef:40:eb:70:fa:
5a:b4:35:e1:8a:6c:7e:33:0b:c1:23:2c:da:be:68:72:b1:a1:
44:43:6c:86:56:d0:9f:a6:cc:7f:d0:0e:b5:69:87:9e:d4:b4:
6a:ac:8a:0a:01:a3:93:17:e4:da:88:7d:0f:e4:b3:5f:2a:fa:
b6:f4:42:94:85:11:49:63:89:90:e8:eb:6a:e1:fa:fd:0d:02:
32:76:03:56:28:b3:b6:12:a5:e3:16:65:bb:56:fe:62:ea:c9:
3c:57:df:a3:c7:a6:bf:34:fb:d1:dd:a2:01:97:8b:ab:bd:eb:
fe:e6:50:cd:6e:14:f6:c8:1c:a0:d4:ba:ae:77:a6:2d:14:af:
53:94:4f:45:9a:23:9c:5e:45:3c:1c:b1:1a:18:9d:45:b5:dc:
31:e2:f8:4b:94:e7:05:cf:9d:d4:50:52:74:bc:96:6c:43:03:
be:d1:77:87:cd:d4:76:fe:0b:bd:a1:33:ed:39:0d:6b:96:2e:
a2:5a:58:36:b4:bf:5a:8b:3f:27:cf:0d:74:69:1a:eb:3b:c9:
63:ea:0a:7a:00:e1:4d:f7:e6:33:9e:f9:88:e1:3b:66:35:54:
c3:39:12:c8:ba:65:97:cc:83:a8:03:c8:1c:24:a3:29:5e:9d:
dd:dc:8d:bf:b1:f8:a2:1a:02:2c:51:b1:64:cb:c9:57:9e:de:
ae:34:bc:2e:ae:86:14:5d:0d:75:f5:04:38:d4:dd:b8:75:7b:
8f:2f:1d:46:11:2a:62:77:d3:d8:d0:0b:d4:2b:6c:10:10:97:
93:a0:da:53:5c:9a:b0:77:b8:a9:ca:7e:ce:6d:a2:72:5e:ee:
39:fc:e2:f7:dd:a1:dc:12
$ keytool -list -v -keystore https.keystore.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: https
Creation date: Jul 7, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=iana@iana.org, CN=*.example.com, OU=IANA, O=example.com, L=Los Angeles, ST=California, C=US
Issuer: EMAILADDRESS=iana@iana.org, CN=Example.com's Root CA, OU=IANA, O=example.com, L=Los Angeles, ST=California, C=US
Serial number: c7ba65b70e6ab1882fb205c506343e7dcfdb5ee
Valid from: Fri Jul 07 05:17:44 CST 2023 until: Wed Jun 18 05:17:44 CST 2025
Certificate fingerprints:
SHA1: FA:10:E7:11:4F:47:5E:1A:93:E1:DC:EE:AE:53:DF:4D:91:C4:3B:34
SHA256: 19:41:78:84:25:D3:25:EE:D1:0F:BA:11:34:6A:70:EA:70:A9:CC:1B:CD:A0:96:0C:F0:71:8D:BA:13:3E:59:C6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: example.com
DNSName: *.example.com
]
*******************************************
*******************************************
$ keytool -list -v -keystore https.keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: https
Creation date: Jul 7, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=iana@iana.org, CN=*.example.com, OU=IANA, O=example.com, L=Los Angeles, ST=California, C=US
Issuer: EMAILADDRESS=iana@iana.org, CN=Example.com's Root CA, OU=IANA, O=example.com, L=Los Angeles, ST=California, C=US
Serial number: c7ba65b70e6ab1882fb205c506343e7dcfdb5ee
Valid from: Fri Jul 07 05:17:44 CST 2023 until: Wed Jun 18 05:17:44 CST 2025
Certificate fingerprints:
SHA1: FA:10:E7:11:4F:47:5E:1A:93:E1:DC:EE:AE:53:DF:4D:91:C4:3B:34
SHA256: 19:41:78:84:25:D3:25:EE:D1:0F:BA:11:34:6A:70:EA:70:A9:CC:1B:CD:A0:96:0C:F0:71:8D:BA:13:3E:59:C6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: example.com
DNSName: *.example.com
]
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore https.keystore.jks -destkeystore https.keystore.jks -deststoretype pkcs12".
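Reading the two `openssl x509` dumps and the keystore listings above together, a few things stand out that a practitioner will want to check before deploying a self-built chain: the root carries `Basic Constraints: critical CA:TRUE` but no `Key Usage`, the leaf carries only a `Subject Alternative Name` (no `Basic Constraints`, no `Key Usage`, no `Extended Key Usage`, no `Authority Key Identifier`), and both keystores report `Certificate chain length: 1`, so the server will send only the leaf and clients must already trust the root. The script below is an added example, not code from the original page or its reference article: it rebuilds an equivalent root and `*.example.com` leaf in a temporary directory with those extensions filled in, then checks the result the way a client would, with `openssl verify` (chain, hostname matching, CA:FALSE on the leaf) and by counting the certificates in a PKCS#12 bundle that includes the root. The subject names mirror the page (the apostrophe in "Example.com's Root CA" is dropped because it would be eaten by the OpenSSL config parser), 2048-bit keys are used only to keep it fast, and the `changeit` PKCS#12 password and the `$WORK` paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: build a throwaway CA and leaf with the
# extensions the page's certificates omit, then verify them like a TLS client would.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA: CA:TRUE marked critical, and keyUsage must permit certificate signing.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
C  = US
ST = California
L  = Los Angeles
O  = example.com
OU = IANA
CN = Example.com Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf: explicitly not a CA, TLS-server key usage, SAN that browsers require.
cat > "$WORK/leaf.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
C  = US
ST = California
L  = Los Angeles
O  = example.com
OU = IANA
CN = *.example.com
[ v3_leaf ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:example.com, DNS:*.example.com
EOF

make_chain() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/leaf.cnf" -keyout "$WORK/https.key" -out "$WORK/https.csr" >/dev/null 2>&1
  # Extensions are applied at signing time via -extfile; x509 -req ignores CSR extensions by default.
  openssl x509 -req -sha256 -days 825 -in "$WORK/https.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/leaf.cnf" -extensions v3_leaf -out "$WORK/https.crt" >/dev/null 2>&1
}

# Bundle key + leaf + root into PKCS#12 (assumed password "changeit"); -certfile adds
# the root so the chain length is 2, unlike the single-entry keystore listed above.
make_p12() {
  openssl pkcs12 -export -name https -inkey "$WORK/https.key" -in "$WORK/https.crt" \
    -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/https.p12" >/dev/null 2>&1
}

# Prints ok/fail: does the leaf chain to our root when the root is trusted?
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/https.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Prints ok/fail: same leaf with no trusted root, i.e. what a client sees before the CA is installed.
verify_without_root() {
  if openssl verify -no-CAfile -no-CApath "$WORK/https.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Prints ok/fail for a hostname against the SAN; "*.example.com" matches exactly one label.
verify_host() {
  if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/https.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Prints yes/no: does the given certificate assert CA:TRUE?
is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# Number of certificates stored in the PKCS#12 bundle.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/https.p12" -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_chain
make_p12
echo "chain, root trusted:    $(verify_chain)"
echo "chain, root untrusted:  $(verify_without_root)"
echo "host www.example.com:   $(verify_host www.example.com)"
echo "host a.b.example.com:   $(verify_host a.b.example.com)"
echo "leaf asserts CA:        $(is_ca "$WORK/https.crt")"
echo "certs in PKCS#12:       $(p12_cert_count)"
```

Run it as a plain `sh` script with OpenSSL 1.1.1 or later on the path. The `verify_without_root` case is the one that matters for a self-built CA: the leaf is only valid for clients that have imported `ca.crt`, and adding the root to the PKCS#12 with `-certfile` does not change that, it merely lets the server present the full chain. Hostname checks are worth running for every name you intend to serve, since the wildcard in the SAN covers `www.example.com` but not `a.b.example.com`, and the bare `example.com` is only accepted because it is listed as its own `DNS:` entry.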