Building your own HTTPS certificates

Version 3.1, saved by user Qiongpan Ke on 2023-07-07

Reference article: [Nginx自建SSL证书部署HTTPS网站](https://www.cnblogs.com/panwenbin-logs/p/11850737.html) (Deploying an HTTPS site on Nginx with a self-built SSL certificate)

# 1. Generate an RSA private key

```sh
# 4096-bit RSA key, stored encrypted with AES-256 under a passphrase
openssl genrsa -aes256 -out ca_rsa_private.key 4096
```

The result is as follows:

```
$ openssl genrsa -aes256 -out ca_rsa_private.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.........++++
....................................................................................................................................................................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for ca_rsa_private.key:
Verifying - Enter pass phrase for ca_rsa_private.key:
$ ls -ltr
total 4
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
```
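
# 2. Create a passphrase-free RSA private key

Compared with a passphrase-protected RSA key, a passphrase-free RSA key configured in a web container does not require the passphrase to be typed in manually on every start or configuration reload (some web containers instead let you set the RSA key's passphrase directly in the configuration file). The resulting file is stored unencrypted, so anyone who can read it can use the key.

```sh
# Decrypts the key from step 1 and writes it back out without a passphrase
openssl rsa -in ca_rsa_private.key -out ca_rsa_private_nopass.key
```

The result is as follows:

```
$ openssl rsa -in ca_rsa_private.key -out ca_rsa_private_nopass.key
Enter pass phrase for ca_rsa_private.key:
writing RSA key
$ ls -ltr
total 8
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
```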

# 3. Export the public key for the RSA private key

```sh
openssl rsa -in ca_rsa_private_nopass.key -pubout -out ca_rsa_public.key
```

The result is as follows:

```
$ openssl rsa -in ca_rsa_private_nopass.key -pubout -out ca_rsa_public.key
writing RSA key
$ ls -ltr
total 12
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
```

# 4. Generate a certificate signing request for the CA root certificate

```sh
openssl req -new -subj "/C=US/ST=California/L=Los Angeles/O=example.com/OU=IANA/CN=Example.com's Root CA/emailAddress=iana@iana.org" -key ca_rsa_private_nopass.key -out ca.csr
```

The result is as follows:

```
$ openssl req -new -subj "/C=US/ST=California/L=Los Angeles/O=example.com/OU=IANA/CN=Example.com's Root CA/emailAddress=iana@iana.org" -key ca_rsa_private_nopass.key -out ca.csr
$ ls -ltr
total 16
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
```

# 5. Self-sign the CA root certificate signing request with the RSA private key

```sh
# openssl x509 -req -days $((365 * 100)) -sha256 -extensions v3_ca -in ca.csr -signkey ca_rsa_private_nopass.key -out ca.crt

#mkdir -p ./demoCA
#touch ./demoCA/index.txt
#openssl ca -days $((365 * 100)) -md sha256 -extensions v3_ca -selfsign -in ca.csr -keyfile ca_rsa_private_nopass.key -out ca.crt -outdir . -create_serial

openssl req -x509 -days $((365 * 100)) -sha256 -nodes -in ca.csr -key ca_rsa_private_nopass.key -out ca.crt
```

The result is as follows:

```
$ openssl req -x509 -days $((365 * 100)) -sha256 -nodes -in ca.csr -key ca_rsa_private_nopass.key -out ca.crt
$ ls -ltr
total 20
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
```

# 6. Generate the RSA key for the HTTPS server

```sh
openssl genrsa -aes256 -out https_rsa_private.key 4096
```

The result is as follows:

```
$ openssl genrsa -aes256 -out https_rsa_private.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
......................................++++
.............................++++
e is 65537 (0x010001)
Enter pass phrase for https_rsa_private.key:
Verifying - Enter pass phrase for https_rsa_private.key:
$ ls -ltr
total 24
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
```

# 7. Create a passphrase-free RSA private key

Compared with a passphrase-protected RSA key, a passphrase-free RSA key configured in a web container does not require the passphrase to be typed in manually on every start or configuration reload (some web containers instead let you set the RSA key's passphrase directly in the configuration file).

```sh
openssl rsa -in https_rsa_private.key -out https_rsa_private_nopass.key
```

The result is as follows:

```
$ openssl rsa -in https_rsa_private.key -out https_rsa_private_nopass.key
Enter pass phrase for https_rsa_private.key:
writing RSA key
$ ls -ltr
total 28
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3247 Jul 7 05:15 https_rsa_private_nopass.key
```

# 8. Export the public key for the RSA private key

```sh
openssl rsa -in https_rsa_private_nopass.key -pubout -out https_rsa_public.key
```

The result is as follows:

```
$ openssl rsa -in https_rsa_private_nopass.key -pubout -out https_rsa_public.key
writing RSA key
$ ls -ltr
total 32
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3247 Jul 7 05:15 https_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:16 https_rsa_public.key
```

# 9. Generate an HTTPS certificate signing request

```sh
openssl req -new -subj "/C=US/ST=California/L=Los Angeles/O=example.com/OU=IANA/CN=*.example.com/emailAddress=iana@iana.org" -key https_rsa_private_nopass.key -out https.csr
```

The result is as follows:

```
$ openssl req -new -subj "/C=US/ST=California/L=Los Angeles/O=example.com/OU=IANA/CN=*.example.com/emailAddress=iana@iana.org" -key https_rsa_private_nopass.key -out https.csr
$ ls -ltr
total 36
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3247 Jul 7 05:15 https_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:16 https_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1756 Jul 7 05:16 https.csr
```

# 10. Sign the HTTPS certificate signing request with the CA root certificate

Do not make the validity period too long; no more than 2 years is recommended, otherwise some browsers will not trust the certificate, for example Safari and Chrome on iPhone.

In addition, since Chrome 58 the browser no longer only checks whether the CommonName entry matches the requested domain name or IP; the subjectAltName entry must also be configured.

```sh
# Requires bash: <( ... ) is process substitution.
# The first time the CA root certificate signs an HTTPS certificate, the ca.srl serial number file is created as well.
# On every later signing, the existing ca.srl serial number file is reused and its serial number is incremented.
openssl x509 -req -days $((356 * 2)) -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(
cat <<EOF
[v3_san]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com
EOF
)) -extensions v3_san -CA ca.crt -CAkey ca_rsa_private_nopass.key -$(if [ -f ca.srl ]; then echo CAserial ca.srl; else echo CAcreateserial; fi) -in https.csr -out https.crt
```

The result is as follows:

```
$ openssl x509 -req -days $((356 * 2)) -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(
> cat <<EOF
> [v3_san]
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1 = example.com
> DNS.2 = *.example.com
> EOF
> )) -extensions v3_san -CA ca.crt -CAkey ca_rsa_private_nopass.key -$(if [ -f ca.srl ]; then echo CAserial ca.srl; else echo CAcreateserial; fi) -in https.csr -out https.crt
Signature ok
subject=C = US, ST = California, L = Los Angeles, O = example.com, OU = IANA, CN = *.example.com, emailAddress = iana@iana.org
Getting CA Private Key
$ ls -ltr
total 40
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3247 Jul 7 05:15 https_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:16 https_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1756 Jul 7 05:16 https.csr
-rwxrwxrwx 1 stduser stduser 41 Jul 7 05:17 ca.srl
-rwxrwxrwx 1 stduser stduser 2106 Jul 7 05:17 https.crt
```
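
The checks worth running on the files produced by steps 4 to 10, as an added example that is not part of the original page: it issues a throwaway CA and wildcard certificate, then verifies the chain, the key/certificate pairing, subjectAltName coverage, lifetime and key file permissions. The helper function names, the `Demo Root CA` subject, the 2048-bit unencrypted keys and the standalone `san.ext` (used instead of concatenating `/etc/ssl/openssl.cnf`) are assumptions made for the demo.

```sh
#!/bin/sh
# Added example (not from the original page). All names, keys and paths are
# constructed; 2048-bit unencrypted keys keep the demo fast and non-interactive.

# Does leaf certificate $2 chain to CA certificate $1?
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Does private key $1 belong to certificate $2? Compares the two public keys.
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Is $2 listed literally as a DNS entry in the subjectAltName of certificate $1?
has_san_entry() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# Would hostname $2 be accepted for certificate $1 (wildcard rules applied)?
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Does certificate $1 expire within $2 days from now? For a freshly issued
# certificate this equals "total lifetime is at most $2 days".
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null
}

# Is file $1 inaccessible to group and others (those mode bits all unset)?
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Issue a constructed CA and server certificate into directory $1, following
# steps 4-10 of the page. Runs in a subshell so umask and cd stay local.
issue_demo() (
    umask 077            # key files are created owner-only
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'commonName = Common Name' \
        '[v3_ca]' 'basicConstraints = critical, CA:TRUE' >ca.cnf
    printf '%s\n' '[v3_san]' 'subjectAltName = @alt_names' \
        '[alt_names]' 'DNS.1 = example.com' 'DNS.2 = *.example.com' >san.ext
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -config ca.cnf -subj "/O=example.com/CN=Demo Root CA" \
        -keyout ca.key -out ca.crt 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/O=example.com/CN=*.example.com" \
        -keyout https.key -out https.csr 2>/dev/null &&
    openssl x509 -req -days $((356 * 2)) -sha256 \
        -extfile san.ext -extensions v3_san \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -in https.csr -out https.crt 2>/dev/null
)

# Report every check for the material in directory $1.
report() {
    chain_ok "$1/ca.crt" "$1/https.crt"            && echo "chain verifies"
    key_matches_cert "$1/https.key" "$1/https.crt" && echo "key matches cert"
    key_is_private "$1/https.key"                  && echo "key is owner-only"
    expires_within_days "$1/https.crt" 730         && echo "lifetime <= 2 years"
    for h in example.com www.example.com a.b.example.com; do
        host_matches "$1/https.crt" "$h" && echo "$h: accepted" || echo "$h: rejected"
    done
}

demo=$(mktemp -d) && issue_demo "$demo" && report "$demo"
rm -rf "$demo"
```

Against the page's own files the same helpers apply directly, for example `chain_ok ca.crt https.crt` and `key_matches_cert https_rsa_private_nopass.key https.crt`; `key_is_private` fails for the `-rwxrwxrwx` key files in the listings above. The hostname check also shows why the page lists both `example.com` and `*.example.com`: the wildcard covers exactly one label, so it matches neither the bare domain nor `a.b.example.com`.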

# 11. Package the private key and certificate into a p12 file

```sh
openssl pkcs12 -export -inkey https_rsa_private_nopass.key -in https.crt -out https.keystore.p12 -name https
```

The result is as follows:

```
$ openssl pkcs12 -export -inkey https_rsa_private_nopass.key -in https.crt -out https.keystore.p12 -name https
Enter Export Password:
Verifying - Enter Export Password:
$ ls -ltr
total 48
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3247 Jul 7 05:15 https_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:16 https_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1756 Jul 7 05:16 https.csr
-rwxrwxrwx 1 stduser stduser 41 Jul 7 05:17 ca.srl
-rwxrwxrwx 1 stduser stduser 2106 Jul 7 05:17 https.crt
-rwxrwxrwx 1 stduser stduser 4328 Jul 7 05:18 https.keystore.p12
```

# 12. Convert the p12 file to a jks file

```sh
keytool -importkeystore -srckeystore https.keystore.p12 -srcstoretype pkcs12 -destkeystore https.keystore.jks -deststoretype jks -v
```

The result is as follows:

```
$ keytool -importkeystore -srckeystore https.keystore.p12 -srcstoretype pkcs12 -destkeystore https.keystore.jks -deststoretype jks -v
Importing keystore https.keystore.p12 to https.keystore.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias https successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[Storing https.keystore.jks]

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore https.keystore.jks -destkeystore https.keystore.jks -deststoretype pkcs12".
$ ls -ltr
total 52
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:05 ca_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3243 Jul 7 05:06 ca_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:07 ca_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1769 Jul 7 05:13 ca.csr
-rwxrwxrwx 1 stduser stduser 2179 Jul 7 05:14 ca.crt
-rwxrwxrwx 1 stduser stduser 3326 Jul 7 05:15 https_rsa_private.key
-rwxrwxrwx 1 stduser stduser 3247 Jul 7 05:15 https_rsa_private_nopass.key
-rwxrwxrwx 1 stduser stduser 800 Jul 7 05:16 https_rsa_public.key
-rwxrwxrwx 1 stduser stduser 1756 Jul 7 05:16 https.csr
-rwxrwxrwx 1 stduser stduser 41 Jul 7 05:17 ca.srl
-rwxrwxrwx 1 stduser stduser 2106 Jul 7 05:17 https.crt
-rwxrwxrwx 1 stduser stduser 4328 Jul 7 05:18 https.keystore.p12
-rwxrwxrwx 1 stduser stduser 4026 Jul 7 05:18 https.keystore.jks
```

# 13. View the HTTPS certificate contents

```sh
openssl x509 -in ca.crt -noout -text
openssl x509 -in https.crt -noout -text
keytool -list -v -keystore https.keystore.p12
keytool -list -v -keystore https.keystore.jks
```

The result is as follows:

```
$ openssl x509 -in ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
13:33:c1:cb:4a:05:23:9b:c4:9a:95:68:fc:88:9e:40:12:68:e4:af
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, L = Los Angeles, O = example.com, OU = IANA, CN = Example.com's Root CA, emailAddress = iana@iana.org
Validity
Not Before: Jul 6 21:14:41 2023 GMT
Not After : Jun 12 21:14:41 2123 GMT
Subject: C = US, ST = California, L = Los Angeles, O = example.com, OU = IANA, CN = Example.com's Root CA, emailAddress = iana@iana.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
46:8E:37:91:A4:56:D5:63:C8:25:43:A0:E8:E1:16:66:3C:F0:22:E6
X509v3 Authority Key Identifier:
keyid:46:8E:37:91:A4:56:D5:63:C8:25:43:A0:E8:E1:16:66:3C:F0:22:E6

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -in https.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:7b:a6:5b:70:e6:ab:18:82:fb:20:5c:50:63:43:e7:dc:fd:b5:ee
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, L = Los Angeles, O = example.com, OU = IANA, CN = Example.com's Root CA, emailAddress = iana@iana.org
Validity
Not Before: Jul 6 21:17:44 2023 GMT
Not After : Jun 17 21:17:44 2025 GMT
Subject: C = US, ST = California, L = Los Angeles, O = example.com, OU = IANA, CN = *.example.com, emailAddress = iana@iana.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:*.example.com
Signature Algorithm: sha256WithRSAEncryption
$ keytool -list -v -keystore https.keystore.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: https
Creation date: Jul 7, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=iana@iana.org, CN=*.example.com, OU=IANA, O=example.com, L=Los Angeles, ST=California, C=US
Issuer: EMAILADDRESS=iana@iana.org, CN=Example.com's Root CA, OU=IANA, O=example.com, L=Los Angeles, ST=California, C=US
Serial number: c7ba65b70e6ab1882fb205c506343e7dcfdb5ee
Valid from: Fri Jul 07 05:17:44 CST 2023 until: Wed Jun 18 05:17:44 CST 2025
Certificate fingerprints:
SHA1: FA:10:E7:11:4F:47:5E:1A:93:E1:DC:EE:AE:53:DF:4D:91:C4:3B:34
SHA256: 19:41:78:84:25:D3:25:EE:D1:0F:BA:11:34:6A:70:EA:70:A9:CC:1B:CD:A0:96:0C:F0:71:8D:BA:13:3E:59:C6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: example.com
DNSName: *.example.com
]



*******************************************
*******************************************

$ keytool -list -v -keystore https.keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: https
Creation date: Jul 7, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=iana@iana.org, CN=*.example.com, OU=IANA, O=example.com, L=Los Angeles, ST=California, C=US
Issuer: EMAILADDRESS=iana@iana.org, CN=Example.com's Root CA, OU=IANA, O=example.com, L=Los Angeles, ST=California, C=US
Serial number: c7ba65b70e6ab1882fb205c506343e7dcfdb5ee
Valid from: Fri Jul 07 05:17:44 CST 2023 until: Wed Jun 18 05:17:44 CST 2025
Certificate fingerprints:
SHA1: FA:10:E7:11:4F:47:5E:1A:93:E1:DC:EE:AE:53:DF:4D:91:C4:3B:34
SHA256: 19:41:78:84:25:D3:25:EE:D1:0F:BA:11:34:6A:70:EA:70:A9:CC:1B:CD:A0:96:0C:F0:71:8D:BA:13:3E:59:C6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: example.com
DNSName: *.example.com
]



*******************************************
*******************************************



Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore https.keystore.jks -destkeystore https.keystore.jks -deststoretype pkcs12".
```
CopyRight © 2020-2023 keqiongpan.cn. All Right Reserved.