【keytool】Signing Certificates With Your Own CA

I. Generate and sign the certificate

1. Generate the server-side keystore.jks

2. Use keystore.jks to generate the certificate signing request file client.csr

3. Sign client.csr with the ca.crt and ca.key provided by the CA to produce client.crt

4. Import ca.crt and client.crt into keystore.jks, then copy it to the service's directory



# cat gen.sh

############################################################
#!/bin/bash

# signing certificates with CA

# ca.crt and ca.key are provided by the CA
# Use ca.crt and ca.key to sign the key in keystore.jks

# nexus listen IP
nexus_ip="xx.xx.xx.xx"

# 1. generate the server key pair (with a self-signed placeholder cert) in keystore.jks
keytool -genkey \
  -alias keystore \
  -keyalg RSA \
  -keysize 2048 \
  -keystore keystore.jks \
  -storepass Nexus@123 \
  -keypass Nexus@456 \
  -validity 3650 \
  -dname "CN=*.test.com,OU=Test,O=Test,L=ShenZhen,ST=GuangDong,C=CN" \
  -ext "SAN=IP:${nexus_ip},DNS:nexus.test.com" \
  -ext "BC=ca:false"

# extensions for the signed certificate: openssl x509 -req does not copy the
# extensions from the CSR, so the SAN must be supplied again here
echo "
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=IP:${nexus_ip},DNS:nexus.test.com
" > v3.ext

# 2. certificate signing request for the key in the keystore
keytool -keystore keystore.jks -certreq -alias keystore -keyalg rsa -file client.csr -keypass "Nexus@456" -storepass "Nexus@123"

# 3. sign the request with the CA key, applying the extensions from v3.ext
openssl x509 -req -CA ca.crt -CAkey ca.key -extfile v3.ext -in client.csr -out client.crt -days 3650 -CAcreateserial

# 4. import the CA certificate, then the signed certificate (the CA reply) under the key's alias
keytool -import -keystore keystore.jks -file ca.crt -alias CARoot -storepass "Nexus@123" -noprompt
keytool -import -keystore keystore.jks -file client.crt -alias keystore -storepass "Nexus@123"

# show the resulting key entry and its certificate chain
keytool -list -v -keystore keystore.jks -storepass "Nexus@123"
###################################################
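The signing step above replayed end to end, as an added example that is not the post's gen.sh: a throwaway CA and an openssl-generated CSR stand in for the real ca.crt/ca.key and for keytool, and check_signed_cert confirms that the result chains to the CA and carries the SAN from v3.ext, while the same CSR signed without -extfile does not. It assumes openssl 1.1.1 or newer; the IP 10.0.0.10 is a constructed value.

```shell
#!/bin/bash
# Added example, not part of the original post. It replays the signing step
# with a throwaway CA and checks that the extensions from v3.ext actually
# ended up in client.crt. "openssl x509 -req" ignores the extensions carried
# by the CSR (the SAN that keytool -ext put there), so without -extfile the
# signed certificate has no SAN and TLS clients will not accept it.
# Assumes openssl >= 1.1.1 (for req -addext); keytool is not needed here.
set -eu
nexus_ip="10.0.0.10"            # constructed sample value
work=$(mktemp -d); cd "$work"

# Throwaway CA standing in for the ca.crt/ca.key that the real CA provides.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 \
  -subj "/CN=Test CA/O=Test/C=CN" 2>/dev/null
# Leaf key + CSR with the subject and SAN the post's keytool -genkey uses.
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=*.test.com/OU=Test/O=Test/L=ShenZhen/ST=GuangDong/C=CN" \
  -addext "subjectAltName=IP:${nexus_ip},DNS:nexus.test.com" 2>/dev/null
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=IP:${nexus_ip},DNS:nexus.test.com
EOF

# Sign the same CSR twice: the post's way (with v3.ext) and without it.
openssl x509 -req -CA ca.crt -CAkey ca.key -extfile v3.ext -in client.csr \
  -out client.crt -days 30 -CAcreateserial 2>/dev/null
openssl x509 -req -CA ca.crt -CAkey ca.key -in client.csr \
  -out client-noext.crt -days 30 -CAcreateserial 2>/dev/null

# check_signed_cert CA LEAF HOST: succeeds only if LEAF chains to CA, is not
# a CA itself, and names HOST in its SAN (modern TLS stacks ignore the CN).
check_signed_cert() {
  local text
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$2" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
  printf '%s\n' "$text" | grep -q "DNS:$3" || return 1
}

check_signed_cert ca.crt client.crt nexus.test.com && echo "client.crt: OK"
check_signed_cert ca.crt client-noext.crt nexus.test.com ||
  echo "client-noext.crt: no SAN, a client would reject it"
```

The same check can be run against the real client.crt before it is imported into keystore.jks, with the CA's ca.crt as the first argument.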


II. Copy ca.crt to the client (the trust-store paths below are for RHEL/CentOS-style systems)

# cp ca.crt    /etc/pki/ca-trust/source/anchors

# update-ca-trust

III. Test access from the client

# curl  https://xx.xx.xx.xx:XX

# curl  --cacert  /path/to/ca.crt  https://xx.xx.xx.xx:XX


IV. References

openssl: generating a self-signed certificate and viewing certificate details

https://www.cnblogs.com/threegun/p/7130985.html

Viewing certificate details with openssl

http://blog.51cto.com/colinzhouyj/1566250


Signing Certificates With Your Own CA

https://docs.oracle.com/cd/E19509-01/820-3503/ggezy/index.html

Creating an x509 v3 user certificate by signing CSR

https://stackoverflow.com/questions/18233835/creating-an-x509-v3-user-certificate-by-signing-csr

Standard X.509 v3 Certificate Extension Reference

https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Standard_X.509_v3_Certificate_Extensions.html

https://github.com/interledgerjs/ilp-wm-provider/blob/master/cert/v3.ext

How do I display the contents of a SSL certificate?

https://support.qacafe.com/knowledge-base/how-do-i-display-the-contents-of-a-ssl-certificate

keytool - Key and Certificate Management Tool

https://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html

KeyStores and TrustStores

https://docs.oracle.com/cd/E19509-01/820-3503/ggffo/index.html

Class X509v3CertificateBuilder

http://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/cert/X509v3CertificateBuilder.html

x509v3_config.html

https://www.openssl.org/docs/manmaster/man5/x509v3_config.html

http://openssl.cs.utah.edu/docs/apps/x509v3_config.html

Missing X509 extensions with an openssl-generated certificate

https://security.stackexchange.com/questions/150078/missing-x509-extensions-with-an-openssl-generated-certificate

Create X509 certificate with v3 extensions using command line tools

https://unix.stackexchange.com/questions/209861/create-x509-certificate-with-v3-extensions-using-command-line-tools

Certificate Extensions

https://www.dogtagpki.org/wiki/Certificate_Extensions


Reposted from blog.csdn.net/weixin_33675507/article/details/87552779