weblogic生成和配置SSL证书

采用Linux自带的OPENSSL进行证书的生成工作

准备阶段

以root登录,同时在el01gbcn01上完成

[oracle@el01gbcn01]# which java

/u01/FMW/weblogic/jdk1.7.0/bin/java

[oracle@el01gbcn01]# dir sslcert

[oracle@el01gbcn01]$ cd sslcert

[oracle@el01gbcn01]$ mkdir certs private

[oracle@el01gbcn01]$ echo '100001' >serial

[oracle@el01gbcn01]$ touch certindex.txt

[oracle@el01gbcn01]$ touch openssl.cnf

将下面文本粘贴如openssl.cnf

# OpenSSL configuration file

# Working directory

dir = .

[ ca ]

default_ca = CA_default

[ CA_default ]

serial = $dir/serial

database = $dir/certindex.txt

new_certs_dir = $dir/certs

certificate = $dir/cacert.pem

private_key = $dir/private/cakey.pem

default_days = 365

default_md = sha1

preserve = no

email_in_dn = no

nameopt = default_ca

certopt = default_ca

policy = policy_match

[ policy_match ]

countryName = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

[ req ]

default_bits = 2048 # Size of keys

default_keyfile = key.pem # name of generated keys

default_md = sha1 # message digest algorithm

string_mask = nombstr # permitted characters

distinguished_name = req_distinguished_name

req_extensions = v3_req

[ req_distinguished_name ]

# Variable name Prompt string

#------------------------- ----------------------------------

0.organizationName = Organization Name (company)

organizationalUnitName = Organizational Unit Name (department, division)

emailAddress = Email Address

emailAddress_max = 40

localityName = Locality Name (city, district)

stateOrProvinceName = State or Province Name (full name)

countryName = Country Name (2 letter code)

countryName_min = 2

countryName_max = 2

commonName = Common Name (hostname, IP, or your name)

commonName_max = 64

# Default values for the above, for consistency and less typing.

# Variable name Value

#------------------------ ------------------------------

0.organizationName_default = My Company

organizationalUnitName_default = My Org

emailAddress_default = demo@sample.com

localityName_default = My Town

stateOrProvinceName_default = My Providence

countryName_default = CN

[ v3_ca ]

basicConstraints = CA:TRUE

subjectKeyIdentifier = hash

authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]

basicConstraints = CA:FALSE

subjectKeyIdentifier = hash

[ my_v3_ext ]

basicConstraints = CA:true

[ policy_anything ]

countryName = optional

stateOrProvinceName = optional

localityName = optional

organizationName = optional

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

生成guilin bank CA Root根证书

有效期10年

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

密码为password1

输入信息如下:

生成guilinBank CA 二级证书

openssl req -new -nodes -out GCSLevel2CA-req.pem -keyout private/GCSLevel2CA-key.pem -pubkey -days 3650 -config ./openssl.cnf

对二级证书进行签名

openssl ca -extensions my_v3_ext -out GCSLevel2CA-cert.pem -days 3650 -config ./openssl.cnf -infiles GCSLevel2CA-req.pem

生成服务器请求证书

对*.guilinbank.com.cn的主机都有效, 可用于WebLogic, OTD VIP等

keytool -genkey -dname "cn=*.guilinbank.com.cn, ou=it, o=guilinbank, c=CN" -keyalg RSA -keysize 2048 -alias mykey -keypass password1 -keystore mykeystore.jks -storepass password1 -validity 3650

keytool -certreq -alias mykey -file mykey-req.pem -keypass password1 -storetype JKS -keystore mykeystore.jks -storepass password1

用ll察看一下当前目录,已经有的文件包括

total 48

-rw-rw-r-- 1 oracle oracle 954 Sep 27 22:04 mykey-req.pem <-- 应用证书请求文件

-rw-rw-r-- 1 oracle oracle 1606 Sep 27 21:59 cacert.pem <-- 根证书

-rw-rw-r-- 1 oracle oracle 82 Sep 27 22:02 certindex.txt

-rw-rw-r-- 1 oracle oracle 21 Sep 27 22:02 certindex.txt.attr

-rw-rw-r-- 1 oracle oracle 0 Sep 27 21:57 certindex.txt.old

drwxrwxr-x 2 oracle oracle 4096 Sep 27 22:02 certs

-rw-rw-r-- 1 oracle oracle 4055 Sep 27 22:02 GCSLevel2CA-cert.pem <-- 二级证书

-rw-rw-r-- 1 oracle oracle 1582 Sep 27 22:02 GCSLevel2CA-req.pem <-- 二级证书请求文件

-rw-rw-r-- 1 oracle oracle 2117 Sep 27 22:04 mykeystore.jks <-- Java Keystore

-rw-rw-r-- 1 oracle oracle 3057 Sep 27 21:58 openssl.cnf <-- OpenSSL 配置文件

drwxrwxr-x 2 oracle oracle 4096 Sep 27 22:01 private

-rw-rw-r-- 1 oracle oracle 7 Sep 27 22:02 serial

-rw-rw-r-- 1 oracle oracle 7 Sep 27 21:57 serial.old

使用二级证书对应用请求文件进行签名

openssl ca -policy policy_anything -keyfile private/GCSLevel2CA-key.pem -cert GCSLevel2CA-cert.pem -days 3650 -config ./openssl.cnf -out mykey.pem -infiles mykey-req.pem

生成应用证书链

openssl crl2pkcs7 -nocrl -certfile mykey.pem -certfile GCSLevel2CA-cert.pem -certfile cacert.pem -outform PEM -out mykey.p7b

将应用证书链导入Jks证书库

keytool -import -alias mykey -file mykey.p7b -keystore mykeystore.jks

[root@el01gbcn01 sslcert]# keytool -list -keystore mykeystore.jks -storepass password1 -v

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey

Creation date: Jul 14, 2015

Entry type: PrivateKeyEntry

Certificate chain length: 3

Certificate[1]:

Owner: CN=*.guilinbank.com.cn, OU=it, O=guilinbank, C=CN

Issuer: CN=guilinbankLevel2CA, OU=it, O=guilinbank, ST=guangxi, C=CN

Serial number: 100002

Valid from: Tue Jul 14 14:44:14 GMT 2015 until: Fri Jul 11 14:44:14 GMT 2025

Certificate fingerprints:

MD5: C4:D7:9D:1C:E1:E3:64:26:4A:23:50:2B:02:58:3E:37

SHA1: AC:F3:3E:00:B4:96:8D:4D:3E:29:FA:B1:57:43:9A:31:C2:74:2A:D8

SHA256: B3:DC:96:34:75:83:03:76:91:12:80:5E:FE:78:1D:7A:5D:33:C2:27:6A:9E:BE:E7:BE:BF:B5:B2:9E:64:6C:DC

Signature algorithm name: SHA1withRSA

Version: 1

Certificate[2]:

Owner: CN=guilinbankLevel2CA, OU=it, O=guilinbank, ST=guangxi, C=CN

Issuer: CN=guilinbankCA, C=CN, ST=guangxi, L=guilin, EMAILADDRESS=admin@guilinbank.com, OU=it, O=guilinbank

Serial number: 100001

Valid from: Tue Jul 14 14:40:53 GMT 2015 until: Fri Jul 11 14:40:53 GMT 2025

Certificate fingerprints:

MD5: 76:2A:F3:2A:69:1A:3B:69:A7:81:AC:66:8D:FE:67:FD

SHA1: 6D:A3:72:84:5D:76:12:02:35:37:B6:94:BA:36:00:AC:35:23:7C:F0

SHA256: 6D:66:0C:64:C6:45:5B:67:21:E6:4B:B7:3F:F9:63:54:4D:9D:12:F2:80:67:C4:35:D0:59:E6:70:98:02:F3:0D

Signature algorithm name: SHA1withRSA

Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false

BasicConstraints:[

CA:true

PathLen:2147483647

]

Certificate[3]:

Owner: CN=guilinbankCA, C=CN, ST=guangxi, L=guilin, EMAILADDRESS=admin@guilinbank.com, OU=it, O=guilinbank

Issuer: CN=guilinbankCA, C=CN, ST=guangxi, L=guilin, EMAILADDRESS=admin@guilinbank.com, OU=it, O=guilinbank

Serial number: f05c6d633a594760

Valid from: Tue Jul 14 14:38:55 GMT 2015 until: Fri Jul 11 14:38:55 GMT 2025

Certificate fingerprints:

MD5: 99:94:9C:35:E4:33:3B:88:22:03:50:52:62:08:CF:4D

SHA1: DC:DB:78:C3:88:E2:A1:02:43:8F:2F:41:6D:1E:FA:F0:45:79:B9:A6

SHA256: BF:FB:02:3E:BE:28:DF:44:65:30:3A:F4:CD:73:DA:85:7F:C1:9B:21:71:02:37:01:5D:9C:E4:D8:82:86:C2:90

Signature algorithm name: SHA1withRSA

Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier [

KeyIdentifier [

0000: BA 53 F0 69 69 70 A8 6B B8 5B 82 F3 38 65 4F DF .S.iip.k.[..8eO.

0010: 96 B8 64 6D ..dm

]

[CN=guilinbankCA, C=CN, ST=guangxi, L=guilin, EMAILADDRESS=admin@guilinbank.com, OU=it, O=guilinbank]

SerialNumber: [ f05c6d63 3a594760]

]

#2: ObjectId: 2.5.29.19 Criticality=false

BasicConstraints:[

CA:true

PathLen:2147483647

]

#3: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: BA 53 F0 69 69 70 A8 6B B8 5B 82 F3 38 65 4F DF .S.iip.k.[..8eO.

0010: 96 B8 64 6D ..dm

]

*******************************************

至此生成mykeystore.jks证书完毕

配置weblogic使用证书

登录weblogic server管理控制台,选择服务器Server1,选择配置,秘要库,选择更改

选择定制标示和java标准信任

输入mykeystore.jks的具体地址,为保证访问权限,需要将文件拷贝到/u01/sampleapp/application下并且修改owner为weblogic

选择类型为JKS

输入密码password1

选择SSL选项卡,然后输入别名和密码,保存

最后启用SSL端口7002

Server1配置完成,同样完成Server2

Weblogic Server SSL配置完成,验证

weblogic生成和配置SSL证书

生成guilin bank CA Root根证书

生成guilinBank CA 二级证书

对二级证书进行签名

生成服务器请求证书

使用二级证书对应用请求文件进行签名

生成应用证书链

将应用证书链导入Jks证书库

配置weblogic使用证书