
2024‐07‐02‐keytool‐cheatsheet


以下脚本可以生成EC,RSA,DSA等密钥

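#!/usr/bin/env bash
# Generate an RSA, an EC and a DSA key pair (each with a self-signed
# certificate) into one keystore, then copy every alias into its own keystore
# and export certificate, public key and private key as PEM with OpenSSL.
#
# Requires: keytool (JDK) and openssl on PATH.
# Outputs, written to the current directory:
#   key-store-<STOREPASS>.<ext>      combined keystore ("N in one")
#   <alias>-<STOREPASS>.<ext>        per-alias keystore
#   <alias>-<STOREPASS>.pem          PKCS12 converted to PEM; the private key
#                                    inside is encrypted with STOREPASS
#   <alias>-cert-x509.pem            certificate
#   <alias>-public-key-x509.pem      public key
#   <alias>-private-key-pkcs8.pem    private key, PKCS#8, NOT encrypted
set -euo pipefail

# Demo credentials. Note that STOREPASS is part of every output file name, so
# change both values and the naming scheme before using this anywhere but a
# throw-away directory.
STOREPASS="123456"
KEYPASS="123456"
TYPE="PKCS12"
DNAME="CN=Bill Ying,OU=,O=,L=Shanghai,S=Shanghai,C=CN"

# keytool (":env" modifier) and openssl ("env:" source) read the passwords
# from the environment rather than from argv, so they are not visible in `ps`.
export STOREPASS KEYPASS

# Private keys are written below, one of them unencrypted: make every file
# this script creates owner-only.
umask 077

case "$TYPE" in
  PKCS12) FILEEXT="p12" ;;
  JKS)    FILEEXT="jks" ;;
  *)
    echo "不支持的KeyStore类型" >&2
    exit 1
    ;;
esac

FILENAME="key-store-$STOREPASS.$FILEEXT"

# Start from a fresh keystore: keytool will not replace an existing alias.
rm -f -- "$FILENAME"

# RSA-2048 key pair + self-signed certificate.
keytool -genkeypair -alias rsa \
  -storepass:env STOREPASS \
  -keyalg RSA \
  -keysize 2048 \
  -validity 36500 \
  -sigalg SHA256withRSA \
  -dname "$DNAME" \
  -keypass:env KEYPASS \
  -storetype "$TYPE" \
  -keystore "$FILENAME"

# EC key pair on secp256r1 (P-256) + self-signed certificate.
keytool -genkeypair -alias ec \
  -storepass:env STOREPASS \
  -keyalg EC \
  -groupname secp256r1 \
  -validity 36500 \
  -sigalg SHA256withECDSA \
  -dname "$DNAME" \
  -keypass:env KEYPASS \
  -storetype "$TYPE" \
  -keystore "$FILENAME"

# DSA-2048 key pair + self-signed certificate. DSA is a legacy algorithm; it
# is kept here only for completeness of the cheat sheet.
keytool -genkeypair -alias dsa \
  -storepass:env STOREPASS \
  -keyalg DSA \
  -keysize 2048 \
  -validity 36500 \
  -sigalg SHA256withDSA \
  -dname "$DNAME" \
  -keypass:env KEYPASS \
  -storetype "$TYPE" \
  -keystore "$FILENAME"

# Show what ended up in the combined keystore (certificates in PEM form).
keytool -list \
  -rfc \
  -keystore "$FILENAME" \
  -storepass:env STOREPASS

# At this point the combined ("N in one") keystore is complete; the loop
# below splits it per alias and converts each piece with OpenSSL.
for alias in rsa ec dsa; do
  alias_store="$alias-$STOREPASS.$FILEEXT"
  alias_pem="$alias-$STOREPASS.pem"

  # Copy one alias out of the combined keystore into its own keystore.
  keytool -importkeystore \
    -srckeystore "$FILENAME" \
    -destkeystore "$alias_store" \
    -srcstorepass:env STOREPASS \
    -deststorepass:env STOREPASS \
    -srcalias "$alias" \
    -destalias "$alias" \
    -srckeypass:env KEYPASS \
    -destkeypass:env KEYPASS \
    -srcstoretype "$TYPE" \
    -deststoretype "$TYPE"

  # PKCS12 -> PEM. The PEM still carries the private key, encrypted with
  # STOREPASS (-passout).
  openssl pkcs12 \
    -in "$alias_store" \
    -out "$alias_pem" \
    -passin env:STOREPASS \
    -passout env:STOREPASS

  # Certificate only. x509 reads just the certificate block of the PEM, so no
  # key password is needed here.
  openssl x509 \
    -in "$alias_pem" \
    -inform PEM \
    -outform PEM \
    -out "$alias-cert-x509.pem"

  # Public key only, taken from the certificate.
  openssl x509 \
    -in "$alias_pem" \
    -inform PEM \
    -pubkey \
    -nocert \
    -outform PEM \
    -out "$alias-public-key-x509.pem"

  # Private key as PKCS#8. -nocrypt writes it UNENCRYPTED; the umask above
  # keeps the file owner-only, but treat it as a secret from here on.
  openssl pkcs8 \
    -topk8 \
    -in "$alias_pem" \
    -inform PEM \
    -passin env:STOREPASS \
    -outform PEM \
    -out "$alias-private-key-pkcs8.pem" \
    -nocrypt
done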

以下脚本可以生成 AES 密钥

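#!/usr/bin/env bash
# Generate a single AES secret key into a fresh keystore and list the result.
#
# Requires: keytool (JDK) on PATH.
# Output, written to the current directory:
#   key-store-<STOREPASS>.<ext>   keystore holding the secret-key entry "aes"
set -euo pipefail

# Demo credentials. STOREPASS is part of the output file name; change both
# before using this anywhere but a throw-away directory.
STOREPASS="123456"
TYPE="PKCS12"
DNAME="CN=Bill Ying,OU=,O=,L=Shanghai,S=Shanghai,C=CN"

# keytool reads the password from the environment (":env" modifier) rather
# than from argv, so it is not visible in `ps`.
export STOREPASS

# The keystore contains a secret key: make it owner-only.
umask 077

case "$TYPE" in
  PKCS12) FILEEXT="p12" ;;
  JKS)    FILEEXT="jks" ;;
  *)
    echo "不支持的KeyStore类型" >&2
    exit 1
    ;;
esac

FILENAME="key-store-$STOREPASS.$FILEEXT"

# Start from a fresh keystore: keytool will not replace an existing alias.
rm -f -- "$FILENAME"

# AES-128 secret key. -validity and -dname describe a certificate and appear
# to have no effect on a secret-key entry; they are kept as in the original
# recipe — TODO confirm against the keytool version in use and drop them.
keytool -genseckey -alias aes \
  -storepass:env STOREPASS \
  -keyalg AES \
  -keysize 128 \
  -validity 36500 \
  -dname "$DNAME" \
  -storetype "$TYPE" \
  -keystore "$FILENAME"

# Show what ended up in the keystore.
keytool -list \
  -rfc \
  -keystore "$FILENAME" \
  -storepass:env STOREPASS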