Certificate overview:
ICM server certificate: issued by the intermediate CA, which is in turn issued by the CA
UCGW client certificate: issued by the intermediate CA, which is in turn issued by the CA
Certificate issuance process:
Create the ICM self-signed certificate
keytool -genkey -dname "CN=mars_icm, OU=rv, O=rcd, L=ZB, ST=bj, C=China" -alias icm -keyalg RSA -keystore temp/iview.keystore -keypass 111111 -storepass 111111 -validity 60
keytool -certreq -alias icm -keypass 111111 -file "temp/icm.self.csr" -keystore "temp/iview.keystore" -storepass 111111
keytool -export -alias icm -keystore temp/iview.keystore -storepass 111111 -rfc -file temp/icm.self.cer
Create the UCGW self-signed certificate
keytool -genkey -dname "CN=mars_UCGW, OU=rv, O=rcd, L=ZB, ST=bj, C=China" -alias ucgw -keyalg RSA -keystore temp/ucgw.keystore -keypass 111111 -storepass 111111 -validity 60
keytool -certreq -alias ucgw -keypass 111111 -file "temp/ucgw.self.csr" -keystore "temp/ucgw.keystore" -storepass 111111
keytool -export -alias ucgw -keystore temp/ucgw.keystore -storepass 111111 -rfc -file temp/ucgw.self.cer
Create the intermediate CA self-signed certificate
keytool -genkey -dname "CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China" -alias intermediary -keyalg RSA -keystore temp/inter.keystore -keypass 111111 -storepass 111111 -validity 60
keytool -certreq -alias intermediary -keypass 111111 -file "temp/inter.self.csr" -keystore "temp/inter.keystore" -storepass 111111
keytool -export -alias intermediary -keystore temp/inter.keystore -storepass 111111 -rfc -file temp/inter.self.cer
Create the CA certificate
keytool -genkey -dname "CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China" -alias root -keyalg RSA -keystore temp/ca--ca.keystore -keypass 111111 -storepass 111111 -validity 60
keytool -certreq -alias root -keypass 111111 -file "temp/root.csr" -keystore "temp/ca--ca.keystore" -storepass 111111
keytool -export -alias root -keystore temp/ca--ca.keystore -storepass 111111 -rfc -file temp/root.cer
The CA signs the intermediate CA certificate
keytool -export -alias ca_signed -keystore temp/ca--ca_sign.keystore -storepass 111111 -rfc -file temp/inter.cer
Verify the intermediate CA certificate
It is signed by the CA
Import into the intermediate CA's KeyStore
keytool -importcert -noprompt -trustcacerts -alias root -file temp/root.cer -keystore temp/inter.keystore -storepass 111111 -keypass 111111
keytool -importcert -noprompt -alias intermediary -file temp/inter.cer -keystore temp/inter.keystore -storepass 111111
The intermediate CA signs the icm certificate
keytool -export -alias inter_signed -keystore temp/ca--ca_sign.keystore -storepass 111111 -rfc -file temp/icm.signed.cer
The intermediate CA signs the ucgw certificate
keytool -export -alias inter_signed -keystore temp/ca--ca_sign.keystore -storepass 111111 -rfc -file temp/ucgw.signed.cer
Verify the ICM certificate
It is signed by the CA
Verify the UCGW certificate
It is signed by the CA
Import into the ICM KeyStore
keytool -importcert -noprompt -trustcacerts -alias root -file temp/root.cer -keystore temp/iview.keystore -storepass 111111 -keypass 111111
keytool -importcert -noprompt -trustcacerts -alias intermediary -file temp/inter.cer -keystore temp/iview.keystore -storepass 111111 -keypass 111111
keytool -importcert -noprompt -alias icm -file temp/icm.signed.cer -keystore temp/iview.keystore -storepass 111111
Import into the UCGW KeyStore
keytool -importcert -noprompt -trustcacerts -alias root -file temp/root.cer -keystore temp/ucgw.keystore -storepass 111111 -keypass 111111
keytool -importcert -noprompt -trustcacerts -alias intermediary -file temp/inter.cer -keystore temp/ucgw.keystore -storepass 111111 -keypass 111111
keytool -importcert -noprompt -alias ucgw -file temp/ucgw.signed.cer -keystore temp/ucgw.keystore -storepass 111111
---------------------------------------------------------------
keytool -list -keystore temp/ca--ca.keystore -storepass 111111
...
root, 2011-11-5, PrivateKeyEntry,
認證指紋 (MD5): 49:44:8A:79:3C:62:ED:66:AA:20:D6:BF:65:3E:23:C4
---------------------------------------------------------------
keytool -list -keystore temp/inter.keystore -storepass 111111
...
root, 2011-11-5, trustedCertEntry,
認證指紋 (MD5): 49:44:8A:79:3C:62:ED:66:AA:20:D6:BF:65:3E:23:C4
intermediary, 2011-11-5, PrivateKeyEntry,
認證指紋 (MD5): 23:6C:C0:46:67:CF:9E:4E:EF:A9:74:95:AB:EE:37:21
---------------------------------------------------------------
keytool -list -v -keystore temp/iview.keystore -storepass 111111
...
您的 keystore 包含 3 輸入
別名名稱: root
創建日期: 2011-11-5
輸入類型: trustedCertEntry
所有者:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
簽發人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列號:4eb449c5
有效期: Sat Nov 05 04:23:33 CST 2011 至Wed Jan 04 04:23:33 CST 2012
證書指紋:
MD5:49:44:8A:79:3C:62:ED:66:AA:20:D6:BF:65:3E:23:C4
SHA1:EA:92:AE:59:D1:8D:B6:2F:33:B7:65:CC:6E:B0:B5:7D:40:CF:45:BE
簽名算法名稱:SHA1withRSA
版本: 3
*******************************************
*******************************************
別名名稱: intermediary
創建日期: 2011-11-5
輸入類型: trustedCertEntry
所有者:CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China
簽發人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列號:4eb449c7
有效期: Sat Nov 05 04:23:35 CST 2011 至Wed Jan 22 04:23:35 CST 2020
證書指紋:
MD5:23:6C:C0:46:67:CF:9E:4E:EF:A9:74:95:AB:EE:37:21
SHA1:54:86:85:BC:9C:D5:D2:E8:A4:E6:33:DD:4F:42:87:FB:2A:92:F3:84
簽名算法名稱:MD5withRSA
版本: 3
*******************************************
*******************************************
別名名稱: icm
創建日期: 2011-11-5
項類型: PrivateKeyEntry
認證鏈長度: 3
認證 [1]:
所有者:CN=mars_icm, OU=rv, O=rcd, L=ZB, ST=bj, C=China
簽發人:CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列號:4eb449ca
有效期: Sat Nov 05 04:23:38 CST 2011 至Wed Jan 22 04:23:38 CST 2020
證書指紋:
MD5:95:97:C3:2C:2C:A5:B4:7A:17:EF:98:B7:7B:BC:AE:4A
SHA1:E1:92:F9:79:48:FE:59:AF:3F:85:CE:2A:21:82:AD:B2:00:60:EB:D7
簽名算法名稱:MD5withRSA
版本: 3
認證 [2]:
所有者:CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China
簽發人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列號:4eb449c7
有效期: Sat Nov 05 04:23:35 CST 2011 至Wed Jan 22 04:23:35 CST 2020
證書指紋:
MD5:23:6C:C0:46:67:CF:9E:4E:EF:A9:74:95:AB:EE:37:21
SHA1:54:86:85:BC:9C:D5:D2:E8:A4:E6:33:DD:4F:42:87:FB:2A:92:F3:84
簽名算法名稱:MD5withRSA
版本: 3
認證 [3]:
所有者:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
簽發人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列號:4eb449c5
有效期: Sat Nov 05 04:23:33 CST 2011 至Wed Jan 04 04:23:33 CST 2012
證書指紋:
MD5:49:44:8A:79:3C:62:ED:66:AA:20:D6:BF:65:3E:23:C4
SHA1:EA:92:AE:59:D1:8D:B6:2F:33:B7:65:CC:6E:B0:B5:7D:40:CF:45:BE
簽名算法名稱:SHA1withRSA
版本: 3
---------------------------------------------------------------
keytool -list -v -keystore temp/ucgw.keystore -storepass 111111
...
您的 keystore 包含 3 輸入
別名名稱: root
創建日期: 2011-11-5
輸入類型: trustedCertEntry
所有者:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
簽發人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列號:4eb449c5
有效期: Sat Nov 05 04:23:33 CST 2011 至Wed Jan 04 04:23:33 CST 2012
證書指紋:
MD5:49:44:8A:79:3C:62:ED:66:AA:20:D6:BF:65:3E:23:C4
SHA1:EA:92:AE:59:D1:8D:B6:2F:33:B7:65:CC:6E:B0:B5:7D:40:CF:45:BE
簽名算法名稱:SHA1withRSA
版本: 3
*******************************************
*******************************************
別名名稱: intermediary
創建日期: 2011-11-5
輸入類型: trustedCertEntry
所有者:CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China
簽發人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列號:4eb449c7
有效期: Sat Nov 05 04:23:35 CST 2011 至Wed Jan 22 04:23:35 CST 2020
證書指紋:
MD5:23:6C:C0:46:67:CF:9E:4E:EF:A9:74:95:AB:EE:37:21
SHA1:54:86:85:BC:9C:D5:D2:E8:A4:E6:33:DD:4F:42:87:FB:2A:92:F3:84
簽名算法名稱:MD5withRSA
版本: 3
*******************************************
*******************************************
別名名稱: ucgw
創建日期: 2011-11-5
項類型: PrivateKeyEntry
認證鏈長度: 3
認證 [1]:
所有者:CN=mars_UCGW, OU=rv, O=rcd, L=ZB, ST=bj, C=China
簽發人:CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列號:4eb449cb
有效期: Sat Nov 05 04:23:39 CST 2011 至Wed Jan 22 04:23:39 CST 2020
證書指紋:
MD5:D7:6D:ED:9C:13:B6:79:D2:4C:B1:B7:57:CE:AA:BB:54
SHA1:C0:AD:FC:86:53:CB:4F:92:D6:6C:2E:23:25:8F:EF:89:7D:8D:3A:EB
簽名算法名稱:MD5withRSA
版本: 3
認證 [2]:
所有者:CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China
簽發人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列號:4eb449c7
有效期: Sat Nov 05 04:23:35 CST 2011 至Wed Jan 22 04:23:35 CST 2020
證書指紋:
MD5:23:6C:C0:46:67:CF:9E:4E:EF:A9:74:95:AB:EE:37:21
SHA1:54:86:85:BC:9C:D5:D2:E8:A4:E6:33:DD:4F:42:87:FB:2A:92:F3:84
簽名算法名稱:MD5withRSA
版本: 3
認證 [3]:
所有者:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
簽發人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列號:4eb449c5
有效期: Sat Nov 05 04:23:33 CST 2011 至Wed Jan 04 04:23:33 CST 2012
證書指紋:
MD5:49:44:8A:79:3C:62:ED:66:AA:20:D6:BF:65:3E:23:C4
SHA1:EA:92:AE:59:D1:8D:B6:2F:33:B7:65:CC:6E:B0:B5:7D:40:CF:45:BE
簽名算法名稱:SHA1withRSA
版本: 3
Mutual-authentication TLS packet capture:
filter:
tcp.port==9527&&ssl
route add <your_IP> mask 255.255.255.255 <the_gateway> metric 1
route delete <your_IP>
route add 192.168.0.100 mask 255.255.255.255 192.168.0.1 metric 1
route delete 192.168.0.100
1: 54292[client] -> 9527[server] TLSv1 Client Hello
2,3,4,5: 9527[server] -> 54292[client] TLSv1 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
6,7: 54292[client] -> 9527[server] TLSv1 Certificate, Client Key Exchange
8: 54292[client] -> 9527[server] TLSv1 Certificate Verify
9,10: 54292[client] -> 9527[server] TLSv1 Change Cipher Spec, Encrypted Handshake Message
11,12: 9527[server] -> 54292[client] TLSv1 Change Cipher Spec (Finished)
9527[server] -> 54292[client] TLSv1 Encrypted Handshake Message, Application Data, Application Data, Encrypted Alert
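The Go program below is an added example, not code from the page (whose procedure uses keytool), and it uses only the standard library. BuildChain issues the same hierarchy as the keytool steps above (root CA -> intermediate CA -> ICM server certificate and UCGW client certificate, subject names from the page, each entry carrying its full chain the way the page's keystore entries show a chain length of 3), and MutualHandshake runs the two-way handshake of the capture above over a loopback socket: the server sends a Certificate Request, the client answers with its certificate and Certificate Verify, and each side validates the other's chain. Names and values not on the page are assumptions: the helper names issue, check, BuildChain and MutualHandshake, 2048-bit keys, the SAN hostnames icm.mars.example and ucgw.mars.example, caller-supplied lifetimes, and a DN reduced to CN/OU/O. Two failure modes that the page's own `keytool -list -v` output invites are reproduced with it: the root was issued for 60 days (valid until Jan 04 2012) while the intermediate and both leaves run to 2020, so once the root expires no peer can build a valid path even though the leaves still look fine; and a server keystore into which the intermediate was never imported serves an incomplete chain that the client cannot validate. (The page's intermediate and leaf certificates are also signed with MD5withRSA, which current TLS stacks reject outright; this example signs with Go's default SHA-256.)

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// check aborts on key-generation or encoding failures, which have no useful recovery in a fixture.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints one certificate signed by parent (self-signed when parent is nil) and returns it as a
// tls.Certificate whose chain is [leaf, parent, ...], like the page's keystore entries of chain length 3.
func issue(cn, san string, isCA bool, eku []x509.ExtKeyUsage, notAfter time.Time, parent *tls.Certificate) tls.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // assumption: keytool of that era defaulted to 1024-bit RSA
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn, OrganizationalUnit: []string{"rv"}, Organization: []string{"rcd"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA, // BasicConstraints: only the two CAs may sign further certificates
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku, // serverAuth for ICM, clientAuth for UCGW, unrestricted for the CAs
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // without this bit Go refuses the CA as a signer
	} else {
		tmpl.KeyUsage |= x509.KeyUsageKeyEncipherment
		tmpl.DNSNames = []string{san} // constructed SAN: Go matches ServerName against SANs, never the CN
	}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key} // self-signed: sign with our own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: append([][]byte{der}, parent.Certificate...), PrivateKey: key, Leaf: leaf}
}

// BuildChain issues root -> intermediate -> ICM (server) and UCGW (client); root and child lifetimes are
// separate so the page's situation (60-day root, children valid until 2020) can be reproduced.
func BuildChain(rootNotAfter, childNotAfter time.Time) (root, inter, icm, ucgw tls.Certificate) {
	root = issue("mars_ca", "", true, nil, rootNotAfter, nil)
	inter = issue("mars_inter", "", true, nil, childNotAfter, &root)
	icm = issue("mars_icm", "icm.mars.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, childNotAfter, &inter)
	ucgw = issue("mars_UCGW", "ucgw.mars.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, childNotAfter, &inter)
	return
}

// MutualHandshake runs the two-way handshake of the capture over a loopback socket: the server sends a
// Certificate Request and verifies the client's chain, the client verifies the server's, both using the
// clock at for validity checks. It returns the peer CN each side authenticated.
func MutualHandshake(root *x509.Certificate, server, client tls.Certificate, at time.Time) (serverSaw, clientSaw string, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	serverCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots, Time: func() time.Time { return at }}
	clientCfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: roots, ServerName: "icm.mars.example", Time: func() time.Time { return at }}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	var seen string // client CN as verified by the server; published through errc before it is read
	errc := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			s := tls.Server(conn, serverCfg)
			if err = s.Handshake(); err == nil {
				seen = s.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		errc <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", "", err // the client rejected the server's chain (frames 2-5 of the capture)
	}
	defer cli.Close()
	if err = <-errc; err != nil {
		return "", "", err // the server rejected the client's chain (frames 6-8)
	}
	return seen, cli.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

With `root, _, icm, ucgw := BuildChain(now.Add(60*24*time.Hour), now.Add(8*365*24*time.Hour))`, the call `MutualHandshake(root.Leaf, icm, ucgw, now)` returns `"mars_UCGW", "mars_icm", nil`; the same call with a clock 90 days out fails on the expired root although both leaves are still within their validity; and serving `tls.Certificate{Certificate: icm.Certificate[:1], PrivateKey: icm.PrivateKey}` (the leaf without its intermediate) fails with an unknown-authority error on the client side. The chain is built in memory rather than in a JKS file, so the checks are the ones a TLS peer performs, not keytool's, but they are the checks the page's final mutual-authentication capture depends on.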
Mutual authentication flow:
