Current location - Quotes Website - Signature design - How to install openssl to generate certificates
How to install openssl to generate certificates
(1)Openssl generates public and private keys

Openssl is used to generate public and private key pairs, which are used to verify the security of messages between external merchant systems and xxx systems. If the user does not need to generate the public and private keys, but directly processes the message, refer to the fourth part to calculate the digest and signature value.

1. directly click the exe file for the steps of installing openssl. If you need to install vs28 plug-ins, just ignore them.

2. during the installation process, find the corresponding installation directory of OpenSSL, enter the bin directory to find the openssl.exe executable file, and click Run. Then enter the following commands in sequence:

a.genrsa–out private-rsa.key124

Description: this command is to generate an unencrypted private key

genrsa generates a private key file, and the private key is stored in private-RSA.key, with a length of 124. Specify the output file name after out.

private-rsa.key is the generated private key file, but it must be processed to get the private key.

B. req–new–x59–key private-rsa.key–days 75–out public-RSA. cer

Description: generating certificate public-rsa.cer

-new represents a new request

-59 table. The output certificate structure

75 indicates the valid days of the certificate

-out public-rsa.cer -out followed by a public key certificate, which is used to verify the digital signature. This public key certificate or public key needs to be sent to the receiver who needs to verify the data of the company or department in advance.

C. PKCS12–export–name test-alias–in public-RSA. cer–inkeyprivate-RSA. key–out99bill-RSA. pfx

note: the password in pkcs12 format should be input consistently before and after it is generated, which will be used in the process of generating public and private keys with Keystore.

public-rsa.cer, private-rsa.key was generated before.

attachment 1:

the following code is the Java version code for obtaining the private key from 99bill-rsa.pfx Because the private key generated in private-rsa.key cannot be used directly, it must be handled to some extent.

There are several points to note in the code:

The file stream initialization path needs to be filled in according to its own actual path.

the password is the password in step c in the second section, and suning is entered in this example.

KeyStorekeyStore = KeyStore.getInstance("PKCS12");

FileInputStreamfileInputStream = newFileInputStream("D:/OpenSSL/bin/99bill-rsa.pfx");

char[]nPassword = "suning".toCharArray();

StringkeyAlias = null;

keyStore.load(fileInputStream,nPassword);

fileInputStream.close();

System.out.println("keystoretype=" + keyStore.getType());

Enumeration< String> enumeration = keyStore.aliases();

if(enumeration.hasMoreElements())

{

keyAlias = (String) enumeration.nextElement();

System.out.println("alias=[" + keyAlias +"]");

}

System.out.println("iskey entry=" + keyStore.isKeyEntry(keyAlias));

PrivateKeyprikey = (PrivateKey) keyStore.getKey(keyAlias, nPassword);

// the private key is converted into a string

stringprivatestr = base64.encodedbase64String (prikey.getencoded ()). Trim ();

// generate a public key string, and

certificate cert = keystore.get certificate (keyalias) can also be generated through a cer certificate;

PublicKeypubkey = cert.getPublicKey();

StringpublicStr = Base64.encodeBase64String(pubKey.getEncoded()).trim();

Note:

1. Description of the classes used:

base64:

importorg.apache.commons.net.util.base64;

Certificate:

import java.security.cert.Certificate;

2. In the process of generating public and private keys by openssl, the user entered the password. The password in this example is suning.

1. abstract and generation method

the generation process of abstract (the digest method completely realizes the following three processes):

1. Sort the incoming map data according to the key;

2. generate a1 = B1 & a2=b2& A3=b3 string, excluding some string Key values;

3. Call digest method for md5 coding;

the above three steps are all realized by the method of Digest.digest ():

string digest = digest.digest (map <; String,String> map, String... keys);

the body content of the delivered http newspaper is as follows: a1 = B1&; a2=b2& A3=b3 character string, extract the character string to be tagged and convert it into map form. ExecludeKes is a field to be excluded, which is an array of strings.

it is very important to calculate the summary, because the selected fields require the sender and the receiver to be consistent, that is, which fields the sender calculates the summary for, then the receiver must also calculate the summary for the same fields, otherwise an error of 661 will be reported.

description: a. Map is a field in which the calculation summary is stored

b. keys is an excluded field, which cannot be used to calculate the summary, such as signature,signAlgorithm

2. Public key certificate and string conversion method

The purpose of conversion is to facilitate storage. (The merchant can directly provide the public key certificate, but for the merchant who provides the public key string to the signature verification system, it is necessary to use the following code to convert the public key into a string)

1. The public key/private key string is converted into a public key, mainly to convert the string into a public key public key public key

x59 encoded keyspec pubkeyspec = new x59 encoded keyspec (base64. Decodebase64 (STR PubKey));

KeyFactorykeyFactory = KeyFactory.getInstance(RSA);

PublicKeypubKey = keyFactory.generatePublic(pubKeySpec);

2. public key or private key is converted into Base64 string:

stringpublicstr = base64.encodedbase64 string (pubkey.getencoded ()). trim ();

3. verification method of public and private keys

verification purpose: after the public and private keys are generated, it is necessary to verify whether they match. (Before, many merchants generated public and private keys in confusion, and it was impossible to determine whether the public and private keys matched, so they added them to the sign verification system). This code is run by the user himself with junit verification. Verify whether the public and private keys are generated correctly. If the result is true, it means that the public and private keys are generated correctly. Otherwise, the generated public and private keys have problems and cannot be used.

String prik1 ="";

String pubb ="";

String data ="wkk";

String digest =Digest.digest(data);

PrivateKey privateKey =RSAUtil.getPrivateKey(prik1);

String sign =RSAUtil.sign(digest, privateKey);

boolean result =RSAUtil.vertiy(digest, sign,

RSAUtil.getPublicKey(pubb));

System.out.println(result);