Certificate overview:
ICM server certificate: issued by the intermediate CA; the intermediate CA is issued by the CA
UCGW client certificate: issued by the intermediate CA; the intermediate CA is issued by the CA
Certificate issuance process:
Create the ICM self-signed certificate
keytool -genkey -dname "CN=mars_icm, OU=rv, O=rcd, L=ZB, ST=bj, C=China" -alias icm -keyalg RSA -keystore temp/iview.keystore -keypass 111111 -storepass 111111 -validity 60
keytool -certreq -alias icm -keypass 111111 -file "temp/icm.self.csr" -keystore "temp/iview.keystore" -storepass 111111
keytool -export -alias icm -keystore temp/iview.keystore -storepass 111111 -rfc -file temp/icm.self.cer
Create the UCGW self-signed certificate
keytool -genkey -dname "CN=mars_UCGW, OU=rv, O=rcd, L=ZB, ST=bj, C=China" -alias ucgw -keyalg RSA -keystore temp/ucgw.keystore -keypass 111111 -storepass 111111 -validity 60
keytool -certreq -alias ucgw -keypass 111111 -file "temp/ucgw.self.csr" -keystore "temp/ucgw.keystore" -storepass 111111
keytool -export -alias ucgw -keystore temp/ucgw.keystore -storepass 111111 -rfc -file temp/ucgw.self.cer
Create the intermediate CA self-signed certificate
keytool -genkey -dname "CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China" -alias intermediary -keyalg RSA -keystore temp/inter.keystore -keypass 111111 -storepass 111111 -validity 60
keytool -certreq -alias intermediary -keypass 111111 -file "temp/inter.self.csr" -keystore "temp/inter.keystore" -storepass 111111
keytool -export -alias intermediary -keystore temp/inter.keystore -storepass 111111 -rfc -file temp/inter.self.cer
Create the CA certificate
keytool -genkey -dname "CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China" -alias root -keyalg RSA -keystore temp/ca--ca.keystore -keypass 111111 -storepass 111111 -validity 60
keytool -certreq -alias root -keypass 111111 -file "temp/root.csr" -keystore "temp/ca--ca.keystore" -storepass 111111
keytool -export -alias root -keystore temp/ca--ca.keystore -storepass 111111 -rfc -file temp/root.cer
CA issues the intermediate CA certificate
keytool -export -alias ca_signed -keystore temp/ca--ca_sign.keystore -storepass 111111 -rfc -file temp/inter.cer
Verify the intermediate CA certificate
It is signed by the CA
Import into the intermediate CA's KeyStore
keytool -importcert -noprompt -trustcacerts -alias root -file temp/root.cer -keystore temp/inter.keystore -storepass 111111 -keypass 111111
keytool -importcert -noprompt -alias intermediary -file temp/inter.cer -keystore temp/inter.keystore -storepass 111111
Intermediate CA issues the icm certificate
keytool -export -alias inter_signed -keystore temp/ca--ca_sign.keystore -storepass 111111 -rfc -file temp/icm.signed.cer
Intermediate CA issues the ucgw certificate
keytool -export -alias inter_signed -keystore temp/ca--ca_sign.keystore -storepass 111111 -rfc -file temp/ucgw.signed.cer
Verify the ICM certificate
It is signed by the CA
Verify the UCGW certificate
It is signed by the CA
Import into the ICM KeyStore
keytool -importcert -noprompt -trustcacerts -alias root -file temp/root.cer -keystore temp/iview.keystore -storepass 111111 -keypass 111111
keytool -importcert -noprompt -trustcacerts -alias intermediary -file temp/inter.cer -keystore temp/iview.keystore -storepass 111111 -keypass 111111
keytool -importcert -noprompt -alias icm -file temp/icm.signed.cer -keystore temp/iview.keystore -storepass 111111
Import into the UCGW KeyStore
keytool -importcert -noprompt -trustcacerts -alias root -file temp/root.cer -keystore temp/ucgw.keystore -storepass 111111 -keypass 111111
keytool -importcert -noprompt -trustcacerts -alias intermediary -file temp/inter.cer -keystore temp/ucgw.keystore -storepass 111111 -keypass 111111
keytool -importcert -noprompt -alias ucgw -file temp/ucgw.signed.cer -keystore temp/ucgw.keystore -storepass 111111
---------------------------------------------------------------
keytool -list -keystore temp/ca--ca.keystore -storepass 111111
...
root, 2011-11-5, PrivateKeyEntry,
认证指纹 (MD5): 49:44:8A:79:3C:62:ED:66:AA:20:D6:BF:65:3E:23:C4
---------------------------------------------------------------
keytool -list -keystore temp/inter.keystore -storepass 111111
...
root, 2011-11-5, trustedCertEntry,
认证指纹 (MD5): 49:44:8A:79:3C:62:ED:66:AA:20:D6:BF:65:3E:23:C4
intermediary, 2011-11-5, PrivateKeyEntry,
认证指纹 (MD5): 23:6C:C0:46:67:CF:9E:4E:EF:A9:74:95:AB:EE:37:21
---------------------------------------------------------------
keytool -list -v -keystore temp/iview.keystore -storepass 111111
...
您的 keystore 包含 3 输入
别名名称: root
创建日期: 2011-11-5
输入类型: trustedCertEntry
所有者:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
签发人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列号:4eb449c5
有效期: Sat Nov 05 04:23:33 CST 2011 至Wed Jan 04 04:23:33 CST 2012
证书指纹:
MD5:49:44:8A:79:3C:62:ED:66:AA:20:D6:BF:65:3E:23:C4
SHA1:EA:92:AE:59:D1:8D:B6:2F:33:B7:65:CC:6E:B0:B5:7D:40:CF:45:BE
签名算法名称:SHA1withRSA
版本: 3
*******************************************
*******************************************
别名名称: intermediary
创建日期: 2011-11-5
输入类型: trustedCertEntry
所有者:CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China
签发人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列号:4eb449c7
有效期: Sat Nov 05 04:23:35 CST 2011 至Wed Jan 22 04:23:35 CST 2020
证书指纹:
MD5:23:6C:C0:46:67:CF:9E:4E:EF:A9:74:95:AB:EE:37:21
SHA1:54:86:85:BC:9C:D5:D2:E8:A4:E6:33:DD:4F:42:87:FB:2A:92:F3:84
签名算法名称:MD5withRSA
版本: 3
*******************************************
*******************************************
别名名称: icm
创建日期: 2011-11-5
项类型: PrivateKeyEntry
认证链长度: 3
认证 [1]:
所有者:CN=mars_icm, OU=rv, O=rcd, L=ZB, ST=bj, C=China
签发人:CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列号:4eb449ca
有效期: Sat Nov 05 04:23:38 CST 2011 至Wed Jan 22 04:23:38 CST 2020
证书指纹:
MD5:95:97:C3:2C:2C:A5:B4:7A:17:EF:98:B7:7B:BC:AE:4A
SHA1:E1:92:F9:79:48:FE:59:AF:3F:85:CE:2A:21:82:AD:B2:00:60:EB:D7
签名算法名称:MD5withRSA
版本: 3
认证 [2]:
所有者:CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China
签发人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列号:4eb449c7
有效期: Sat Nov 05 04:23:35 CST 2011 至Wed Jan 22 04:23:35 CST 2020
证书指纹:
MD5:23:6C:C0:46:67:CF:9E:4E:EF:A9:74:95:AB:EE:37:21
SHA1:54:86:85:BC:9C:D5:D2:E8:A4:E6:33:DD:4F:42:87:FB:2A:92:F3:84
签名算法名称:MD5withRSA
版本: 3
认证 [3]:
所有者:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
签发人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列号:4eb449c5
有效期: Sat Nov 05 04:23:33 CST 2011 至Wed Jan 04 04:23:33 CST 2012
证书指纹:
MD5:49:44:8A:79:3C:62:ED:66:AA:20:D6:BF:65:3E:23:C4
SHA1:EA:92:AE:59:D1:8D:B6:2F:33:B7:65:CC:6E:B0:B5:7D:40:CF:45:BE
签名算法名称:SHA1withRSA
版本: 3
---------------------------------------------------------------
keytool -list -v -keystore temp/ucgw.keystore -storepass 111111
...
您的 keystore 包含 3 输入
别名名称: root
创建日期: 2011-11-5
输入类型: trustedCertEntry
所有者:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
签发人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列号:4eb449c5
有效期: Sat Nov 05 04:23:33 CST 2011 至Wed Jan 04 04:23:33 CST 2012
证书指纹:
MD5:49:44:8A:79:3C:62:ED:66:AA:20:D6:BF:65:3E:23:C4
SHA1:EA:92:AE:59:D1:8D:B6:2F:33:B7:65:CC:6E:B0:B5:7D:40:CF:45:BE
签名算法名称:SHA1withRSA
版本: 3
*******************************************
*******************************************
别名名称: intermediary
创建日期: 2011-11-5
输入类型: trustedCertEntry
所有者:CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China
签发人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列号:4eb449c7
有效期: Sat Nov 05 04:23:35 CST 2011 至Wed Jan 22 04:23:35 CST 2020
证书指纹:
MD5:23:6C:C0:46:67:CF:9E:4E:EF:A9:74:95:AB:EE:37:21
SHA1:54:86:85:BC:9C:D5:D2:E8:A4:E6:33:DD:4F:42:87:FB:2A:92:F3:84
签名算法名称:MD5withRSA
版本: 3
*******************************************
*******************************************
别名名称: ucgw
创建日期: 2011-11-5
项类型: PrivateKeyEntry
认证链长度: 3
认证 [1]:
所有者:CN=mars_UCGW, OU=rv, O=rcd, L=ZB, ST=bj, C=China
签发人:CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列号:4eb449cb
有效期: Sat Nov 05 04:23:39 CST 2011 至Wed Jan 22 04:23:39 CST 2020
证书指纹:
MD5:D7:6D:ED:9C:13:B6:79:D2:4C:B1:B7:57:CE:AA:BB:54
SHA1:C0:AD:FC:86:53:CB:4F:92:D6:6C:2E:23:25:8F:EF:89:7D:8D:3A:EB
签名算法名称:MD5withRSA
版本: 3
认证 [2]:
所有者:CN=mars_inter, OU=rv, O=rcd, L=ZB, ST=bj, C=China
签发人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列号:4eb449c7
有效期: Sat Nov 05 04:23:35 CST 2011 至Wed Jan 22 04:23:35 CST 2020
证书指纹:
MD5:23:6C:C0:46:67:CF:9E:4E:EF:A9:74:95:AB:EE:37:21
SHA1:54:86:85:BC:9C:D5:D2:E8:A4:E6:33:DD:4F:42:87:FB:2A:92:F3:84
签名算法名称:MD5withRSA
版本: 3
认证 [3]:
所有者:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
签发人:CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China
序列号:4eb449c5
有效期: Sat Nov 05 04:23:33 CST 2011 至Wed Jan 04 04:23:33 CST 2012
证书指纹:
MD5:49:44:8A:79:3C:62:ED:66:AA:20:D6:BF:65:3E:23:C4
SHA1:EA:92:AE:59:D1:8D:B6:2F:33:B7:65:CC:6E:B0:B5:7D:40:CF:45:BE
签名算法名称:SHA1withRSA
版本: 3
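The keystore listings above show each leaf with a chain of three certificates ending at the root. As an added example (not from the original notes), here is the same hierarchy rebuilt and validated with Go's crypto/x509 in place of keytool, using constructed ECDSA keys, serials 1-4 and the page's validity periods; it shows why inter.cer has to be imported into each keystore, and that the 60-day root (expiring 2012-01-04) invalidates the whole chain even though the certificates it issued run to 2020.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// start is a constructed NotBefore matching the page's root certificate (2011-11-05 04:23:33).
var start = time.Date(2011, 11, 5, 4, 23, 33, 0, time.UTC)

// issue makes a key pair and a certificate for cn signed by parent (self-signed when parent is nil); CertSign marks a CA.
func issue(cn string, serial int64, days int, ku x509.KeyUsage, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ECDSA instead of the page's RSA, for speed
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: start, NotAfter: start.AddDate(0, 0, days), KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// The page's hierarchy: CA valid 60 days (to 2012-01-04); everything it issues valid 3000 days (to 2020-01-22).
var root, rootKey = issue("mars_ca", 1, 60, x509.KeyUsageCertSign, nil, nil)
var inter, interKey = issue("mars_inter", 2, 3000, x509.KeyUsageCertSign, root, rootKey)
var icm, _ = issue("mars_icm", 3, 3000, x509.KeyUsageDigitalSignature, inter, interKey)
var ucgw, _ = issue("mars_UCGW", 4, 3000, x509.KeyUsageDigitalSignature, inter, interKey)
// verifyChain validates leaf up to the trusted anchor as of time at (mid nil = intermediate never imported).
func verifyChain(leaf, mid, anchor *x509.Certificate, at time.Time) (int, error) {
	roots, mids := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor) // only the self-signed CA is a trust anchor, as with -trustcacerts root.cer
	if mid != nil {
		mids.AddCert(mid)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mids, CurrentTime: at})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}
```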
Mutual authentication TLS packet capture:
filter:
tcp.port==9527&&ssl
route add <your_IP> mask 255.255.255.255 <the_gateway> metric 1
route delete <your_IP>
route add 192.168.0.100 mask 255.255.255.255 192.168.0.1 metric 1
route delete 192.168.0.100
1: 54292[client] 9527[server] TLSv1 Client Hello
2,3,4,5: 9527[server] 54292[client] TLSv1 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
6,7: 54292[client] 9527[server] TLSv1 Certificate, Client Key Exchange
8: 54292[client] 9527[server] TLSv1 Certificate Verify
9,10: 54292[client] 9527[server] TLSv1 Change Cipher Spec, Encrypted Handshake Message
11,12: 9527[server] 54292[client] TLSv1 Change Cipher Spec (Finished)
9527[server] 54292[client] TLSv1 Encrypted Handshake Message, Application Data, Application Data, Encrypted Alert
Mutual authentication flow: