Making your own CA certificates

Reference: liang.iteye.com/blog/2003057

After deploying it on Tomcat, the browser complained about a weak signature algorithm. Baidu turned up no fix at all, so I googled "Weak signature"

and found the answer here: http://michaelwyres.com/2012/05/chrome-weak-signature-algorithm-solved/

The solution?

Change the hashing from MD5 to SHA512.

If you create your certificates directly from the command line, use the -sha512 switch instead of the -md5 switch – for example:

    openssl req -new -x509 -sha512 -nodes -out server.crt -keyout server.key

If using an "openssl.cnf" configuration file, make sure all "default_md" directives have "sha512" as their values.

    default_md = sha512

Your new keys should now be signed with SHA512 instead of MD5, and no more complaints from Google Chrome about the weak algorithm.


P.S. Commands for the Windows CMD prompt (typed by hand). The first line points OpenSSL at the config file and the second starts the interactive openssl.exe prompt; everything after that is typed at that prompt, which is why the "openssl" prefix is missing from the commands below.

set OPENSSL_CONF=openssl.cnf
openssl.exe
Create the CA root certificate (-nodes writes ca.key unencrypted; for a CA you would normally leave it out and accept the passphrase prompt at signing time. The ca.p12 bundle contains that same private key, so it is a backup, not something to hand out):
req -new -x509 -sha512 -nodes -days 3650 -out ca.crt -keyout ca.key
pkcs12 -export -inkey ca.key -in ca.crt -out ca.p12

Generate a certificate signing request and sign it with the CA root certificate:
req -new -key server_21.key -out server_21.csr -days 3650 -extensions v3_req -config openssl-21.cnf
ca -in server_21.csr -out server_21.crt -cert ca.crt -keyfile ca.key -config openssl-21.cnf
pkcs12 -export -inkey server_21.key -in server_21.crt -out server_21.p12
Note: -extensions v3_req is what adds the SubjectAltName list. Two things to check here. On OpenSSL 1.x, -extensions only applies to certificates made with -x509; the flag that puts a config section into a CSR is -reqexts v3_req (or req_extensions = v3_req in the [req] section of the config; OpenSSL 3.x accepts either flag), so confirm with req -text that the CSR really carries the SAN. And -days on a req -new without -x509 is ignored: the validity of server_21.crt comes from the ca command's -days option or default_days in [CA_default]. Also, if you have not set copy_extensions = copy under the [CA_default] section in the openssl.cnf file, the signed certificate will not include any of the certificate extensions that were in the original CSR. Be aware that copy copies every extension in the CSR, including a basicConstraints CA:TRUE if the requester put one there, so only sign CSRs you have inspected or generated yourself.
Reference posts:
http://apetec.com/support/GenerateSAN-CSR.htm
http://documentation.progress.com/output/Iona/artix/5.5/security_guide_java/i382674.html

Revoke:
ca -cert ca.crt -keyfile ca.key -revoke server_29.crt
(This only marks the certificate as revoked in the CA's index.txt database. Nothing consults that file directly: you still have to issue a CRL with ca -gencrl and get it to the clients, otherwise the revoked certificate keeps working.)

Inspect the CSR (the Requested Extensions block must show the Subject Alternative Name, otherwise the signed certificate will not have it either):
req -text -noout -in server_21.csr

Problem 1:

java.security.cert.CertificateException: No subject alternative names present

Solution:

-extensions v3_req adds the SubjectAltName list. Java's hostname verifier (sun.security.util.HostnameChecker) throws exactly this when the URL names an IP address and the certificate carries no subjectAltName entries: for IP addresses only an IP: entry in the SAN counts and the commonName is never consulted, so the SAN has to be in the CSR and has to survive signing (see the copy_extensions note above).

Problem 2:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
	... 31 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Solution:

Add the root certificate to the JRE's trusted certificate store (the keystore password defaults to changeit; -import is the old name of -importcert). Run cmd as administrator:
keytool -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" |find "myca"
keytool -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -delete -alias myca
keytool -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -import -alias gcidesignca -file ca.crt
(The alias deleted here, myca, and the alias imported, gcidesignca, are whatever you chose earlier; keep them consistent. Editing cacerts trusts this CA for every application on that JRE and is lost when the JRE is upgraded; for a single application it is cleaner to import ca.crt into its own keystore and point the JVM at it with -Djavax.net.ssl.trustStore.)


Problem 3:

IP address as subjectaltname does not work with IE8 but works with firefox

Solution: Apparently, to make IE work, you need to use subjectAltName=DNS:10.0.0.1 instead of subjectAltName=IP:10.0.0.1.

Actually, to make all web browsers work, you'll want to use subjectAltName=DNS:10.0.0.1,IP:10.0.0.1.
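The whole procedure above as one runnable script, added here as an example; it is not from the original post or from the linked references. It builds the CA, a CSR whose SAN carries both the DNS: and IP: forms of the address (the advice under Problem 3), signs it with copy_extensions = copy and default_md = sha512, then checks what Problems 1 and 2 check (SAN present in CSR and cert, chain builds to ca.crt, name and IP match), and finishes with -revoke followed by the CRL the original never issues. It assumes only openssl (1.1.1 or 3.x) on PATH and a POSIX shell (Git Bash or WSL on Windows); the CA name myca, the address 10.0.0.1 and every file name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or its references): the procedure
# above as one script, with the SAN carrying both DNS: and IP: forms of the
# address (Problem 3) and the checks behind Problems 1 and 2. Assumes only
# openssl (1.1.1 or 3.x) on PATH; myca, 10.0.0.1 and the file names are
# placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
mkdir -p newcerts
: > index.txt
echo 1000 > serial

# One config for req and ca. default_md = sha512 everywhere is the "weak
# signature algorithm" fix; copy_extensions = copy carries the CSR's SAN into
# the signed cert (and anything else the CSR asked for, so read CSRs first).
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
database         = index.txt
serial           = serial
new_certs_dir    = newcerts
certificate      = ca.crt
private_key      = ca.key
default_md       = sha512
default_days     = 825
default_crl_days = 30
policy           = policy_any
x509_extensions  = v3_signed
copy_extensions  = copy
[ policy_any ]
commonName       = supplied
[ v3_signed ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
default_bits       = 2048
default_md         = sha512
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:10.0.0.1,IP:10.0.0.1,DNS:localhost
EOF

# CA root. -nodes leaves ca.key unencrypted, as in the original; drop it for
# a CA you intend to keep.
openssl req -new -x509 -sha512 -nodes -days 3650 -config openssl.cnf \
    -subj /CN=myca -keyout ca.key -out ca.crt 2>/dev/null

# Server key and CSR. On OpenSSL 1.x, -reqexts (not -extensions) is the flag
# that puts a config section into a CSR; 3.x accepts either name.
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -config openssl.cnf -reqexts v3_req \
    -subj /CN=10.0.0.1 -out server.csr

# Sign. -batch skips the y/n prompts (remove 2>/dev/null to see the log).
openssl ca -batch -notext -config openssl.cnf -cert ca.crt -keyfile ca.key \
    -in server.csr -out server.crt 2>/dev/null

# Signature algorithm, the field behind Chrome's "weak signature" warning.
sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}
# SAN list of a CSR ($1=req) or certificate ($1=x509); Problem 1 is this
# being empty in the certificate a Java client sees.
san_of() {
    openssl "$1" -in "$2" -noout -text \
        | awk '/Subject Alternative Name/ {getline; sub(/^ +/, ""); print; exit}'
}
# Path building (Problem 2): the client must hold ca.crt as a trust anchor.
chain_ok() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }
# Name matching against the SAN, as browsers and Java do it.
host_ok() { openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1; }
ip_ok()   { openssl verify -CAfile ca.crt -verify_ip "$2" "$1" >/dev/null 2>&1; }
# Revocation is only visible to clients once a CRL exists and is checked.
is_revoked() {
    openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" 2>&1 \
        | grep -q 'certificate revoked'
}

echo "CSR SAN : $(san_of req server.csr)"
echo "cert SAN: $(san_of x509 server.crt)"
echo "sig alg : $(sig_alg server.crt)"
chain_ok server.crt && echo "chain   : OK against ca.crt"
host_ok server.crt localhost && echo "host    : localhost matches"
ip_ok server.crt 10.0.0.1 && echo "ip      : 10.0.0.1 matches"

# Revoke, then issue the CRL; the original stops after -revoke.
openssl ca -config openssl.cnf -cert ca.crt -keyfile ca.key -revoke server.crt 2>/dev/null
openssl ca -config openssl.cnf -cert ca.crt -keyfile ca.key -gencrl -out ca.crl 2>/dev/null
is_revoked server.crt && echo "revoked : yes, once the CRL is consulted"
```

The four check functions are the ones worth keeping around: run sig_alg and san_of against the CSR and the certificate you actually deployed to Tomcat before touching the Java trust store, because a missing SAN or an md5/sha1 signature is a certificate problem that no amount of keytool work will fix. chain_ok is the openssl equivalent of what the PKIX error in Problem 2 complains about: whichever client you use, it needs ca.crt as a trust anchor, and nothing else.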



(to be continued)
