前言:
目前我们对“java认证证书怎么考”大体比较关心,看官们都需要分析一些“java认证证书怎么考”的相关文章。那么小编同时在网摘上汇集了一些对于“java认证证书怎么考”的相关知识,希望咱们能喜欢,你们一起来了解一下吧!
概述
数字证书
数字证书是互联网通讯中标志通讯各方身份信息的一串数字,提供了一种在Internet上验证通信实体身份的方式。数字证书不是数字身份证,而是身份认证机构盖在数字身份证上的一个章或印(或者说加在数字身份证上的一个签名)。
数字证书是由权威机构(CA机构),又称为证书授权(Certificate Authority)中心发行的,人们可以在网上用它来识别对方的身份。
数字证书的应用场景
1、服务器证书,安装于服务器设备上,用来证明服务器的身份和进行通信加密,服务器证书可以用来防止欺诈钓鱼站点。
2、客户端个人/企业组织证书,用于身份认证和电子签名,例如SSL双向登录、文档签名、代码签名以及一些网页上的表单签名。
数字证书相关参考内容:
1、密钥库和证书格式:
2、Nginx配置SSL证书:
3、读取网站申请SSL证书,JKS、PFX、CRT格式:
4、命令制作证书及代码生成证书:
证书签名
pom.xml
<!--
  Bouncy Castle provider (bcprov) and its PKIX helper library (bcpkix).
  Both artifacts are pinned to the same version; keep them in step when upgrading.
  NOTE(review): the signing and keystore-conversion classes on this page import only
  java.* classes, so these dependencies are presumably needed by code that is not
  shown here (for example KeyStoreUtils). Confirm before copying them.
  NOTE(review): 1.70 is a fixed, pinned release. Check the Bouncy Castle release
  notes for later security fixes before reusing this version.
-->
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15to18</artifactId>
    <version>1.70</version>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15to18</artifactId>
    <version>1.70</version>
</dependency>
签名和验签案例
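package com.what21.netty01.demo01.sign;

import com.what21.netty01.demo01.cert2.KeyStoreUtils;

/**
 * Demo: signs a fixed string with the private key of a keystore entry and then
 * verifies the signature with the public key of the same entry.
 *
 * <p>Both keys come from the same {@code KeyStoreEntry}, so this only shows that
 * the sign/verify round trip works. A real verifier receives the public key
 * inside a certificate from the other party and must validate that certificate
 * before trusting a {@code true} result.
 */
public class CertSignUtilsDemo {

    /**
     * Runs the sign-then-verify round trip and prints the Base64 signature
     * followed by the verification result.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        // KeyStoreUtils is not shown on this page; presumably it loads the demo
        // key pair from a keystore file (confirm against that class).
        KeyStoreUtils.KeyStoreEntry keyStoreEntry = KeyStoreUtils.readToKeyStoreEntry();

        String text = "被签名的内容";

        // Sign with the private key.
        String signContent;
        try {
            signContent = CertSignUtils.sign(keyStoreEntry.getPrivateKey(), text);
        } catch (Exception e) {
            // Without a signature there is nothing meaningful to verify, so stop
            // here instead of verifying an empty string.
            System.err.println("Signing failed: " + e);
            e.printStackTrace();
            return;
        }
        System.out.println(signContent);

        // Verify with the public key. Any error counts as "not verified".
        boolean verifySigned;
        try {
            verifySigned = CertSignUtils.verify(keyStoreEntry.getPublicKey(), text, signContent);
        } catch (Exception e) {
            e.printStackTrace();
            verifySigned = false;
        }
        System.out.println(verifySigned);
    }
}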
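package com.what21.netty01.demo01.sign;

import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/**
 * Helpers for producing and checking RSA signatures over text, with the
 * signature exchanged as a Base64 string.
 *
 * <p>The text is always encoded as UTF-8 before it is signed or verified, so
 * both sides must pass the identical string.
 */
public class CertSignUtils {

    /** JCA signature algorithm name shared by {@link #sign} and {@link #verify}. */
    private static final String SIGNATURE_ALGORITHM = "SHA384WithRSA";

    /**
     * Signs {@code content} with {@code privateKey}.
     *
     * @param privateKey RSA private key used to create the signature
     * @param content    text to sign; encoded as UTF-8
     * @return the signature, Base64-encoded
     * @throws Exception if the algorithm is unavailable, the key is rejected, or signing fails
     */
    public static String sign(PrivateKey privateKey, String content) throws Exception {
        Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
        signature.initSign(privateKey);
        // A charset constant avoids the checked UnsupportedEncodingException
        // that the string name "utf-8" drags in.
        signature.update(content.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(signature.sign());
    }

    /**
     * Checks that {@code sign} is a valid signature of {@code content} under {@code publicKey}.
     *
     * <p>This only proves the signature matches the given key. No certificate
     * checks are done here, so the caller must already have established that
     * the key belongs to the expected party.
     *
     * @param publicKey RSA public key to verify against
     * @param content   text that was signed; encoded as UTF-8
     * @param sign      Base64-encoded signature, typically received from a peer
     * @return {@code true} only if the signature verifies; {@code false} if it does not
     *         or if {@code sign} is not valid Base64
     * @throws Exception if the algorithm is unavailable, the key is rejected, or the
     *                   provider reports a signature error
     */
    public static boolean verify(PublicKey publicKey, String content, String sign) throws Exception {
        Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
        signature.initVerify(publicKey);
        signature.update(content.getBytes(StandardCharsets.UTF_8));

        final byte[] signatureBytes;
        try {
            signatureBytes = Base64.getDecoder().decode(sign);
        } catch (IllegalArgumentException malformed) {
            // The signature string usually comes from outside. Malformed Base64
            // is a failed verification, not an unchecked exception for the caller.
            return false;
        }
        return signature.verify(signatureBytes);
    }
}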
JKS格式与PFX格式相互转换
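package com.what21.netty01.demo01.cert3;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

/**
 * Converts a JKS keystore file into a PKCS#12 (.pfx) keystore file.
 */
public class JKSConvertor {

    // Keystore type names
    public static final String JKS = "JKS";
    public static final String PKCS12 = "PKCS12";

    /**
     * Copies every key entry of a JKS keystore into a new PKCS#12 keystore file.
     *
     * <p>Only key entries are copied (alias, key and certificate chain). Entries
     * for which {@code isKeyEntry} is false, such as trusted certificates, are
     * skipped. The same password opens the source store, reads each key, protects
     * each key in the output and protects the output store, so a key whose own
     * password differs from the store password cannot be read and the call fails.
     *
     * <p>The output file contains private keys. It is created with the
     * process's default file permissions, so restrict access to it afterwards.
     *
     * @param storePath   path of the JKS keystore to read
     * @param storePasswd password of the source store, reused for the output store and its keys
     * @param pfxPath     path of the PKCS#12 file to write; an existing file is overwritten
     * @throws Exception if a file cannot be read or written, the password is wrong,
     *                   or a keystore operation fails
     */
    public static void toPKCS12(String storePath, String storePasswd, String pfxPath) throws Exception {
        char[] password = storePasswd.toCharArray();

        // Read the source keystore. try-with-resources closes the stream even
        // when load() throws, for example on a wrong password.
        KeyStore inputKeyStore = KeyStore.getInstance(JKS);
        try (FileInputStream inputStream = new FileInputStream(storePath)) {
            inputKeyStore.load(inputStream, password);
        }

        // Start from an empty PKCS#12 keystore.
        KeyStore outputKeyStore = KeyStore.getInstance(PKCS12);
        outputKeyStore.load(null, password);

        Enumeration<String> aliases = inputKeyStore.aliases();
        while (aliases.hasMoreElements()) {
            String keyAlias = aliases.nextElement();
            if (inputKeyStore.isKeyEntry(keyAlias)) {
                Key key = inputKeyStore.getKey(keyAlias, password);
                Certificate[] certChain = inputKeyStore.getCertificateChain(keyAlias);
                outputKeyStore.setKeyEntry(keyAlias, key, password, certChain);
            }
        }

        // Write the result. The stream is closed even if store() fails.
        try (FileOutputStream outputStream = new FileOutputStream(pfxPath)) {
            outputKeyStore.store(outputStream, password);
        }
    }

    /**
     * Demo entry point: converts two sample keystores at fixed paths.
     *
     * @param args unused
     * @throws Exception if a conversion fails
     */
    public static void main(String[] args) throws Exception {
        // "123456" is a sample password for the local demo keystores only. Do not
        // reuse it, and do not hard-code passwords, for a keystore holding a real key.
        JKSConvertor.toPKCS12("D://localhost_server.jks", "123456", "D://localhost_server.pfx");
        JKSConvertor.toPKCS12("D:/localhost_client1.jks", "123456", "D:/localhost_client1.pfx");
    }
}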
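package com.what21.netty01.demo01.cert3;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

/**
 * Converts a PKCS#12 (.pfx) keystore file into a JKS keystore file.
 *
 * <p>JKS is the older JDK keystore format; PKCS12 has been the JDK default
 * keystore type since Java 9. Convert to JKS only when a consumer requires it.
 */
public class PKCS12Convertor {

    // Keystore type names
    public static final String JKS = "JKS";
    public static final String PKCS12 = "PKCS12";

    /**
     * Copies every key entry of a PKCS#12 keystore into a new JKS keystore file.
     *
     * <p>Only key entries are copied (alias, key and certificate chain). Entries
     * for which {@code isKeyEntry} is false are skipped. The same password opens
     * the source store, reads each key, protects each key in the output and
     * protects the output store.
     *
     * <p>The output file contains private keys. It is created with the
     * process's default file permissions, so restrict access to it afterwards.
     *
     * @param pfxPath     path of the PKCS#12 keystore to read
     * @param storePasswd password of the source store, reused for the output store and its keys
     * @param jksPath     path of the JKS file to write; an existing file is overwritten
     * @throws Exception if a file cannot be read or written, the password is wrong,
     *                   or a keystore operation fails
     */
    public static void toJKS(String pfxPath, String storePasswd, String jksPath) throws Exception {
        // Password of the PKCS#12 store.
        char[] password = storePasswd.toCharArray();

        // Read the source keystore. try-with-resources closes the stream even
        // when load() throws, for example on a wrong password.
        KeyStore inputKeyStore = KeyStore.getInstance(PKCS12);
        try (FileInputStream inputStream = new FileInputStream(pfxPath)) {
            inputKeyStore.load(inputStream, password);
        }

        // Start from an empty JKS keystore.
        KeyStore outputKeyStore = KeyStore.getInstance(JKS);
        outputKeyStore.load(null, password);

        Enumeration<String> aliases = inputKeyStore.aliases();
        while (aliases.hasMoreElements()) {
            String keyAlias = aliases.nextElement();
            if (inputKeyStore.isKeyEntry(keyAlias)) {
                Key key = inputKeyStore.getKey(keyAlias, password);
                Certificate[] certChain = inputKeyStore.getCertificateChain(keyAlias);
                outputKeyStore.setKeyEntry(keyAlias, key, password, certChain);
            }
        }

        // Write the result. The stream is closed even if store() fails.
        try (FileOutputStream outputStream = new FileOutputStream(jksPath)) {
            outputKeyStore.store(outputStream, password);
        }
    }

    /**
     * Demo entry point: converts two sample keystores at fixed paths.
     *
     * @param args unused
     * @throws Exception if a conversion fails
     */
    public static void main(String[] args) throws Exception {
        // "123456" is a sample password for the local demo keystores only. Do not
        // reuse it, and do not hard-code passwords, for a keystore holding a real key.
        // Passing -storepass on the command line also exposes the password in
        // shell history and process listings; omit it to let keytool prompt.

        // keytool -list -keystore D://localhost_server.2.jks
        // keytool -list -rfc -keystore D://localhost_server.2.jks -storepass 123456
        PKCS12Convertor.toJKS("D://localhost_server.pfx", "123456", "D://localhost_server.2.jks");
        // keytool -list -keystore D://localhost_client1.2.jks
        // keytool -list -rfc -keystore D://localhost_client1.2.jks -storepass 123456
        PKCS12Convertor.toJKS("D:/localhost_client1.pfx", "123456", "D:/localhost_client1.2.jks");
    }
}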