From certificate Alias to PEM File with private key included using Java


Question

I have the following code that generates a CER file from an alias:

import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;

public class TestFromAliasToCER {

    public static final int KEY_SIZE = 1024;
    public static final String BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
    public static final String END_CERT = "-----END CERTIFICATE-----";
    public final static String LINE_SEPARATOR = System.getProperty("line.separator");

    public static void main(String[] args) throws FileNotFoundException, IOException, NoSuchAlgorithmException, NoSuchProviderException, KeyStoreException, CertificateException {

        // Windows-MY is the SunMSCAPI view of the current user's personal certificate store
        KeyStore keyStore = KeyStore.getInstance("Windows-MY");
        keyStore.load(null, null);
        Enumeration<String> aux = keyStore.aliases();
        if (!aux.hasMoreElements()) {
            throw new KeyStoreException("Windows-MY contains no certificates");
        }
        String alias = aux.nextElement();
        X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);
        String certString = formatCrtFileContents(certificate);
        try (PrintWriter out = new PrintWriter("cert.CER")) {
            out.println(certString);
        }
    }

    public static String formatCrtFileContents(final Certificate certificate) throws CertificateEncodingException {
        // MIME-style base64 folded at 64 columns, which is what PEM readers expect
        final Base64.Encoder encoder = Base64.getMimeEncoder(64, LINE_SEPARATOR.getBytes());
        final byte[] rawCrtText = certificate.getEncoded();
        final String encodedCertText = new String(encoder.encode(rawCrtText));
        final String prettified_cert = BEGIN_CERT + LINE_SEPARATOR + encodedCertText + LINE_SEPARATOR + END_CERT;
        return prettified_cert;
    }
}

This produces a file of the form

-----BEGIN CERTIFICATE-----
data
-----END CERTIFICATE-----

I want to be able to create a PEM Certificate with the private key included, is it possible? If not, why?

I'm not restricted to Java only and free to use any Java API, but preferably with the least user interaction possible.

Recommended answer

Although I don't see it documented, according to the source the SunMSCAPI provider implements only a stub for getEncoded and cannot export a Windows private key, so you can't do this with JCA.

You could of course write JNI or JNA to call Windows CAPI, but that's not simple.

To use existing tools without user interaction you can use Runtime or ProcessBuilder to

  • run certutil with the arguments -exportpfx -user -p password certid filename

  • run powershell and tell it to select an object in cert:\currentuser\my and invoke the Export('PFX','password') method -- examples for machine rather than user cert here

  • or in (only) recent powershell use the Export-PFXCertificate cmdlet (documentation here)

and after any of these, extract from pkcs12 to PEM with openssl pkcs12, or if you prefer with Java by:

  • loading the PKCS12 keystore and getting the PrivateKey entry

  • calling getEncoded and encoding the result in folded (MIME) base64 like you did for the certificate, except using -----BEGIN/END PRIVATE KEY-----

Warning: Java produces an unencrypted (PKCS8) private key, so make certain no unauthorized user or program ever has access to this file, your disk/filesystem or any backup(s).
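The procedure in the answer, wired together as one Java program. This is an added example, not code from the question or the answer. It assumes Windows with certutil.exe on PATH, Java 9 or later (for InputStream.readAllBytes), that the key in Windows-MY is marked exportable, and that the certutil-written PFX protects the container and the key with the same password. The class name ExportAliasToPem, the helper names and the file names export.pfx and cert-with-key.pem are the example's own choices. It bridges from the Windows-MY alias the question starts with to a certId certutil accepts by computing the certificate's SHA-1 thumbprint, runs certutil -exportpfx without a console prompt, loads the PFX as a PKCS12 KeyStore, and writes the key and chain as PEM.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.concurrent.TimeUnit;

// Added example (not from the original Q&A): Windows-MY alias -> certutil PFX export -> PKCS#8 PEM.
// Assumes Windows, certutil.exe on PATH, Java 9+, and an exportable key owned by the current user.
public class ExportAliasToPem {
    private static final String LS = System.getProperty("line.separator");

    // SunMSCAPI will not hand out key bytes, but it does return the certificate;
    // its SHA-1 thumbprint is a certId that certutil matches on.
    static String thumbprintForAlias(String alias) throws GeneralSecurityException, IOException {
        KeyStore win = KeyStore.getInstance("Windows-MY");
        win.load(null, null);
        Certificate cert = win.getCertificate(alias);
        if (cert == null) throw new KeyStoreException("no certificate with alias " + alias + " in Windows-MY");
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Step 1: certutil -exportpfx -user -p <password> <certId> <file>, with no interactive prompt.
    // Caveat: while certutil runs, the password is visible in its command line to other local users.
    static void exportPfxWithCertutil(String certId, char[] pfxPassword, Path pfxFile)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder("certutil", "-exportpfx", "-user",
                "-p", new String(pfxPassword), certId, pfxFile.toString());
        pb.redirectErrorStream(true);
        Process p = pb.start();
        String output = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        if (!p.waitFor(60, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("certutil -exportpfx timed out");
        }
        if (p.exitValue() != 0) throw new IOException("certutil -exportpfx failed:" + LS + output);
    }

    // Step 2: load the PFX as a PKCS12 KeyStore and take the first entry that carries a private key.
    // Assumes the container and the key share one password, as certutil writes them.
    static KeyStore.PrivateKeyEntry loadPrivateKeyEntry(Path pfxFile, char[] pfxPassword)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(pfxFile)) {
            ks.load(in, pfxPassword);
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                return (KeyStore.PrivateKeyEntry) ks.getEntry(alias, new KeyStore.PasswordProtection(pfxPassword));
            }
        }
        throw new KeyStoreException("no private key entry in " + pfxFile);
    }

    // Step 3: folded base64 between PEM markers, the same framing the question uses for certificates.
    static String toPem(String type, byte[] der) {
        Base64.Encoder enc = Base64.getMimeEncoder(64, LS.getBytes(StandardCharsets.US_ASCII));
        return "-----BEGIN " + type + "-----" + LS + new String(enc.encode(der), StandardCharsets.US_ASCII)
                + LS + "-----END " + type + "-----" + LS;
    }

    // getEncoded() on a JCA PrivateKey is unencrypted PKCS#8, which is what "BEGIN PRIVATE KEY" denotes.
    static void writePem(KeyStore.PrivateKeyEntry entry, Path pemFile) throws IOException, GeneralSecurityException {
        PrivateKey key = entry.getPrivateKey();
        if (!"PKCS#8".equals(key.getFormat())) {
            throw new KeyStoreException("unexpected private key encoding " + key.getFormat());
        }
        StringBuilder pem = new StringBuilder(toPem("PRIVATE KEY", key.getEncoded()));
        for (Certificate c : entry.getCertificateChain()) pem.append(toPem("CERTIFICATE", c.getEncoded()));
        Files.write(pemFile, pem.toString().getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: ExportAliasToPem <Windows-MY alias> <pfx password>");
            System.exit(2);
        }
        char[] pw = args[1].toCharArray();
        Path pfx = Paths.get("export.pfx");          // intermediate, password-protected
        Path pem = Paths.get("cert-with-key.pem");   // final output, key in the clear
        try {
            exportPfxWithCertutil(thumbprintForAlias(args[0]), pw, pfx);
            writePem(loadPrivateKeyEntry(pfx, pw), pem);
        } finally {
            Files.deleteIfExists(pfx);  // the PFX is no longer needed once the PEM exists
            Arrays.fill(pw, '\0');
        }
    }
}
```

certutil refuses to export a key that was generated or imported without the exportable flag, so the first step fails cleanly in that case rather than producing an empty PFX. The resulting PEM holds the key unencrypted, as the answer's warning says; if the file needs to sit on disk for any length of time, convert it to an encrypted form (for example with openssl pkcs8) or restrict its ACL to the owning account.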
