How to convert trust certificate from .jks to .pem?


Problem description

I have a Java SSL server to which I want my Java SSL client and C++ SSL client to be able to connect. The Java client connects without issues. Now I want my C++ SSL client to be able to connect. So for this purpose, I imagined, I want to export the serverpub.jks to a .pem file so that my C++ client can load it into its SSL context. But this is not working.

Below is a description of how I created the jks keystores for Java client and server and then how I am trying to export the serverpub.jks to .pem file.

step 1: Generate the Client and Server Keystores

c:\keytool -genkeypair -alias myserverkeys -keyalg RSA -dname "CN=my Server,OU=kl2217,O=kl2217org,L=NYC,ST=NY,C=US" -keypass password -keystore server.jks -storepass password
c:\keytool -genkeypair -alias myclientkeys -keyalg RSA -dname "CN=my Client,OU=kl2217,O=kl2217org,L=NYC,ST=NY,C=US" -keypass password -keystore myclient.jks -storepass password

step 2: Export the server public certificate and create a separate keystore

c:\keytool -exportcert -alias myserverkeys -file serverpub.cer -keystore myserver.jks -storepass spacex
c:\keytool -importcert -keystore serverpub.jks -alias serverpub -file serverpub.cer -storepass password

step 3: Export the client public certificate and create a separate keystore

c:\keytool -exportcert -alias myclientkeys -file clientpub.cer -keystore myclient.jks -storepass spacey
c:\keytool -importcert -keystore clientpub.jks -alias clientpub -file clientpub.cer -storepass password

So far so good.

Now here is where I run into problems.

step 4: Convert serverpub.jks to .pem format

c:\keytool -importkeystore -srckeystore serverpub.jks -destkeystore serverpub.p12 -srcstoretype jks -deststoretype pkcs12

And the reply:

Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Problem importing entry for alias serverpub: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias serverpub not imported.
Do you want to quit the import process? [no]:

What does this mean? What am I doing wrong?

step 5: should be

c:\openssl pkcs12 -in serverpub.p12 -out serverpub.pem

But as you can see I couldn't get that far.

I would really appreciate some help understanding how to do this right.

Thanks

Recommended answer

Unfortunately keytool explicitly will not let you export from a trust store since they are of the opinion that PEM files do not support the concept of trusted certificate. So I would use the keystore of cer files instead.

  • From a cer:

    openssl x509 -inform der -in serverpub.cer -out serverpub.pem

  • From a keystore:

    keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -deststoretype PKCS12
    openssl pkcs12 -in server.p12 -nokeys -out server.cer.pem
    openssl pkcs12 -in server.p12 -nodes -nocerts -out server.key.pem
    

  • Or try:

    keytool -exportcert -alias serverpub -keystore serverpub.jks -rfc -file serverpub.pem
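
A check to run on the converted file before the C++ client loads it, shown as an added example that is not part of the original answer: it parses the PEM output, skips the `Bag Attributes` header that `openssl pkcs12` writes, and accepts the file only if it holds the expected certificate and no private-key block. The fingerprint uses the colon-separated SHA-256 form that `keytool -list -v` prints; the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import ssl

# Matches one PEM block; text outside blocks (such as the "Bag Attributes"
# header written by `openssl pkcs12`) is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes, colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_pem(text: str):
    """Return (certificate fingerprints, labels of non-certificate blocks)."""
    certs, other = [], []
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            certs.append(fingerprint(base64.b64decode("".join(body.split()))))
        else:
            other.append(label)  # e.g. PRIVATE KEY, ENCRYPTED PRIVATE KEY
    return certs, other


def safe_for_client(text: str, expected_fp: str) -> bool:
    """True only if the file holds the expected certificate and no key."""
    certs, other = audit_pem(text)
    return certs == [expected_fp] and not other


# Constructed sample: placeholder bytes stand in for a DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_CER_PEM = (
    "Bag Attributes\n    friendlyName: myserverkeys\n"
    + ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
)
# Constructed sample of a file that also carries a private-key block.
SAMPLE_WITH_KEY = SAMPLE_CER_PEM + (
    "-----BEGIN PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_DER)
    print(safe_for_client(SAMPLE_CER_PEM, fp))
    print(safe_for_client(SAMPLE_WITH_KEY, fp))
```

With a real file, read `serverpub.pem` as text and pass the fingerprint reported for the keystore entry as `expected_fp`.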
    
