怎么把.jks转换成.pem的信任证书? [英] How to convert trust certificate from .jks to .pem?
问题描述
我有一个Java SSL服务器,我希望我的Java SSL客户端和C ++ SSL客户端能够连接到. Java客户端连接没有问题.现在,我想让我的C ++ SSL客户端能够连接.因此,为此我想,我想将serverpub.jks导出到一个.pem文件,以便我的C ++客户端可以将其加载到其ssl上下文中.但这是行不通的.
I have a Java SSL server to which I want my Java SSL client and C++ SSL client to be able to connect. The Java client connects without issues. Now I want to have my C++ SSL client to be able to connect. So for this purpose ,I imagined, that I want to export the serverpub.jks to an .pem file so that my C++ client can load it into its ssl context. But this is not working.
下面是有关如何为Java客户端和服务器创建jks密钥库以及如何尝试将serverpub.jks导出到.pem文件的说明.
Below is a description of how I created the jks keystores for Java client and server and then how I am trying to export the serverpub.jks to .pem file.
第1步:生成客户端和服务器密钥库
step 1: Generate the Client and Server Keystores
c:\keytool -genkeypair -alias myserverkeys -keyalg RSA -dname "CN=my Server,OU=kl2217,O=kl2217org,L=NYC,ST=NY,C=US" -keypass password -keystore server.jks -storepass password
c:\keytool -genkeypair -alias myclientkeys -keyalg RSA -dname "CN=my Client,OU=kl2217,O=kl2217org,L=NYC,ST=NY,C=US" -keypass password -keystore myclient.jks -storepass password
步骤2:导出服务器公共证书并创建单独的密钥库
step 2: Export the server public certificate and create a seperate keystore
c:\keytool -exportcert -alias myserverkeys -file serverpub.cer -keystore myserver.jks -storepass spacex
c:\keytool -importcert -keystore serverpub.jks -alias serverpub -file serverpub.cer -storepass password
第3步:导出客户端公共证书并创建单独的密钥库
step 3: Export the client public certificate and create a seperate keystore
c:\keytool -exportcert -alias myclientkeys -file clientpub.cer -keystore myclient.jks -storepass spacey
c:\keytool -importcert -keystore clientpub.jks -alias clientpub -file clientpub.cer -storepass password
到目前为止一切都很好.
So far so good.
现在这是我遇到问题的地方.
Now here is where I run into problems.
第4步:将serverpub.jks转换为.pem格式
step 4: Convert serverpub.jks to .pem format
c:\keytool -importkeystore -srckeystore serverpub.jks -destkeystore serverpub.p12 -srcstoretype jks -deststoretype pkcs12
还有回复
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Problem importing entry for alias serverpub: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias serverpub not imported.
Do you want to quit the import process? [no]:
这是什么意思?我在做什么错了?
What does this mean? What am I doing wrong?
第5步:应该
c:\openssl pkcs12 -in serverpub.p12 -out serverpub.pem
但是正如您所看到的,我走不了那么远.
But as you can see I couldn't get that far.
我非常感谢您提供一些帮助,以帮助您了解如何正确地做到这一点.
I would really appreciate some help understanding how to do this right.
谢谢
推荐答案
不幸的是,由于keytool认为PEM文件不支持可信证书的概念,因此keytool明确不允许您从信任库中导出.因此,我将改用cer文件的密钥库.
Unfortunately keytool explicitly will not let you export from a trust store since they are of the opinion that PEM files do not support the concept of trusted certificate. So I would use the keystore of cer files instead.
-
来自cer:
From a cer:
openssl x509 -inform der -in serverpub.cer -out serverpub.pem
从密钥库:
From a keystore:
keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -deststoretype PKCS12
openssl pkcs12 -in server.p12 -nokeys -out server.cer.pem
openssl pkcs12 -in server.p12 -nodes -nocerts -out server.key.pem
或尝试
keytool -exportcert -alias myserverkeys -keystore serverpub.jks -rfc -file serverpub.pem
这篇关于怎么把.jks转换成.pem的信任证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!