Commands to renew a Java Keystore with a Symantec renewal using a new CSR (not the original CSR)

Problem description

Two years ago, I got a VeriSign/Symantec SSL certificate. When initiating this request, we created a CSR on a random server that is not associated with the common name of the certificate. To create a Java Keystore, I did the following two steps.

openssl pkcs12 -export -in common_name.cer -inkey common_name.key -out renewal.p12 -name common_name_alias -CAfile NewVerisignIM.cer -caname root

keytool -importkeystore -deststorepass XXX! -destkeypass XXX! -destkeystore renewal.keystore -srckeystore renewal.p12 -srcstoretype PKCS12 -srcstorepass XXX! -alias common_name_alias

Now our certificate is about to expire. When using the original entry on the Symantec website, and creating a new CSR, we got the signed certificate file (same file name as common_name.cer above), the private key (same file name as common_name.key above). After signing the new CSR, we DID NOT get back the "NewVerisignIM.cer" file, which appears to be the root CA and intermediate CA combined in one file (aka the CA chain I believe). So I don't know how to recreate the Java Keystore without that file.

I tried using the old "NewVerisignIM.cer" with the new files after signing, but that did not work. That's all I've tried so far. I got a Java exception of

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This site contains instructions when using the original CSR and using a JKS.

https://knowledge.symantec.com/kb/index?page=content&id=SO11942&pmv=print&actp=PRINT&viewlocale=zh_CN

But this question/answer recommends using a new CSR.

Renewing a certificate with Java Keytool - reuse the old CSR?

What commands can I use if we use the new CSR?

Recommended answer

I had the commands correct. The new private key is needed in the first command (X509 to PKCS12). The new signed certificate is needed in the first command. And the original CA chain file, when the original certificate was created, is needed in the first command. The renewal did not contain this file as output. In 2015, Verisign probably had not been acquired by Symantec yet, so the file was named "NewVerisignIM.cer". The second command above converts from PKCS12 to JKS (Java Keystore) format.

My problem was that servers acting as the client who were authenticating against this server did not have the public key updated, because there was a new private key assigned in the renewal. Please note that this new private key is recommended by Symantec, but not required. So I had to export the certificate from the newly created JKS store after the conversion of those two commands on the server containing the common name of the renewal certificate, and then delete the old public key (entry) from the client Java Keystore (on a different server), and import the new public key, so it could talk to the server (with the renewal, and new private key).

Commands run on server (new keystore gets created):

openssl pkcs12 -export -in common_name.cer -inkey common_name.key -out renewal.p12 -name common_name_alias -CAfile NewVerisignIM.cer -caname root

keytool -importkeystore -deststorepass XXX! -destkeypass XXX! -destkeystore renewal.keystore -srckeystore renewal.p12 -srcstoretype PKCS12 -srcstorepass ppp1 -alias common_name_alias

keytool -export -alias https-renewal -file https-renewal.pem -keystore renewal.keystore

Commands run on client (keystore remains the same):

keytool -delete -alias https-renewal -keystore original.keystore -storepass ppp2

keytool -import -v -alias https-renewal -file https-renewal.pem -keystore original.keystore -storepass ppp2

(where "https-renewal.pem" is the file exported from the 3rd command in this answer)
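As an added example (not code from the question or the answer above), the same procedure as a shell script that first checks that the renewed key, certificate and CA chain actually belong together, which is the mismatch behind the PKIX error quoted in the question, before building the PKCS12 and running the two keytool steps. File names, aliases and passwords are placeholders assumed for the example; `openssl` and `keytool` are the only tools used.

```shell
# Added example, not from the original question or answer. File names, alias
# and password are assumptions; substitute what the CA's renewal gave you.

# build_p12 LEAF.cer LEAF.key CHAIN.pem OUT.p12 ALIAS PASSWORD
# Exit status: 1 if the private key does not match the certificate, 2 if the
# certificate does not validate against CHAIN.pem (what an outdated chain
# file such as an old NewVerisignIM.cer produces for a re-issued certificate).
build_p12() {
    leaf=$1 key=$2 chain=$3 out=$4 alias=$5 pass=$6
    # The public key in the certificate must equal the one derived from the key;
    # a renewal with a new key plus an old certificate (or vice versa) fails here.
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "$key does not match $leaf" >&2; return 1; }
    # The chain to be bundled must lead from the leaf to a root contained in
    # CHAIN.pem: the same kind of path check the JVM reports as
    # "unable to find valid certification path to requested target".
    openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1 \
        || { echo "$leaf does not chain to $chain" >&2; return 2; }
    openssl pkcs12 -export -in "$leaf" -inkey "$key" -certfile "$chain" \
        -name "$alias" -out "$out" -passout "pass:$pass"
}

# p12_cert_count FILE.p12 PASSWORD: number of certificates in the bundle
# (leaf + intermediates + root), a sanity check before the JKS import.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# p12_to_jks_and_export FILE.p12 PASSWORD ALIAS OUT.keystore OUT.pem
# The answer's two keytool steps: convert PKCS12 to JKS, then export the server
# certificate as PEM for clients that keep it in their own keystore.
p12_to_jks_and_export() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -srcalias "$3" -destkeystore "$4" -deststoretype JKS -deststorepass "$2" \
        -destkeypass "$2" -destalias "$3" -noprompt \
    && keytool -exportcert -rfc -alias "$3" -keystore "$4" -storepass "$2" -file "$5"
}
```

Clients that import the server's leaf certificate, as in the answer, have to be updated on every re-keyed renewal; clients that instead trust the CA's intermediate and root certificates keep working across renewals.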
