Convert SSL .pem to .p12 with or without OpenSSL


Problem description

I get external .pem files that need to be converted to .p12 files - I add a username and password in the process. (I need to do this to utilize a third party API.)

Using openssl, the command is...

openssl pkcs12 -export -in xxxx.pem -inkey xxxx.pem -out xxx.p12 -passout pass:newpassword -name "newname"

I can run this from a terminal session and it works perfectly.

However, I will need to do this often and have written a Java class that handles this and more (my application is mostly .jsp with Tomcat and Apache). When I try to run the same command from Java using Runtime.exec, I get the dreaded "unable to write 'random state'" error (Using OpenSSL what does "unable to write 'random state'" mean?).

I assume that the difference is that, when I run from Java, the user is not "root".

So, is there a better way to convert from pem to .p12 using a Java library rather than executing a command line program (i.e. openssl)?

Otherwise, I guess I need to do some configuration on my server. I can not find any .md file anywhere on the server. The only openssl.cnf file is in a weird directory (/etc/pki/tls). Do I need to create a new openssl.cnf file somewhere else?

Recommended answer

This should do what you want to do (using the BouncyCastle PEMReader as suggested above) -- take a PEM-encoded private key + certificate, and output a PKCS#12 file. Uses the same password for the PKCS12 that was used to protect the private key.

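// Imports needed by this method. PEMReader and PasswordFinder are part of older
// BouncyCastle releases; newer releases replace them with PEMParser.
import java.io.ByteArrayOutputStream;
import java.io.FileReader;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import org.bouncycastle.openssl.PEMReader;
import org.bouncycastle.openssl.PasswordFinder;

public static byte[] pemToPKCS12(final String keyFile, final String cerFile, final String password) throws Exception {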
    // Get the private key
    FileReader reader = new FileReader(keyFile);

    PEMReader pem = new PEMReader(reader, new PasswordFinder() {
        @Override public char[] getPassword() {
            return password.toCharArray();
        }
    });

    PrivateKey key = ((KeyPair)pem.readObject()).getPrivate();

    pem.close();
    reader.close();

    // Get the certificate      
    reader = new FileReader(cerFile);
    pem = new PEMReader(reader);

    X509Certificate cert = (X509Certificate)pem.readObject();

    pem.close();
    reader.close();

    // Put them into a PKCS12 keystore and write it to a byte[]
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(null);
    ks.setKeyEntry("alias", (Key)key, password.toCharArray(), new java.security.cert.Certificate[]{cert});
    ks.store(bos, password.toCharArray());
    bos.close();
    return bos.toByteArray();
}
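
A JDK-only variant of the conversion, added here as an example (it is not from the original answer or from BouncyCastle). It goes slightly beyond the answer's case: it reads the key and the certificate chain from one combined .pem, as the question's openssl command does, and takes the PKCS#12 password as a separate parameter. Assumptions: the class name PemToP12 is hypothetical, the key is an unencrypted PKCS#8 block (BEGIN PRIVATE KEY) holding an RSA or EC key, and the certificates appear leaf first.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.*;
import java.util.*;
import java.util.regex.*;

public class PemToP12 { // hypothetical name; JDK classes only, no BouncyCastle
    private static final Pattern BLOCK = Pattern.compile(
        "-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \\1-----", Pattern.DOTALL);

    // The PKCS#8 PEM label does not name the algorithm, so try the common ones.
    static PrivateKey decodePkcs8(byte[] der) throws GeneralSecurityException {
        for (String alg : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(new PKCS8EncodedKeySpec(der));
            } catch (InvalidKeySpecException wrongAlgorithm) { /* try the next one */ }
        }
        throw new InvalidKeySpecException("key is neither RSA nor EC");
    }

    static void convert(Path pemFile, Path p12File, String alias, char[] p12Password) throws Exception {
        String pem = new String(Files.readAllBytes(pemFile), StandardCharsets.US_ASCII);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        PrivateKey key = null;
        for (Matcher m = BLOCK.matcher(pem); m.find(); ) {
            String label = m.group(1);
            if (!label.equals("CERTIFICATE") && !label.equals("PRIVATE KEY"))
                throw new KeyException("unsupported PEM block: " + label); // e.g. encrypted or PKCS#1 key
            byte[] der = Base64.getMimeDecoder().decode(m.group(2)); // MIME decoder skips line breaks
            if (label.equals("PRIVATE KEY")) key = decodePkcs8(der);
            else chain.add(cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        if (key == null || chain.isEmpty()) throw new KeyException("need a key and at least one certificate");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty keystore
        // Chain order is taken from the file: leaf certificate first, then intermediates.
        ks.setKeyEntry(alias, key, p12Password, chain.toArray(new Certificate[0]));
        try (OutputStream out = Files.newOutputStream(p12File)) { ks.store(out, p12Password); }
    }

    public static void main(String[] args) throws Exception { // args: in.pem out.p12 alias
        // Needs an interactive console; the password never appears on the command line.
        char[] pw = System.console().readPassword("PKCS#12 password: ");
        try { convert(Paths.get(args[0]), Paths.get(args[1]), args[2], pw); } finally { Arrays.fill(pw, '\0'); }
    }
}
```

The resulting .p12 contains the private key, so give it the same restrictive file permissions as the source .pem.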
