Java keytool 从 url/port 添加服务器证书的简单方法 [英] Java keytool easy way to add server cert from url/port

问题描述

我有一个带有自签名证书的服务器，但也需要客户端证书身份验证.我在尝试获取原始 CA 服务器证书时遇到了困难，因此我可以将其导入密钥库.有人对如何轻松做到这一点有一些建议吗?谢谢.

I have a server with a self signed certificate, but also requires client side cert authentication. I am having a rough time trying to get the raw CA server cert so I can import it into a keystore. Anyone have some suggestions on how to easily do that? Thanks.

推荐答案

正在研究使用jenkins cli时如何信任证书，发现https://issues.jenkins-ci.org/browse/JENKINS-12629 有一些配方那个.

Was looking at how to trust a certificate while using jenkins cli, and found https://issues.jenkins-ci.org/browse/JENKINS-12629 which has some recipe for that.

这会给你证书:

openssl s_client -connect ${HOST}:${PORT} </dev/null

如果您只对证书部分感兴趣，请通过管道将其剪掉:

if you are interested only in the certificate part, cut it out by piping it to:

| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

并重定向到一个文件:

> ${HOST}.cert

然后使用keytool导入:

Then import it using keytool:

keytool -import -noprompt -trustcacerts -alias ${HOST} -file ${HOST}.cert 
    -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}

一口气:

HOST=myhost.example.com
PORT=443
KEYSTOREFILE=dest_keystore
KEYSTOREPASS=changeme

# get the SSL certificate
openssl s_client -connect ${HOST}:${PORT} </dev/null 
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert

# create a keystore and import certificate
keytool -import -noprompt -trustcacerts 
    -alias ${HOST} -file ${HOST}.cert 
    -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}

# verify we've got it.
keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST}

这篇关于Java keytool 从 url/port 添加服务器证书的简单方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！