无法将P7B文件加载到密钥库文件中 [英] Not able to load P7B file into keystore file

问题描述

我收到了 crt / cert 格式的新证书。当我在文本编辑器中打开此文件时，他们将完整的证书链添加到此文件。每个证书开头为：

  ----- BEGIN CERTIFICATE ----- 
  

结尾为：

  --- END CERTIFICATE ----- 
  

两者之间没有空行。因为我不喜欢 openssl ，所以我将证书打开到Windows并导出了具有完整链的证书 PKCS＃7 format（test.p7b）。当我打开这个文件在Windows中看起来很好，根，中间体和证书都是他们的链。

当我把文件 test.p7b ，并尝试使用 keytool 将其导入，如下所示：

  keytool -import -trustcacerts -alias my.domain.com -keystore my.domain.keystore -keypass changeme -storepass changeme -file test.p7b 
  
 
 
 
我得到以下错误：
  keytool错误：java.lang.Exception：输入不是X.509证书
  
当我测试P7B文件我也得到错误：
  bash-4.1 $ openssl x509 -in test.p7b -text 
无法加载证书
 140009984849736：错误：0906D06C：PEM例程：PEM_read_bio：无开始行：pem_lib.c：698：期望：TRUSTED CERTIFICATE 
  
或：
  bash-4.1 $ openssl x509 -in test.p7b -inform DER  - 文本
无法加载证书
 140396587853640：错误：0D0680A8：asn1编码例程：ASN1_CHECK_TLEN：错误标记：tasn_dec.c：1320：
 140396587853640：错误：0D07803A：asn1编码例程：ASN1_ITEM_EX_D2I：嵌套asn1错误：tasn_dec.c：382：类型= X509_CINF 
 140396587853640：错误：0D08303A：asn1编码例程：ASN1_TEMPLATE_NOEXP_D2I：嵌套asn1错误：tasn_dec.c：752：字段= cert_info，类型= X509 
  
有人可以帮助我吗？
解决方案
在导入证书链时，keytool希望以DER形式加载证书。您可以使用openssl创建此类捆绑：
 
 
 
 1  - 转换DER格式的所有证书
  openssl x509 -in certificate.pem -outform DER -out certificate.crt 
  
 2  - 将所有DER证书合并到一个文件中
  cat cert1.crt cert2.crt ...> chain.der 
  
 3  - 现在您可以使用keytool将链接导入您的密钥库
  keytool -importcert -trustcacerts -alias< myalias> -file chain.der -keystore keystore.jks -storepass< mypassword> 
  
请注意 myalias   
 
 
 
 4  - 验证链是否已成功导入
  keytool -list -v -keystore keystore.jks 
  
 
I received a new certificate in crt / cert format. When I open this file in a text editor they added the complete certificate chain to this file. Each certificate starts with:
-----BEGIN CERTIFICATE-----
And ends with:
-----END CERTIFICATE-----
There are no empty lines in between. Since I am not keen with openssl, I opened up the certificate into Windows and exported the certificate with the complete chain in PKCS#7 format (test.p7b). When I open this file all looks fine in Windows and the root, intermediate and the certificate are all their in the chain.

When I put the file test.p7b on the server and try to import this with keytool as follows:
keytool -import -trustcacerts -alias my.domain.com -keystore my.domain.keystore -keypass changeme -storepass changeme -file test.p7b
I get the following error:
keytool error: java.lang.Exception: Input not an X.509 certificate
When I test the P7B file I also get errors:
bash-4.1$ openssl x509 -in test.p7b -text
unable to load certificate
140009984849736:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
or:
bash-4.1$ openssl x509 -in test.p7b -inform DER -text
unable to load certificate
140396587853640:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
140396587853640:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509_CINF
140396587853640:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:752:Field=cert_info, Type=X509
Can someone help me out?
解决方案
When importing a certificate chain, keytool expects the certificates to be loaded in DER form. You can create such a bundle with openssl:

1 - Convert all certificates in DER format 
openssl x509 -in certificate.pem -outform DER -out certificate.crt
2 - Concat all DER certificates into one single file
cat cert1.crt cert2.crt ... > chain.der
3 - Now you can import the chain into your keystore with keytool 
keytool -importcert -trustcacerts -alias <myalias> -file chain.der -keystore keystore.jks -storepass <mypassword>
Note that myalias MUST be the same as the one used when the key was generated.

4 - verify that the chain was successfully imported
keytool -list -v -keystore keystore.jks


                        
这篇关于无法将P7B文件加载到密钥库文件中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！