将公共证书导入密钥库时出错 [英] Error while Importing public certificate to a keystore
问题描述
我有一个CA的公共证书。我想使用此证书创建一个Java SSL连接。我参考我如何接受具有Java HttpsURLConnection的自签名证书?和具有自签名证书的Java SSL连接,而不将完整的密钥库复制到客户端。从这我了解,我需要导入证书到密钥库。但是我没有从CA收到任何密钥库。我创建了一个密钥库,并尝试将公共证书导入到它。但是,我得到以下错误:
keytool错误:java.lang.Exception:回复中的公钥和密钥库不匹配
我需要一个密钥库从CA或我做错了吗?
以创建密钥库:
keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
用于导入证书的命令:
keytool -import -v -alias tomcat -file signed-cert.pem -keystore keystore.jks
我认为你没有正确地遵循证书登录过程。要查看此讨论 https://forums.oracle.com/thread/1533940 以按照以下步骤正确实施它们: / p>
-
创建密钥库
keytool -genkey -keyalg RSA -keystore test.keystore -validity 360
这会生成一个密钥库和一个带有mykey别名的密钥(DC)) -
创建证书签名请求(CSR)。
keytool -certreq -keyalg RSA -file test.csr -keystore test.keystore
(这将生成一个文本CSR文件) -
已产生签署的凭证:
http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-index。 html
-
导入的签名证书
(如果粘贴了步骤3中签署的证书,请注意CRLF)
keytool -import -alias newkey -file -keystore test.keystore
(重要的是,这有一个别名不同于步骤1(默认为mykey)? -
导出用于客户端使用的公钥
keytool -export -alias mykey -file test.publickey -keystore test.keystore
在服务器系统上
-
创建信任库
keytool -genkey -keyalg RSA -keystore test.truststore -validity 360
(这会生成一个密钥库和一个键(DC),别名为mykey) - key - 用于通过客户端测试SSL SOAP服务
keytool -import -file test.publickey -keystore test.truststore
问题是让步骤1和6中的别名默认为mykey。
当我将第6步更改为:
keytool -genkey -alias testAlias -keyalg RSA -keystore test.truststore -validity 360
import使用上面的步骤7(虽然我没有在步骤7中添加-alias apublickey)。
这对我有用。
I have a public certificate from a CA. I want to create a Java SSL connection using this certificate. I referred How do I accept a self-signed certificate with a Java HttpsURLConnection? and Java SSL connection with self-signed certificate without copying complete keystore to client. From this I understand that I need to import the certificate into a keystore. However I haven't received any keystore from the CA. I created a keystore and tried to import the public certificate to it. But then I get the following error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Do i need a keystore from the CA or am i doing something wrong?
Command used to create the keystore:
keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
Command used to import the cert:
keytool -import -v -alias tomcat -file signed-cert.pem -keystore keystore.jks
I think you are not properly following certificate signin process. Checkout this discussion https://forums.oracle.com/thread/1533940 to implement them properly by following below steps:
create a keystore keytool -genkey -keyalg RSA -keystore test.keystore -validity 360 (this generates a keystore and a key (DC) with alias of "mykey")
create a Certificate Signing Request (CSR). keytool -certreq -keyalg RSA -file test.csr -keystore test.keystore (this generates a text CSR file)
Had signed cert generated:
http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-index.html
Imported signed certificate (watch out for CRLFs if pasting signed cert from step 3) keytool -import -alias newkey -file -keystore test.keystore (?important that this has an alias different to step 1 (which defaults to "mykey")?
Export public key for client usage keytool -export -alias mykey -file test.publickey -keystore test.keystore
On Server system
create a truststore keytool -genkey -keyalg RSA -keystore test.truststore -validity 360 (this generates a keystore and a key (DC) with alias of "mykey")
Import public key - for testing SSL SOAP service via client keytool -import -file test.publickey -keystore test.truststore
The problem was letting the alias in steps 1 and 6 default to "mykey". When I changed step 6 to be: keytool -genkey -alias testAlias -keyalg RSA -keystore test.truststore -validity 360
you can import using step 7 above (though I did add "-alias apublickey" in step 7). This worked for me.
这篇关于将公共证书导入密钥库时出错的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!