Keystore Alias Null Error


Problem description


I am trying to configure a product called Hermes for a digital signature.

I have a file MyCert.pfx which I specified in its configuration as follows:

<component id="keystore-manager-for-signature" name="Key Store Manager for Digital Signature">
    <class>hk.hku.cecid.piazza.commons.security.KeyStoreManager</class>
    <parameter name="keystore-location" value="/opt/mycompany/certs/MyCert.pfx"/>
    <parameter name="keystore-password" value="12345678"/>
    <!-- parameter name="key-alias" value="joeblank"/-->
    <!-- parameter name="key-password" value="12345678"/-->
    <parameter name="keystore-type" value="PKCS12"/>
    <parameter name="keystore-provider" value="org.bouncycastle.jce.provider.BouncyCastleProvider"/>
</component>

Hermes throws an exception like this:

hk.hku.cecid.ebms.spa.task.MessageValidationException: Cannot sign the ebxml message
    by hk.hku.cecid.ebms.pkg.SignatureException: [10204] Cannot sign message Exception: java.lang.NullPointerException Message: null
    Try to retreive key alias[null] from keystore[/opt/mycompany/certs/MyCert.pfx]
    by java.lang.NullPointerException

I don't have the alias for the pfx file. I didn't need to specify one when I used it in Tomcat's server.xml.

It was also suggested that I should use a command like this to import the certificate into a JKS store:

keytool -importkeystore -deststorepass [password] -destkeystore [JKS keystore file] -deststoretype JKS -destalias [alias] -srckeystore [p12 keystore file] -srcstoretype PKCS12 -srcstorepass [password] -srcalias [alias]

I had to remove the -srcalias portion since I didn't have that, which required me to remove the -destalias as well. So in this case, I don't have a known alias to reference in mycompany.jks.

Either way I don't have an alias. I tried importing the pfx file using keytool -import, but that throws an "Input not an X.509 certificate" error.

What do you guys suggest I should try next?

Solution

It sounds like your application doesn't use a default alias when none is specified. It's quite common for applications/libraries (including Apache Tomcat) to pick the first alias they find when none is specified. However, yours seems to need one.

You can find it using keytool -list -storetype PKCS12 -keystore (if needed, use -v too to see the alias more clearly). The alias name should be the first part of the line that says something like 2, Jan 12, 2012, PrivateKeyEntry (here "2"), just before the fingerprint.

keytool -import is indeed just for certificates.

keytool -importkeystore could be used for converting the PKCS#12 store into a JKS store, but you shouldn't need it, since you're able to specify the PKCS12 type.
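
The alias lookup described in the answer, as an added example that is not part of the original answer: it parses `keytool -list -v` output and returns the alias only when the store holds exactly one private-key entry, so the value to put in key-alias is unambiguous. The function names and the sample listing are constructed for illustration, and English keytool output is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes English keytool output.

# Read `keytool -list -v` output on stdin; print the alias of every
# PrivateKeyEntry, one per line. trustedCertEntry entries are skipped because
# they hold no private key that could sign a message.
private_key_aliases() {
    awk '
        /^Alias name: / { alias = substr($0, 13); next }
        /^Entry type: / {
            if (substr($0, 13) == "PrivateKeyEntry" && alias != "") print alias
            alias = ""
        }'
}

# Succeed only when the store holds exactly one private key, so the value
# written into key-alias is unambiguous.
single_signing_alias() {
    aliases=$(private_key_aliases)
    count=$(printf '%s\n' "$aliases" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one PrivateKeyEntry, found $count" >&2
        return 1
    fi
    printf '%s\n' "$aliases"
}

# Constructed sample of `keytool -list -v` output for a PKCS#12 store.
sample_listing() {
    cat <<'EOF'
Keystore type: PKCS12

Your keystore contains 2 entries

Alias name: 2
Creation date: Jan 12, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: constructed-ca
Creation date: Jan 12, 2012
Entry type: trustedCertEntry
EOF
}

# Real use (prompts for the store password):
#   keytool -J-Duser.language=en -list -v -storetype PKCS12 \
#       -keystore /opt/mycompany/certs/MyCert.pfx | single_signing_alias
sample_listing | single_signing_alias   # prints: 2
```

If the function reports more than one PrivateKeyEntry, pick the alias whose certificate subject matches the signing identity before setting key-alias.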
