如何在java信任库中导入jks证书 [英] How to import a jks certificate in java trust store

问题描述

如何将.jks文件导入java security的truststore？我看到的所有教程都使用.crt文件。但是，我只有.jks文件，它也是我使用keytool命令生成的密钥库。

How do I import a .jks file into the java security's truststore? All the tutorial I'm seeing is using a ".crt" file. However, I only have the ".jks" file which is also the keystore I generated using the keytool command.

目前，我正在关注本教程。

我能够生成Java密钥库和密钥对，并为现有Java密钥库生成证书签名请求（CSR），该请求基于本教程。但我无法将根证书或中间CA证书导入现有Java密钥库，并将签名的主证书导入现有Java密钥库，因为它正在查找.cert文件。

I was able to generate a Java keystore and key pair and generate a certificate signing request (CSR) for an existing Java keystore, which is based on the tutorial. But I cannot import a root or intermediate CA certificate to an existing Java keystore, and import a signed primary certificate to an existing Java keystore, because it is looking for a ".cert" file.

我是否遗漏了教程中列出的步骤？如果我拥有的唯一文件是.jks文件，我如何信任证书？什么是.csr文件的用途？

Am I missing something on the steps listed on the tutorial? How can I trust a certificate if the only file I have is the ".jks" file? And what is the use of the ".csr" file?

请注意我使用的是Windows。

Please note that I'm using Windows.

推荐答案

。jks 信任库，或者至少它应该是你分配的它到JSSE。您应该将CA中的证书添加到该文件中。然后，软件将通过迭代证书来查找证书链。私钥应保留在（密码保护的）。jks文件中。

The ".jks" is the truststore, or at least it should be if you assign it to JSSE. You should add the certificates from your CA to that file. The software will then look up the certificate chain by iterating through the certificates. The private key should remain in the (password protected) ".jks" file.

换句话说，你应该将证书导入。jks而不是从中导出证书。如果证书请求的响应中未包含特定提供商的证书，则可能需要单独下载这些证书。您可能也可以从您喜欢的浏览器中导出它们。通常这些是以X5.09 DER格式存储的（它应该与Java keytool 兼容）。

In other words, you should import certificates to the ".jks" not export certificates out of it. You may have to download the certificates of your specific provider separately if they are not included in the response of your certificate request. You proabably could export them from your favourite browser as well. Normally these are stored in X5.09 DER format (which should be compatible with the Java keytool).

步骤（一般情况下）：

1. 生成密钥对&证书请求，存储到新的或现有的密钥库（ .jks ）


2. 发送要签名的证书请求，获取从您请求的证书


3. 使用私钥将证书链导入密钥存储区


4. 为需要执行的一方生成新密钥存储区或使用现有密钥存储区验证（使用SSL时至少有一个或多个客户端），并导入证书链


5. 信任上述密钥库中证书链中的证书，可能是最高证书（ root证书）。


6. 配置和测试各方，例如使用带有私钥的密钥库的服务器和使用后者密钥库的多个客户端。

1. Generate a key pair & cert request, store into new or existing key store (.jks)
2. Send the certificate request to be signed, obtain chain starting with the certificate that you requested
3. Import certificate chain into key store with private key
4. Generate new or use existing key store for the party that needs to do the verification (at least one or more clients when using SSL), and import the certificate chain
5. Trust a certicificate in the certificate chain in the above key store, probably the top most certificate (the "root" certificate).
6. Configure and test the parties, e.g. a server using the key store with the private key and multiple clients using the latter key store.

这篇关于如何在java信任库中导入jks证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！