Newbie keytool command -- how to update cert already added to keystore?


Problem description

I have a self-signed cert for my Linux email server, exim. To enable my Java functions to access this email server via GlassFish, I originally issued:

# keytool -importcert -v -noprompt -alias mail.mycompany.com -file /path/to/mail.mycompany.com.der -keystore /path/to/config/cacerts.jks -storepass changeit
Certificate was added to keystore

This worked fine until the certificate expired. I had to create a new self-signed cert, and now Java gives the error PKIX path validation failed … path does not chain with any of the trust anchors.

To attempt to fix this, I derived a new mail.mycompany.com.der file from the new exim cert (as done originally). But when I issue the above keytool command (as done originally), it gives the error Certificate not imported, alias <mail.mycompany.com> already exists.

I think the problem is that I can't use that same keytool command. I need to use a different one that doesn't add the cert to the keystore, but updates the cert already there with a newer version. Can anyone point me in the right direction for that command?

As an aside, is there some automated process that I'm missing? That is, certs expire all the time... does that mean IT admins need to always update the keystore with the new certs manually using commands like this? Or can this be automated somehow?

Recommended answer

Probably the simplest way would be to have keytool delete the original cert and generate a new cert with the same information. A good way to get around this, if you have a small VM you can spare for it, is to install EJBCA. It's kinda clunky, but EJBCA is a free, open source CA server written in Java. You can create your own fake CA certs, user certs, server certs, etc. that all have trust chains. Plus it's pretty good for quickly generating a new JKS file for you when you reissue a certificate after one has expired.

To delete:

keytool -delete -keystore myfile.jks -alias 'alias_from_keytool_-list'
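The delete-then-import sequence from the answer, put together as a script that can be re-run safely whenever exim's certificate is renewed. This is an added example, not part of the original question or answer; it assumes keytool is on PATH and takes the keystore path, the alias, the new certificate file (DER or PEM) and the store password as arguments. It checks the SHA-256 fingerprint of the entry against the file afterwards, so a silent mismatch (wrong file, wrong alias) is caught instead of surfacing later as another PKIX error.

```shell
#!/bin/sh
# Added example: replace the trusted certificate stored under an existing
# alias, then confirm the keystore really holds the new one.
# Assumed inputs (caller-supplied): truststore path, alias, certificate
# file, store password. keytool must be on PATH.

# Pull the SHA-256 fingerprint out of keytool -list -v / -printcert output.
# Accepts both "Certificate fingerprint (SHA-256): ..." and "SHA256: ..." forms.
_sha256_of() {
    sed -n 's/.*SHA-\{0,1\}256)\{0,1\}: *//p' | head -n 1 | tr -d ' \r'
}

# Fingerprint of the certificate stored under an alias (empty if absent).
cert_fingerprint() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null | _sha256_of
}

# Fingerprint of a certificate file on disk (empty if unreadable).
file_fingerprint() {
    keytool -printcert -file "$1" 2>/dev/null | _sha256_of
}

# replace_trusted_cert KEYSTORE ALIAS CERTFILE STOREPASS
# keytool -importcert refuses to reuse an alias, so the old entry is deleted
# first. A keystore that does not exist yet is created by the import.
replace_trusted_cert() {
    ks="$1"; entry="$2"; certfile="$3"; pass="$4"

    wanted=$(file_fingerprint "$certfile")
    if [ -z "$wanted" ]; then
        echo "cannot read certificate from $certfile" >&2
        return 1
    fi

    # Idempotent: nothing to do if this exact certificate is already trusted.
    current=$(cert_fingerprint "$ks" "$pass" "$entry")
    if [ "$current" = "$wanted" ]; then
        echo "alias $entry already holds $certfile; nothing to do"
        return 0
    fi

    # Drop the stale entry (expired cert) if the alias is taken.
    if [ -n "$current" ]; then
        keytool -delete -keystore "$ks" -storepass "$pass" -alias "$entry" || return 1
    fi

    keytool -importcert -noprompt -keystore "$ks" -storepass "$pass" \
        -alias "$entry" -file "$certfile" >/dev/null || return 1

    # Verify the stored entry matches the file instead of trusting the exit code alone.
    [ "$(cert_fingerprint "$ks" "$pass" "$entry")" = "$wanted" ]
}

# Stand-alone use, with the paths from the question:
#   sh replace-cert.sh /path/to/config/cacerts.jks mail.mycompany.com \
#       /path/to/mail.mycompany.com.der changeit
if [ "$#" -eq 4 ]; then
    replace_trusted_cert "$@"
fi
```

Because the function does nothing when the fingerprint already matches, it can be run from cron or from the hook that rotates exim's certificate, which is the kind of automation the question asks about. Inspect the new file with keytool -printcert (the "Valid from ... until" line) before importing it, so you do not replace one expired certificate with another.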

