Creating pkcs12 using Java API fails due to error: java.security.KeyStoreException: TrustedCertEntry not supported

Problem description

I am trying to create a PKCS12 keystore file using Java API. However as soon as I try to import the certificate I get the exception

java.security.KeyStoreException: TrustedCertEntry not supported

My code is:

Provider p = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
...
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(null, keystorePass);

keyStore.setCertificateEntry("certificate", certificate);

keyStore.setKeyEntry("key",privateKey, keypass, certChain);

The same approach works for creating JKS files but failed for PKCS12 files.

Note: The certificate given to this program as input is created by the server using the CSR generated with the same private key used here. I.e. the public modulus for the given certificate, CSR used to generate it and the given private key are the same.

The server cert is stored in variable certChain.

Note: I have tried OpenSSL to create the pkcs12 and I was successful, however I need to do the same using Java API.

Note: I am using JDK 7

Recommended answer

Java 7 (and earlier) does not allow a trustedCert entry in a PKCS12 keystore although 8 does, perhaps because PKCS12 was designed and is usually used only for privatekey(s) and the related cert(s) and which Java puts together in the privateKey entry. You say this cert is the cert for/matching the privatekey, so it must be first in the certChain in the "key" entry, and you do not need a "cert" entry for it.
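
The approach the answer describes, as an added example that is not code from the original post: the PKCS12 store gets a single key entry whose chain starts with the matching certificate, and no separate certificate entry. The class name, the command-line arguments and the input formats (an RSA key as unencrypted PKCS#8 DER, a leaf-first certificate file) are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAKey;
import java.security.spec.PKCS8EncodedKeySpec;

// Added example. Usage (file names are placeholders):
//   java Pkcs12Builder key.pk8.der chain.pem out.p12 <password>
public class Pkcs12Builder {

    // Builds a PKCS12 store with one private-key entry; setCertificateEntry is never called.
    static KeyStore build(PrivateKey key, Certificate[] chain, char[] pass) throws Exception {
        if (chain.length == 0) {
            throw new KeyStoreException("certificate chain is empty");
        }
        // chain[0] must be the certificate issued for this key: compare the RSA moduli
        // (assumes an RSA key pair, as in the question).
        RSAKey pub = (RSAKey) chain[0].getPublicKey();
        if (!pub.getModulus().equals(((RSAKey) key).getModulus())) {
            throw new KeyStoreException("chain[0] does not match the private key");
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                      // start from an empty store
        ks.setKeyEntry("key", key, pass, chain);  // key and its chain go into one entry
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = args[3].toCharArray();
        // Private key: unencrypted PKCS#8 DER (assumed input format).
        byte[] der = Files.readAllBytes(Paths.get(args[0]));
        PrivateKey key = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
        // Certificates: PEM or DER, leaf certificate first (assumed order).
        Certificate[] chain;
        try (InputStream in = new FileInputStream(args[1])) {
            chain = CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new Certificate[0]);
        }
        try (OutputStream out = new FileOutputStream(args[2])) {
            build(key, chain, pass).store(out, pass);  // same password for store and key
        }
    }
}
```

The resulting file can be inspected with `keytool -list -v -storetype PKCS12 -keystore out.p12`, which should show one PrivateKeyEntry whose chain begins with the server certificate.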
