Exporting SSL Certificate in Linux Browser (or Linux Command Line) for Java Certificate Truststore


Question

Background:

I am having some trouble consuming a Web Service with ColdFusion 9 (peer not authenticated).

First, I'm going to try importing the cert into ColdFusion's underlying Java keystore. If that doesn't work, I'm going to try to fiddle with ColdFusion's security provider.

But my questions are more specific...

Questions:

How do I export the cert (at the right level) in Chrome (or Linux CLI), and in which format?

Details

I have seen some instructions for exporting a cert from a browser, but they have been for IE (old versions, at that), and I would prefer to use Chrome, because I'm on Linux.

In order to get to the screen shot, below, I:

  • Clicked the lock icon next to the URL
  • "Connection" tab (which shows "The identity of this website has been verified by Thawte SSL CA")
  • Clicked the "Certificate Information" link
  • "Details" tab

From there, I am able to export at one of four levels:

  • Builtin Object Token: Thawte Premium Server CA
  • thawte Primary Root CA
  • Thawte SSL CA
  • sb1.geolearning.com

Which is appropriate?

Also, Adobe's documentation says "The certificate must be an X.509 certificate in Distinguished Encoding Rules (DER) format.", and Chrome's export dialog offers these options:

  • Base64-encoded ASCII, single certificate
  • Base64-encoded ASCII, certificate chain
  • DER-encoded binary, single certificate
  • PKCS #7, single certificate
  • PKCS #7, certificate chain
  • All files

I assume "DER-encoded binary, single certificate" is appropriate?

Recommended Answer

With a Browser

The following generated a certificate that I was able to import using keytool:

  • Level: sb1.geolearning.com
  • File type: DER-encoded binary, single certificate

For posterity, here was the command used to import:

sudo keytool -import -keystore /opt/jrun4/jre/lib/security/cacerts -alias "sb1.geolearning.com (Thawte SSL CA)" -storepass changeit -noprompt -trustcacerts -file ~/Downloads/sb1.geolearning.com


Without a Browser

Here's what I'm doing these days (in a Vagrant provisioner). In this script, the keystore is hard-coded, because I'm only using it for Lucee, at the moment; however, the path to the keystore could easily be parameterized. Also, the runfile-related code is just so Vagrant doesn't run the script more than once; those lines are superfluous if you're not using the code as a Vagrant provisioner.

The only thing that really differentiates this from the above solution is that this gets the cert via openssl s_client (and cleans it up with sed) instead of doing so manually, via a browser.

#!/usr/bin/env bash
set -e

description="Add cert to Lucee's keystore."

# Parse --key=value options. The runfile options exist only so that Vagrant
# skips this script when it re-provisions the box.
while :
do
    case $1 in
        --provisioned-dir=*)
            provisioned_dir=${1#*=}        # Delete everything up till "="
            shift
            ;;
        --runfile-name=*)
            runfile_name=${1#*=}        # Delete everything up till "="
            shift
            ;;
        --site-host-name=*)
            site_host_name=${1#*=}        # Delete everything up till "="
            shift
            ;;
        -*)
            echo "WARN: Unknown option (ignored): $1" >&2
            shift
            ;;
        *)  # no more options. Stop while loop
            break
            ;;
    esac
done

# Fail early instead of trying to connect to ":443" when no host was given.
if [ -z "${site_host_name:-}" ]; then
  echo "ERROR: --site-host-name=<host> is required" >&2
  exit 1
fi

runfile="${provisioned_dir}/${runfile_name}"

if [ -f "${runfile}" ]; then
  echo "${description}: Already run."
  exit 0
fi

echo "add cert to keystore"

# Fetch the leaf certificate the server presents (-servername sends SNI, so a
# virtual-hosted server returns the certificate for this name) and keep only
# the PEM block from s_client's output.
echo -n | \
  openssl s_client -connect "${site_host_name}:443" -servername "${site_host_name}" \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  > "/tmp/${site_host_name}.cert"

# Without pipefail a failed connection leaves an empty file; do not import that.
if [ ! -s "/tmp/${site_host_name}.cert" ]; then
  echo "ERROR: no certificate received from ${site_host_name}" >&2
  exit 1
fi

# Import into Lucee's truststore. "|| true" keeps the provisioner going when
# the alias already exists, so keytool's message is the only sign of a problem.
/opt/lucee/jdk/jre/bin/keytool \
  -import \
  -keystore /opt/lucee/lib/lucee-server/context/security/cacerts \
  -alias "${site_host_name} (self-signed)" \
  -storepass changeit \
  -file "/tmp/${site_host_name}.cert" \
  -noprompt \
  || true

touch "${runfile}"
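The script above imports whatever single certificate the server happens to present. Two things a practitioner usually wants on top of that, shown here as an added example that is not part of the answer: fetching the whole chain with `-showcerts` and splitting it, because `keytool -import -file` reads only the first certificate in a PEM file, and checking the SHA-256 fingerprint of a certificate before it goes into the truststore, so the provisioner does not silently trust an unexpected certificate. The function names, the `cert-NN.pem` naming and the alias scheme are this example's own choices; it assumes `openssl` and `keytool` are on PATH, and the keystore path and password are passed in rather than hard-coded.

```shell
#!/usr/bin/env bash
# Added example (not the answer's code). Assumes openssl and keytool on PATH.
set -eu

# Fetch the full chain a server presents (with SNI) and keep only the PEM blocks.
fetch_chain() {           # usage: fetch_chain host [port] > chain.pem
  local host=$1 port=${2:-443}
  openssl s_client -connect "${host}:${port}" -servername "${host}" -showcerts </dev/null 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Split a PEM bundle (stdin) into outdir/cert-01.pem, cert-02.pem, ...; prints the count.
# keytool -import only reads the first certificate in a file, so a chain must be split.
split_chain() {           # usage: split_chain outdir < chain.pem
  local outdir=$1
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-BEGIN CERTIFICATE-/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
    inside                { print > out }
    /-END CERTIFICATE-/   { inside = 0; close(out) }
    END                   { print n + 0 }
  '
}

# One line per certificate: subject|issuer|sha256 fingerprint, for a human to review.
describe_cert() {         # usage: describe_cert cert.pem
  local f=$1 subj issuer fp
  subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
  fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
  printf '%s|%s|%s\n' "$subj" "$issuer" "$fp"
}

# Import one certificate; refuses to import when an expected fingerprint is given
# and does not match, and skips aliases that already exist instead of masking errors.
import_cert() {           # usage: import_cert keystore storepass alias cert.pem [expected_sha256]
  local ks=$1 pass=$2 alias=$3 f=$4 expected=${5:-} actual
  if [ -n "$expected" ]; then
    actual=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
    if [ "$actual" != "$expected" ]; then
      echo "ERROR: fingerprint mismatch for '$alias': got $actual" >&2
      return 1
    fi
  fi
  if keytool -list -keystore "$ks" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
    echo "alias '$alias' already present; skipping"
    return 0
  fi
  keytool -import -noprompt -trustcacerts -keystore "$ks" -storepass "$pass" \
    -alias "$alias" -file "$f"
}

# Driver: fetch, split, print each certificate, import every element of the chain.
main() {                  # usage: main host keystore [storepass]
  local host=$1 ks=$2 pass=${3:-changeit} dir f
  dir=$(mktemp -d)
  fetch_chain "$host" | split_chain "$dir" >/dev/null
  for f in "$dir"/cert-*.pem; do
    describe_cert "$f"
    import_cert "$ks" "$pass" "${host}-$(basename "$f" .pem)" "$f"
  done
  rm -rf "$dir"
}

# Only run the network driver when invoked with arguments; the functions can be sourced.
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Run as `./add-chain.sh sb1.geolearning.com /opt/lucee/lib/lucee-server/context/security/cacerts changeit`, then check the printed subject/issuer lines against what the browser's Details tab showed. For a pinned deployment, pass the known SHA-256 fingerprint as the fifth argument of `import_cert` so provisioning fails loudly if the server's certificate ever differs from the one that was reviewed.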
