How to create a Java keystore only with a private key file?


Question

I only have a private key as a .key file, no other .crt or CA stuff. I need to create a Java keystore with that. How to convert it?

What I tried so far:
I renamed my .key file to .pem.
I used openssl to create a .p12 file out of the .pem.

And lastly I use this command to create the Java keystore:

keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12
-srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks]
-deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]

I am asked to give the passwords, which I enter, and then I get an error:

PEM_read_bio:no start line: ...... Expecting: TRUSTED CERTIFICATE

I already checked for missing spaces and that the file starts with "-----" and ends with it as well.

Does anyone know a way to do it?

Recommended answer

You didn't show the openssl command you used, but it's probably wrong, since the error you quote comes from openssl and not keytool, and as a result your keytool command couldn't possibly work.

However, your goal is unwise. The Java KeyStore API is designed to store a private key with a certificate (or chain) for it, and both keytool and most other programs won't work right or at all for a private key with no certificate. The usual practice in Java -- and mostly in OpenSSL as well -- when you have no real certificate(s) for a private key is to create a 'dummy' self-signed certificate; this does not extend trust as a real certificate does, but it fills the certificate-shaped hole(s) and allows programs to work at least up to the point they need valid trust.

There are two ways to do this. OpenSSL is easier, but not programming and hence not really on-topic:

openssl req -new -x509 -key privkey.pem [-days N] [-subj name] -out dummy.pem
# -subj name has the form /attr=value/attr=value/...
# where commonly used attrs are C (Country), ST (State/Province), 
# L (Locality), O (Organization), OU (Org Unit), CN (CommonName).
# if you omit -subj name you will be prompted for these (assuming normal config)
# -days defaults to 30
# if you modify the default config file or create and specify your own 
# you can configure a variety of X.509 extensions, but for a dummy cert 
# this is only rarely helpful, depending how you (will) use it

openssl pkcs12 -export -in dummy.pem -inkey privkey.pem -out keystore.p12 [-name alias]

# Java can use the PKCS12, but if you really want JKS for some reason
keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -deststoretype JKS \
  [-srcstorepass p] [-deststorepass p] [-srcalias x [-destalias y]]
# most j8 can read PKCS12 without specifying it (due to a compatibility setting) 
# and all j9 up autodetect the source type;
# j8 defaults dest type to JKS but j9 up do not

Alternatively you can program this in Java. OOTB Java doesn't directly handle PEM format for keys, and more importantly handles only one of the eight formats used by OpenSSL -- and you carefully avoided telling us which you have. Also OOTB Java has no documented way to create a certificate; there are internal classes used by keytool, but after j8 it is increasingly difficult to use internal classes. Both of these are solved by BouncyCastle (bcpkix+bcprov), which supports OpenSSL PEM keys and generating X.509 certificates among other things.

To read OpenSSL's 'traditional' format unencrypted private key file see
Read RSA private key of format PKCS1 in JAVA
How to Load RSA Private Key From File
Getting RSA private key from PEM BASE64 Encoded private key file

or traditional encrypted
Get a PrivateKey from a RSA .pem file
Decrypting an OpenSSL PEM Encoded RSA private key with Java?

For PKCS8 encrypted
Reading PKCS8 in PEM format: Cannot find provider
Decrypt PEM private (RSA) key with Bouncy Castle
and since you actually need the public key also, which 'traditional' formats give you (as PEMKeyPair -> KeyPair) but PKCS8 doesn't
Bouncy Castle - how to get Public Key Info from JceOpenSSLPKCS8DecryptorProviderBuilder (mine)

For generating a self-signed cert with Bouncy
Self signed X509 Certificate with Bouncy Castle in Java
Generating X509 Certificate using Bouncy Castle Java (but don't use SHA1)
maybe Generating X509Certificate using bouncycastle X509v3CertificateBuilder
