如何解决:jno_key_entry [英] How to resolve : jno_key_entry

问题描述

我有一个由Sectigo生成的以下文件:

I have a the following files that where generated by Sectigo:

1. XXX1.pem
2. XXX1.key
3. XXX1.csr
4. XXX1.crt
5. XXX1.ca

我在Windows上使用Zulu JDK 11.0.8和SpringBoot 2.2.0.我想做的是在SpringBoot应用程序中启用https.

I am using Zulu JDK 11.0.8 and SpringBoot 2.2.0 on windows. What I am trying to do is to enable https in SpringBoot app.

这是SpringBoot属性文件中的ssl属性:

This are the ssl properties in SpringBoot properties file:

server.ssl.key-store-type=JKS
server.ssl.key-store=XX1.jks
server.ssl.key-store-password=password
server.ssl.key-alias=tomcat

我使用以下命令生成了密钥库:

I generated a keystore using the following command:

keytool -import -alias tomcat -file XXX1.crt -keystore XX1.jks -storepass password

运行该应用程序时，出现以下错误消息:

When running the app I am getting the following error message:

Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1008) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    ... 17 common frames omitted
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1210) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:586) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    ... 19 common frames omitted
Caused by: java.io.IOException: jsse.alias_no_key_entry
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:328) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    ... 25 common frames omitted

知道我做错了什么吗?

谢谢

推荐答案

TLDR:您需要私钥

尽管我们经常松散地谈论具有或使用证书"的SSL/TLS服务器，但实际上它不仅需要证书，而且还需要关联的私钥(始终)以及任何关联的中间链" CA证书. )(通常，但可能取决于CA和/或客户端). keytool -import是-importcert的别名，仅导入证书或链.这可以将证书/链添加到预先存在的 privateKeyEntry中，或创建一个TrustedCertEntry.在您的情况下，您的密钥库尚未包含私钥，因此keytool创建了TrustedCertEntry，这就是为什么Tomcat抱怨配置的别名为'no_key_entry'的原因-即它是TrustedCertEntry，它是不足，无法使用和错误的，而不是

Although we often talk loosely about an SSL/TLS server having or using 'a certificate', in fact it needs not just a certificate but the associated private key (always) and any associated intermediate aka 'chain' CA cert(s) (usually, but can depend on the CA and/or clients). keytool -import is an alias for -importcert which imports only a certificate or chain; this either adds a cert/chain to a preexisting privateKeyEntry, or creates a trustedCertEntry. In your case your keystore did not already contain the privatekey, so keytool created a trustedCertEntry, which is why Tomcat complains that the configured alias is 'no_key_entry' -- i.e. it is a trustedCertEntry, which is inadequate, unusable, and wrong, not a privateKeyEntry as is needed and required.

搜索将PEM转换为Java密钥库"或将PEM转换为JKS"(也可能将将PEM转换为PKCS12")，您会发现在过去十年中有数百个问题，其中包括两个真实答案:

Search for 'convert PEM to Java keystore' or 'convert PEM to JKS' (and possibly 'convert PEM to PKCS12' also) and you will find hundreds of Questions asked over the past decade, with about as many variations of the two real Answers:

1. 如果拥有或获得OpenSSL，请使用openssl pkcs12 -export将证书，私钥和链(CA)PEM格式的文​​件合并为PKCS12格式的文件.现代Java(自2017年起)始终可以直接将PKCS12用作密钥库；较早的版本有时可以做到这一点，但有时需要您使用keytool -importkeystore(不是-import[cert])将PKCS12转换为JKS，而较早的答案则反映了以前的要求.如有必要，您可以将PEM格式的文​​件移动或复制到足够安全并具有OpenSSL的另一台计算机上，然后再将PKCS12移动或复制.

1. If you have or get OpenSSL, use openssl pkcs12 -export to combine the certificate, privatekey, and chain (CA) PEM-format files into a PKCS12-format file. Modern Java (since 2017) can always use PKCS12 directly as a keystore; older versions sometimes could do this but sometimes required you to convert the PKCS12 to JKS with keytool -importkeystore (not -import[cert]) and older Answers reflect that former requirement. If necessary you could move or copy the PEM-format files to another machine that is sufficently secure and has OpenSSL and then move or copy the PKCS12 back.

OpenSSL在几乎所有Linux和许多其他Unix(而非Windows)上都是标准配置.您可以从Windows A的多个来源获得它，我认为这些来源是 http://slproweb.com/products/Win32OpenSSL .html 维护得最好的

OpenSSL comes standard on nearly all Linuxes and many other Unixes, but not Windows. You can get it for Windows from several sources of which I consider http://slproweb.com/products/Win32OpenSSL.html the best-maintained.

下载并使用 KeyStore Explorer .

这篇关于如何解决:jno_key_entry的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！