如何将 .cer 证书导入 java 密钥库? [英] How to import a .cer certificate into a java keystore?
问题描述
在开发 Java 网络服务客户端的过程中,我遇到了一个问题.Web 服务的身份验证使用客户端证书、用户名和密码.我从 Web 服务背后的公司收到的客户端证书采用 .cer
格式.当我使用文本编辑器检查文件时,它具有以下内容:
During the development of a Java webservice client I ran into a problem. Authentication for the webservice is using a client certificate, a username and a password. The client certificate I received from the company behind the webservice is in .cer
format. When I inspect the file using a text editor, it has the following contents:
-----BEGIN CERTIFICATE-----
[Some base64 encoded data]
-----END CERTIFICATE-----
我可以将此文件作为证书导入 Internet Explorer(无需输入密码!)并使用它来验证网络服务.
I can import this file as a certificate in Internet Explorer (without having to enter a password!) and use it to authenticate with the webservice.
通过首先剥离第一行和最后一行,转换为 unix 换行符并运行 base64 解码,我能够将此证书导入密钥库.生成的文件可以导入密钥库(使用 keytool
命令).当我列出密钥库中的条目时,该条目的类型为 trustedCertEntry
.由于此条目类型 (?),我无法使用此证书对 Web 服务进行身份验证.我开始认为提供的证书是用于身份验证的公共证书...
I was able to import this certificate into a keystore by first stripping the first and last line, converting to unix newlines and running a base64-decode. The resulting file can be imported into a keystore (using the keytool
command). When I list the entries in the keystore, this entry is of the type trustedCertEntry
. Because of this entry type (?) I cannot use this certificate to authenticate with the webservice. I'm beginning to think that the provided certificate is a public certificate which is being used for authentication...
我发现的一种解决方法是在 IE 中导入证书并将其导出为 .pfx
文件.此文件可作为密钥库加载,并可用于向 Web 服务进行身份验证.但是,我不能指望我的客户每次收到新证书时都执行这些步骤.所以我想直接将 .cer
文件加载到 Java 中.有什么想法吗?
A workaround I have found is to import the certificate in IE and export it as a .pfx
file. This file can be loaded as a keystore and can be used to authenticate with the webservice. However I cannot expect my clients to perform these steps every time they receive a new certificate. So I would like to load the .cer
file directly into Java. Any thoughts?
附加信息:网络服务背后的公司告诉我,应该从 PC 和稍后导入证书的用户那里请求证书(使用 IE 和网站).
Additional info: the company behind the webservice told me that the certificate should be requested (using IE & the website) from the PC and user that would import the certificate later.
推荐答案
- 如果您想进行身份验证,您需要私钥 - 没有其他选择.
- 证书是具有额外属性(如公司名称、国家/地区...)的公钥,由某些证书颁发机构签署,以保证附加属性的真实性.
.CER
文件是证书,没有私钥.私钥通常与.PFX keystore
文件一起提供.如果您真的进行身份验证是因为您已经导入了私钥.您通常可以导入
.CER
证书而- If you want to authenticate you need the private key - there is no other option.
- A certificate is a public key with extra properties (like company name, country,...) that is signed by some Certificate authority that guarantees that the attached properties are true.
.CER
files are certificates and don't have the private key. The private key is provided with a.PFX keystore
file normally. If you really authenticate is because you already had imported the private key.You normally can import
.CER
certificates without any problems withkeytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"
这篇关于如何将 .cer 证书导入 java 密钥库?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!