将 Java 密钥库转换为 PEM 格式 [英] Converting a Java Keystore into PEM Format

问题描述

我正在尝试使用 keytool 和 openssl 应用程序将 Java 密钥库文件转换为 PEM 文件.但是我找不到进行转换的好方法.有任何想法吗?

我没有将密钥库直接转换为 PEM，而是尝试先创建一个 PKCS12 文件，然后再转换为相关的 PEM 文件和密钥库.但是我无法使用它们建立连接.(请注意，我只需要一个 PEM 文件和一个密钥库文件来实现安全连接.没有像从 java 密钥库文件开始"这样的限制.:) 所以我的情况可以从其他格式开始)

但是最好使用从 jks 到 pem 的直接转换方法.

解决方案

很简单，至少使用 jdk6...

<前>bash$ keytool -keystore foo.jks -genkeypair -alias foo -dname 'CN=foo.example.com,L=墨尔本,ST=维多利亚,C=AU'输入密钥库密码:重新输入新的密码:输入密钥密码(如果与密钥库密码相同则返回):bash$ keytool -keystore foo.jks -exportcert -alias foo |openssl x509 -inform der -text输入密钥库密码:asdasd证书:数据:版本:3 (0x2)序列号:1237334757 (0x49c03ae5)签名算法:dsaWithSHA1发行人:C=AU，ST=Victoria，L=Melbourne，CN=foo.example.com有效性不是之前:格林威治标准时间 2009 年 3 月 18 日 00:05:57不之后:格林威治标准时间 2009 年 6 月 16 日 00:05:57主题:C=AU，ST=维多利亚，L=墨尔本，CN=foo.example.com主题公钥信息:公钥算法:dsaEncryptionDSA 公钥:酒馆:00:e2:66:5c:e0:2e:da:e0:6b:a6:aa:97:64:59:14:7e:a6:2e:5a:45:f9:2f:b5:2d:f4:34:27:e6:53:c7:bash$ keytool -importkeystore -srckeystore foo.jks -destkeystore foo.p12 -srcstoretype jks -deststoretype pkcs12输入目标密钥库密码:重新输入新的密码:输入源密钥库密码:别名 foo 的条目已成功导入.导入命令完成:1 个条目成功导入，0 个条目失败或取消bash$ openssl pkcs12 -in foo.p12 -out foo.pem输入导入密码:MAC验证OK输入 PEM 密码:验证 - 输入 PEM 密码:bash$ openssl x509 -text -in foo.pem证书:数据:版本:3 (0x2)序列号:1237334757 (0x49c03ae5)签名算法:dsaWithSHA1发行人:C=AU，ST=Victoria，L=Melbourne，CN=foo.example.com有效性不是之前:格林威治标准时间 2009 年 3 月 18 日 00:05:57不之后:格林威治标准时间 2009 年 6 月 16 日 00:05:57主题:C=AU，ST=维多利亚，L=墨尔本，CN=foo.example.com主题公钥信息:公钥算法:dsaEncryptionDSA 公钥:酒馆:00:e2:66:5c:e0:2e:da:e0:6b:a6:aa:97:64:59:14:7e:a6:2e:5a:45:f9:2f:b5:2d:f4:34:27:e6:53:c7:bash$ openssl dsa -text -in foo.pem读取 DSA 密钥输入 PEM 密码:私钥:(1024 位)私人:00:8f:b1:af:55:63:92:7c:d2:0f:e6:f3:a2:f5:ff:1a:7a:fe:8c:39:dd酒馆:00:e2:66:5c:e0:2e:da:e0:6b:a6:aa:97:64:59:14:7e:a6:2e:5a:45:f9:2f:b5:2d:f4:34:27:e6:53:c7:

你最终得到:

• foo.jks - Java 格式的密钥库.
• foo.p12 - PKCS#12 格式的密钥库.
• foo.pem - 来自密钥库的所有密钥和证书，采用 PEM 格式.

(如果您愿意，可以将最后一个文件拆分为密钥和证书.)

<小时>

命令摘要 - 创建 JKS 密钥库:

keytool -keystore foo.jks -genkeypair -alias foo -dname 'CN=foo.example.com,L=墨尔本,ST=维多利亚,C=AU'

命令摘要 - 将 JKS 密钥库转换为 PKCS#12 密钥库，然后转换为 PEM 文件:

keytool -importkeystore -srckeystore foo.jks -destkeystore foo.p12 -srcstoretype jks -deststoretype pkcs12openssl pkcs12 -in foo.p12 -out foo.pem

如果您的 JKS 密钥库中有多个证书，并且您只想导出与别名之一关联的证书和密钥，则可以使用以下变体:

keytool -importkeystore -srckeystore foo.jks -destkeystore foo.p12 -srcalias foo -srcstoretype jks -deststoretype pkcs12openssl pkcs12 -in foo.p12 -out foo.pem

命令摘要 - 将 JKS 密钥库与 PEM 文件进行比较:

keytool -keystore foo.jks -exportcert -alias foo |openssl x509 -inform der -textopenssl x509 -text -in foo.pemopenssl dsa -text -in foo.pem

I am trying to convert from a Java keystore file into a PEM file using keytool and openssl applicactions. But I could not find a good way to do the conversion. Any ideas?

Instead of converting the keystore directly into PEM I tried to create a PKCS12 file first and then convert into relevant PEM file and Keystore. But I could not establish a connection using them. (Note that I just need a PEM file and a Keystore file to implement a secured connection. There is no restriction like "Start from a java keystore file". :) So starting from other formats is acceptable with my case)

But a direct conversion method from jks to pem is preferable.

解决方案

It's pretty straightforward, using jdk6 at least...

bash$ keytool -keystore foo.jks -genkeypair -alias foo 
        -dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU'
Enter keystore password:  
Re-enter new password: 
Enter key password for 
        (RETURN if same as keystore password):  
bash$ keytool -keystore foo.jks -exportcert -alias foo | 
       openssl x509 -inform der -text
Enter keystore password:  asdasd
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1237334757 (0x49c03ae5)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=AU, ST=Victoria, L=Melbourne, CN=foo.example.com
        Validity
            Not Before: Mar 18 00:05:57 2009 GMT
            Not After : Jun 16 00:05:57 2009 GMT
        Subject: C=AU, ST=Victoria, L=Melbourne, CN=foo.example.com
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
                pub: 
                    00:e2:66:5c:e0:2e:da:e0:6b:a6:aa:97:64:59:14:
                    7e:a6:2e:5a:45:f9:2f:b5:2d:f4:34:27:e6:53:c7:
 

bash$ keytool -importkeystore -srckeystore foo.jks 
       -destkeystore foo.p12 
       -srcstoretype jks 
       -deststoretype pkcs12
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  
Entry for alias foo successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

bash$ openssl pkcs12 -in foo.p12 -out foo.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

bash$ openssl x509 -text -in foo.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1237334757 (0x49c03ae5)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=AU, ST=Victoria, L=Melbourne, CN=foo.example.com
        Validity
            Not Before: Mar 18 00:05:57 2009 GMT
            Not After : Jun 16 00:05:57 2009 GMT
        Subject: C=AU, ST=Victoria, L=Melbourne, CN=foo.example.com
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
                pub: 
                    00:e2:66:5c:e0:2e:da:e0:6b:a6:aa:97:64:59:14:
                    7e:a6:2e:5a:45:f9:2f:b5:2d:f4:34:27:e6:53:c7:
 

bash$ openssl dsa -text -in foo.pem
read DSA key
Enter PEM pass phrase:
Private-Key: (1024 bit)
priv:
    00:8f:b1:af:55:63:92:7c:d2:0f:e6:f3:a2:f5:ff:
    1a:7a:fe:8c:39:dd
pub: 
    00:e2:66:5c:e0:2e:da:e0:6b:a6:aa:97:64:59:14:
    7e:a6:2e:5a:45:f9:2f:b5:2d:f4:34:27:e6:53:c7:

You end up with:

• foo.jks - keystore in java format.
• foo.p12 - keystore in PKCS#12 format.
• foo.pem - all keys and certs from keystore, in PEM format.

(This last file can be split up into keys and certificates if you like.)

---

Command summary - to create JKS keystore:

keytool -keystore foo.jks -genkeypair -alias foo 
    -dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU'

Command summary - to convert JKS keystore into PKCS#12 keystore, then into PEM file:

keytool -importkeystore -srckeystore foo.jks 
   -destkeystore foo.p12 
   -srcstoretype jks 
   -deststoretype pkcs12

openssl pkcs12 -in foo.p12 -out foo.pem

if you have more than one certificate in your JKS keystore, and you want to only export the certificate and key associated with one of the aliases, you can use the following variation:

keytool -importkeystore -srckeystore foo.jks 
   -destkeystore foo.p12 
   -srcalias foo 
   -srcstoretype jks 
   -deststoretype pkcs12

openssl pkcs12 -in foo.p12 -out foo.pem

Command summary - to compare JKS keystore to PEM file:

keytool -keystore foo.jks -exportcert -alias foo | 
   openssl x509 -inform der -text

openssl x509 -text -in foo.pem

openssl dsa -text -in foo.pem

这篇关于将 Java 密钥库转换为 PEM 格式的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！