在 Java KeyStore 中导入私钥/公共证书对 [英] Importing the private-key/public-certificate pair in the Java KeyStore
问题描述
我使用以下步骤创建了一个带有一对私钥/公钥的新 Java 密钥库,供具有 TLS 的 Java(内部)服务器使用.请注意,证书是自签名的:
I used the following steps to create a new Java keystore with a pair of private/public key to be used by a Java (internal) server with TLS. Please notice that the certificate is selfsigned:
1) 使用 AES256 生成密钥
1) Generate key with AES256
openssl genrsa -aes256 -out server.key 1024
2) 为 CA 生成证书请求
2) Generate cert request for CA
openssl req -x509 -sha256 -new -key server.key -out server.csr
3) 生成自签名到期时间 10 年
3) Generate self signed expiry-time 10 years
openssl x509 -sha256 -days 3652 -in server.csr -signkey server.key -out selfsigned.crt
4) 使用KeyStoreExplorer 之类的程序将一对(私钥和自签名证书)导入一个新的 JKS
4) Use a program like KeyStoreExplorer to import the pair (private key and selfsigned certificate) in a new JKS
这可行,但我想在不使用 GUI 的情况下实现最后一步.
This works but I'd like to implement the last step without using a GUI.
我只知道如何导入自签名证书:
I know how to import the self signed certificate only:
// create the keystore and import the public key. THIS WILL NOT IMPORT THE PRIVATE KEY SO THE KEYSTORE CAN'T BE USED ON THE SERVER TO MAKE THE TLS CONNECTION
/usr/java/jdk1.6.0_45/bin/keytool -import -alias myservercert -file server.crt -keystore mykeystore.jks
所以问题是:如何在不使用 GUI 的情况下创建 Java KeyStore 并使用公钥和私钥导入证书?
So the question is: how can I create a Java KeyStore and import both the certificate with the public key and the private key without using a GUI?
推荐答案
有了你的私钥和公共证书,你需要先创建一个 PKCS12 keystore,然后将它转换成 JKS.
With your private key and public certificate, you need to create a PKCS12 keystore first, then convert it into a JKS.
# Create PKCS12 keystore from private key and public certificate.
openssl pkcs12 -export -name myservercert -in selfsigned.crt -inkey server.key -out keystore.p12
# Convert PKCS12 keystore into a JKS keystore
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias myservercert
要验证 JKS 的内容,可以使用以下命令:
To verify the contents of the JKS, you can use this command:
keytool -list -v -keystore mykeystore.jks
如果这不是自签名证书,您可能希望按照此步骤导入通向受信任 CA 证书的证书链.
If this was not a self-signed certificate, you would probably want to follow this step with importing the certificate chain leading up to the trusted CA cert.
这篇关于在 Java KeyStore 中导入私钥/公共证书对的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!