Convert certificate from pem into jks


Problem description

I have to convert a certificate in pem format into a Java key store.

To use this one with Tomcat at a Windows server.

I have these files:

  • cert_request.csr

    -----BEGIN CERTIFICATE REQUEST-----
    ...
    -----END CERTIFICATE REQUEST-----

  • cert_public_key.pem

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

  • cert_private_key.pem

    -----BEGIN ENCRYPTED PRIVATE KEY-----
    ...
    -----END ENCRYPTED PRIVATE KEY-----

  • cert.txt

    contains a 16 digit key

I tried to combine the pem files (by chaining the two files together) and converted this with openssl into a

  • .der file and imported it with keytool into a new keystore
  • same with .p12
  • directly imported into keystore

I also tried to change

    -----BEGIN ENCRYPTED PRIVATE KEY-----
    ...
    -----END ENCRYPTED PRIVATE KEY-----

into

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

and tried the 3 ways above.

What do I have to do to get a working certificate?

I combined the cert_public_key.pem and the cert_private_key.pem to cert_comb.pem

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    ...
    -----END ENCRYPTED PRIVATE KEY-----

Recommended answer

You aren't clear which files you combined, but it should work to use openssl to combine the cert and private key to a PKCS#12:

    cat cert_public_key.pem cert_private_key.pem >combined.pem
    openssl pkcs12 -export -in combined.pem -out cert.p12

or on the fly but (update:) the privatekey must be first:

    cat cert_private_key.pem cert_public_key.pem | openssl pkcs12 -export -out cert.p12

If your cert needs any chain cert(s) -- the CA should have told you this when you submitted the CSR and they issued the cert -- it's easiest to also include it (them) now.

Then (1) some Java programs can actually use a pkcs12 directly as a keystore, but (2) if you need or prefer a JKS use keytool:

    keytool -importkeystore -srckeystore cert.p12 -srcstoretype pkcs12 -destkeystore cert.jks

If you care about the alias in the resulting JKS, easiest to fix it after converting.

Also: just changing the labels in an encrypted PEM doesn't unencrypt it, nor does changing the label from generic PKCS#8 to RSA actually change the data to match (and they are different, though only a little). If you do want a separate PEM file with the decrypted private key:

    openssl pkey -in encryptedpk8 -out clearpk8.pem # 1.0.0 up
    openssl pkcs8 -in encryptedpk8 -out clearpk8.pem # 1.0.0 up
    openssl pkcs8 -topk8 -nocrypt -in encryptedpk8 -out clearpk8.pem # below 1.0.0
    openssl rsa -in encryptedpk8 -out clearrsa.pem
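
The answer's point that relabelling a PEM block neither decrypts it nor converts PKCS#8 to PKCS#1 can be checked mechanically by comparing the label with the DER structure underneath. This is an added example, not code from the original answer; the function names and the constructed skeleton blob (not a real key) are assumptions made for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_kind(der):
    """Name the PEM label that fits the DER structure, or 'unknown'."""
    try:
        outer, start, _ = read_tlv(der, 0)
        first, _, first_end = read_tlv(der, start)
        second, _, _ = read_tlv(der, first_end)
    except IndexError:
        return "unknown"
    return {
        (0x30, 0x30, 0x04): "ENCRYPTED PRIVATE KEY",  # AlgorithmIdentifier, OCTET STRING
        (0x30, 0x02, 0x30): "PRIVATE KEY",            # version, AlgorithmIdentifier (PKCS#8)
        (0x30, 0x02, 0x02): "RSA PRIVATE KEY",        # version, modulus (PKCS#1)
    }.get((outer, first, second), "unknown")

def check_key_labels(pem_text):
    """Return (label, structure, matches) for each *PRIVATE KEY block."""
    results = []
    for label, body in PEM_RE.findall(pem_text):
        if label.endswith("PRIVATE KEY"):
            try:
                kind = der_kind(base64.b64decode("".join(body.split())))
            except ValueError:  # body is not valid base64
                kind = "unknown"
            results.append((label, kind, label == kind))
    return results

def der_tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body  # short-form lengths only

# Constructed skeleton, not a real key: PBES2 AlgorithmIdentifier + dummy ciphertext.
PBES2 = der_tlv(0x06, bytes.fromhex("2a864886f70d01050d"))
ENCRYPTED = der_tlv(0x30, der_tlv(0x30, PBES2 + der_tlv(0x30)) + der_tlv(0x04, bytes(16)))
B64 = base64.b64encode(ENCRYPTED).decode()
RELABELLED = f"-----BEGIN RSA PRIVATE KEY-----\n{B64}\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_key_labels(RELABELLED))
```

Only the three key labels discussed on this page are recognised; other key types and traditional PEM blocks with `Proc-Type` headers are reported as `unknown`.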
    
