如何将证书链添加到密钥库? [英] How to add certificate chain to keystore?
问题描述
我有包含证书链的文件 - certificate.cer:
I have file with chain of certificates - certificate.cer:
subject=/C...
issuer=/C=US/O=VeriSign, Inc...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/O=VeriSign, Inc...
issuer=/C=US/O=VeriSign, Inc...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/O=VeriSign, Inc...
issuer=/C=US/O=VeriSign, Inc...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
我需要将此证书链添加到密钥库中.
我做什么:
I need to add this chain of certificates to keystore.
What I do:
openssl x509 -outform der -in certificate.cer -out cert.der
keytool -v -importcert -alias mykey -file cert.der -keypass <passwd> -keystore keystore -storepass <passwd> -alias <myalias>
结果我在密钥库中只有 1 个证书.
但是应该有 3.
可能有什么问题?
In result I have only 1 certificate in keystore.
But should have 3.
What could be wrong?
解决方案:
CA 向我发送了 PKCS#7 格式的证书.
我将它们存储在 certificate.p7b 文件中,然后通过以下命令将它们成功添加到密钥库:
SOLUTION:
CA sent me certificates in PKCS#7 format.
I stored them in certificate.p7b file and then successfully added them to keystore by following command:
keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass <mypasswd> -alias "myalias"
推荐答案
来自 keytool man - 它导入证书链,如果输入以 PKCS#7 格式给出,否则只导入单个证书.您应该能够通过 openssl crl2pkcs7 命令使用 openssl 将证书转换为 PKCS#7 格式.
From the keytool man - it imports certificate chain, if input is given in PKCS#7 format, otherwise only the single certificate is imported. You should be able to convert certificates to PKCS#7 format with openssl, via openssl crl2pkcs7 command.
这篇关于如何将证书链添加到密钥库?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
