Java 密钥库可以导入 OpenSSL 生成的密钥对吗? [英] Can a Java key store import a key pair generated by OpenSSL?
问题描述
我用 openssl 生成了一个认证密钥.这是我的命令:
I generate a certification key with openssl. Here is my command:
openssl genrsa -des3 -out enc_key.pem 1024
openssl genrsa -des3 -out enc_key.pem 1024
我导出到 cer 文件,然后使用 java keytool 导入 java keystore (jks).
I export into cer file, then with java keytool I import into java keystore (jks).
密钥库听起来不错.我可以从我的 Java 应用程序加载密钥库.
The keystore sounds good. I can load the keystore from my java app.
问题是当客户端连接到服务器时(这里是FTP服务器,不是web服务器,我使用的是apache mina),出现异常:
The problem is when client connect to the server (In this case is FTP server, not web server, and I use apache mina), the exception occured:
javax.net.ssl.SSLHandshakeException:SSL 握手失败.在 org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:433)在 org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)在 org.apache.mina.core.filterchain.DefaultIoFilterChain.access$5(DefaultIoFilterChain.java:429)
javax.net.ssl.SSLHandshakeException: SSL handshake failed. at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:433) at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$5(DefaultIoFilterChain.java:429)
...
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common在 com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(来源不明)在 com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(来源不明)在 com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(来源不明)在 com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(来源不明)在 javax.net.ssl.SSLEngine.wrap(来源不明)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source) at javax.net.ssl.SSLEngine.wrap(Unknown Source)
...
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common在 com.sun.net.ssl.internal.ssl.Alerts.getSSLException(来源不明)在 com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(来源不明)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
有几件事我想问:
- 我用 openssl 生成的认证密码是什么?我们怎么知道?也许通过命令行 openssl xxx?
- 我去http:///java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA.并且我将 SSL_RSA_xxx 放入启用的密码套件,但仍然无法工作(我放入 SSL_RSA 是因为它的 SSL 使用 ssl implisit 和 genrsa,只是我认为 genrsa 是生成 RSA).正确吗?
- 有人知道解决方案吗?
- 或者,任何人都知道如何从 openssl 命令行生成标准密钥库,直到可以在 Java 应用程序中使用(当然是密码).因为现在我可以从 openssl 生成证书并导出 keystore java,但我不知道我使用的密码是什么以及我如何在 java 应用程序中使用.注意:如果密钥库是直接从 java 生成的,我可以运行.现在的问题是 java keytool 是否从 openssl 等认证中生成的密钥库(以及其他可能).
- What is the cipher of certification that I generate with openssl? How can we know? maybe by command line openssl xxx?
- I go to http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA. And I put SSL_RSA_xxx to enabled cipher suites, but still can't work (I put SSL_RSA because it the SSL is using ssl implisit, and genrsa, just my opinion genrsa is generate RSA). Is it correct?
- Anybody knows the solution?
- Or, anybody knows how to generate the standard keystore from openssl command line until can be used in java app (off course with the cipher). Because right now I can generate the certification from openssl and export keystore java, but I don't know what is the cipher that I used and how I use in the java app. Note: I can run if the keystore is generate directly FROM java. Right now the problem is if the keystore generated by java keytool from certification like openssl (and other maybe).
任何帮助将不胜感激!谢谢
Any help will be appreciated! Thanks
推荐答案
为什么要使用 OpenSSL 生成密钥对?为什么不直接使用 keytool?
Why are you using OpenSSL to generate the keypair? Why not just use keytool?
genrsa 工具只生成一个私钥.您如何创建相应的证书?您如何将私钥导入 Java 密钥库?(我问,因为 keytool 只能从现有的密钥库中导入私钥,而且只能从 Java 6 开始.)
The genrsa tool just generates a private key. How are you creating a corresponding certificate? How are you importing the private key into your Java keystore? (I ask, because keytool can only import a private key from an existing key store, and only from Java 6 onward.)
我怀疑您的问题是您的密钥库不包含密钥条目(私钥和对应的证书).当您使用 keytool 列出密钥库内容时,有多少个条目?它们是关键条目还是可信条目?
I suspect that your problem is that your key store doesn't contain a key entry (private key and corresponding certificate). When you list the keystore contents with keytool, how many entries are there? Are they key entries or trusted entries?
服务器需要访问私钥才能对其进行身份验证.要导入私钥,请使用 Java 6's 增强的 keytool.
The server needs access to the private key in order to authenticate itself. To import a private key, use Java 6's enhanced keytool.
使用 OpenSSL 创建密钥和证书后,使用 OpenSSL 创建 PKCS #12 密钥库:
After creating the key and the certificate with OpenSSL, use OpenSSL to create a PKCS #12 key store:
openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
然后将此存储转换为 Java 密钥存储:
Then convert this store into a Java key store:
keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12
现在在启用 SSL 的服务器中使用 server.jks,其中包含证书和私钥.
Now use server.jks in your SSL-enable server, which contains the certificate and the private key.
这篇关于Java 密钥库可以导入 OpenSSL 生成的密钥对吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
