Creating .p12 truststore with openssl


Problem description

I'm writing a Java 8 application and want to set up a simple keystore and truststore using a self-signed certificate.

The usual way is:

  1. Create a keypair + certificate using openssl.
  2. Create a .jks keystore + .jks truststore using keytool

Now I'd like to only use openssl and create .p12 keystores instead of .jks keystores.

Creating a .p12 keystore works great using the following commands:

# Create private key and certificate (line continuations restored)
openssl req -x509 -newkey rsa:"${rsa}" -sha256 \
    -keyout "${key}" \
    -out "${cert}" \
    -days "${days}"

# Create .p12 keystore
openssl pkcs12 -export -in "${cert}" -inkey "${key}" -out "${keystore}"

This keystore seems to be working correctly, as providing a corresponding .jks truststore in my Java application will get the TLS connection going. However I can't get a .p12 truststore working.

I tried creating the truststore as suggested here:

# Create .p12 truststore
openssl pkcs12 -export -nokeys -in "${cert}" -out "${truststore}"

and then loading it like this:

import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;

// truststorePath and truststorePassword are set elsewhere
KeyStore trustStore = KeyStore.getInstance("PKCS12");
try (FileInputStream fis = new FileInputStream(new File(truststorePath))) {
    trustStore.load(fis, truststorePassword.toCharArray());
}

but I receive the following exception in my java code:

Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Any idea what I'm doing wrong?

(A working snippet using a .p12 truststore with Java 8 would be greatly appreciated.)

Recommended answer

A possible explanation for this behaviour:

The standard PKCS#12 provider up to Java 7 did not allow trusted certificate entries at all. The JSSE Reference Guide says this:

Storing trusted certificates in a PKCS12 keystore is not supported. PKCS12 is mainly used to deliver private keys with the associated certificate chains. It does not have any notion of "trusted" certificates. In terms of interoperability, other PKCS12 vendors have the same restriction. Browsers such as Mozilla and Internet Explorer do not accept a PKCS12 file with only trusted certificates.

This has changed a bit in Java 8, which supports trusted certificates in PKCS#12 - if they are marked with a special attribute (OID 2.16.840.1.113894.746875.1.1):

openssl pkcs12 -in microsoft.p12 -info
MAC Iteration 1024
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
Certificate bag
Bag Attributes
    friendlyName: microsoft it ssl sha2 (baltimore cybertrust root)
    2.16.840.1.113894.746875.1.1: <Unsupported tag 6>

Source:
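The question asks for a working Java 8 snippet with a .p12 truststore, and the answer explains that Java 8 only treats a PKCS#12 certificate bag as a trust anchor when it carries the 2.16.840.1.113894.746875.1.1 attribute. The following is an added example covering both points; it is not code from the original question or answer. Instead of exporting the truststore with openssl, it builds the PKCS#12 file with the JDK's own KeyStore API: when JDK 8 or later stores a certificate entry in a PKCS12 KeyStore it writes that trusted-key-usage attribute itself (this is also what keytool -importcert -storetype PKCS12 does under the hood), so the file loads back with trusted entries. It then counts those entries, since zero entries is exactly the condition behind "the trustAnchors parameter must be non-empty", and seeds a TrustManagerFactory. The class name P12TrustStore, the file names and the password are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Build a PKCS#12 trust store from a PEM certificate file using only the JDK,
 * then load it the way a TLS client would. Hypothetical usage (placeholder
 * file names and password, not values from the original post):
 *
 *   java P12TrustStore server.crt truststore.p12 changeit
 */
public class P12TrustStore {

    /** Reads every CERTIFICATE block in a PEM file (a single DER cert also works). */
    static Collection<? extends Certificate> readCertificates(String certPath)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(certPath)) {
            return cf.generateCertificates(in);
        }
    }

    /**
     * Stores the certificates as trusted certificate entries. A PKCS12 KeyStore
     * written by JDK 8+ tags each such entry with the Oracle "trusted key usage"
     * bag attribute (OID 2.16.840.1.113894.746875.1.1) described in the answer;
     * entries without it are not loaded as trust anchors.
     */
    static void writeTrustStore(Collection<? extends Certificate> certs,
                                String outPath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty store
        int i = 0;
        for (Certificate c : certs) {
            ks.setCertificateEntry("trusted-" + i++, c);
        }
        try (OutputStream out = new FileOutputStream(outPath)) {
            ks.store(out, password);
        }
    }

    /** Loads a PKCS#12 file from disk. */
    static KeyStore loadStore(String p12Path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Counts trusted certificate entries. Zero is the state that makes
     * TrustManagerFactory fail with "the trustAnchors parameter must be
     * non-empty", so checking it first gives a readable diagnosis.
     */
    static int countTrustedEntries(KeyStore ks) throws GeneralSecurityException {
        int trusted = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            if (ks.isCertificateEntry(e.nextElement())) {
                trusted++;
            }
        }
        return trusted;
    }

    /** Builds an SSLContext that trusts only the certificates in the store. */
    static SSLContext sslContextFor(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String certPath = args[0], p12Path = args[1];
        char[] password = args[2].toCharArray();

        writeTrustStore(readCertificates(certPath), p12Path, password);

        KeyStore ks = loadStore(p12Path, password);
        int n = countTrustedEntries(ks);
        if (n == 0) {
            throw new IllegalStateException(p12Path + " holds no trusted certificate entries");
        }
        System.out.println(p12Path + ": " + n + " trusted certificate(s)");
        sslContextFor(ks); // succeeds only when at least one trust anchor is present
    }
}
```

To confirm what was written, `keytool -list -storetype PKCS12 -keystore truststore.p12` reports each entry as trustedCertEntry, and `openssl pkcs12 -info -nokeys -in truststore.p12` shows the same 2.16.840.1.113894.746875.1.1 bag attribute that appears in the answer's dump (openssl prints its value as an unsupported tag, which is harmless). The same count check is worth running on any truststore produced by another tool before handing it to a TrustManagerFactory.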
