Import CA signed certificates to JKS


Question

I got 4 .crt files from a CA as follows,

AddTrustExternalCARoot.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
demo_site_domain.crt

The second and third are intermediate certificates. I want to import the .crt file(s) into the wso2carbon.jks store and replace the existing jks of a wso2 server with it, as documented here. My problem is, the document wants wso2carbon as the alias, but I can import only one certificate using that alias, so which .crt file should I import? Or should I import a composite .crt file created from the above four crt files (is that possible)? I tried with AddTrustExternalCARoot.crt and demo_site_domain.crt, but after I set up the .jks file in the wso2 server, the server URL gives the following error:

Secure Connection Failed

The connection to ip:port was interrupted while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

What am I doing wrong here?

The wso2 server that I am using is WSO2 UES, and I have to place the password in the following four files to overcome the Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect error.

repository/conf/security/cipher-text.properties
repository/conf/identity.xml
repository/conf/carbon.xml
repository/conf/tomcat/catalina-server.xml

Update:

I followed the answer given, but the last command doesn't give "installed in keystore"; instead it is "Certificate was added to keystore". Following are my commands and responses:

keytool -importcert -keystore wso2carbon.jks -file AddTrustExternalCARoot.crt -alias commoroot -trustcacerts


Enter keystore password:
Re-enter new password:
Certificate already exists in system-wide CA keystore under alias
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore

keytool -importcert -keystore wso2carbon.jks -file COMODORSAAddTrustCA.crt -alias commointermediate1


Enter keystore password:
Certificate was added to keystore

keytool -importcert -keystore wso2carbon.jks -file COMODORSADomainValidationSecureServerCA.crt -alias commointermediate2


Enter keystore password:
Certificate was added to keystore

keytool -importcert -keystore wso2carbon.jks -file demo_site_domain.crt -alias wso2carbon


Enter keystore password:
Certificate was added to keystore

Answer

(Meta: I'm pretty sure this is a duplicate, but I can't find a good one. Answering anyway.)

That page seems to be missing all of the dashes required on keytool commandline options and in PEM file formats; assuming you already corrected for that:

In item 3 it says "you might have to import any intermediate certificates ... before you can import your [CA-]signed certificate". In fact, you do. There are two ways to do this:

1: Import each cert other than your server (or other End Entity) cert, from the top down, to separate entries in the keystore; for your case:

keytool -importcert -keystore wso2carbon.jks -file AddTrustExternalCARoot.crt -alias somealias1 -trustcacerts
keytool -importcert -keystore wso2carbon.jks -file COMODORSAAddTrustCA.crt -alias somealias2
keytool -importcert -keystore wso2carbon.jks -file COMODORSADomainValidationSecureServerCA.crt -alias somealias3

where somealias{1,2,3} are aliases different from each other and different from any alias already in the keystore, especially wso2carbon.

Then import your server cert to the (edit) same alias in the same keystore file where the -genkeypair and -certreq were previously done (or alternatively to an alias which is a copy, in this keystore, of the PrivateKey entry that was earlier created by -genkeypair and -certreq):

keytool -importcert -keystore wso2carbon.jks -file demo_site_domain.crt -alias wso2carbon

This (last) step should say Certificate reply was installed in keystore, NOT Certificate was added to keystore. Otherwise it actually failed, even though it didn't give an error message.

2: concatenate all the certs in one file, with the server (EE) cert first, and import that combined file to (edit) the same alias in the same keystore file used earlier (or to a copy of that privateKey entry):

# assuming any kind of Unix
cat demo_site_domain.crt COMODORSADomainValidationSecureServerCA.crt \
  COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >combinedfile
# if Windows use copy a+b+etc or (for PEM) cut&paste in a plaintext editor like Notepad 
keytool -importcert -keystore wso2carbon.jks -file combinedfile -alias wso2carbon -trustcacerts

The order of the certs other than first doesn't actually matter here, but they will be stored in the keystore and used in the SSL/TLS protocol in "upward" order, so I use that order in the cat for consistency and clarity.

(edit) If there is at any time any doubt what entries you have or don't have in a given keystore file, you can list them with keytool -list -v -keystore filename. Any entry you generate with -genkeypair is a PrivateKey entry, and will contain either a self-signed cert automatically generated by keytool or a certificate with chain you have obtained from a CA. The display format is rather straggly and can be confusing, but look for the lines like Certificate[1]: Certificate[2]: etc. followed immediately by lines for Owner: (which means Subject in standard terminology) and Issuer:. On the other hand each CA root or intermediate cert you import separately will be a trustedCert entry containing only that one cert.

Also the page says you need to import your "signed certificate" into client-truststore.jks. I believe that's wrong. You DO usually need to put a self-signed cert in any client truststore(s), but you should NOT need to do this for a cert signed by a well-known CA, which Comodo/Addtrust is. However, it doesn't hurt to add an unnecessary but valid cert to the truststore.
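The two procedures above both hinge on two things that are easy to get wrong by hand: the reply file must start with the end-entity cert and climb issuer by issuer to the self-signed root, and the final -importcert must land on the PrivateKeyEntry that produced the CSR (otherwise keytool silently stores a trustedCertEntry and prints "Certificate was added to keystore"). The script below is an added example, not code from the answer or from WSO2: it parses the PEM files, reads each certificate's subject and issuer with a minimal DER walker (standard library only), orders and link-checks the chain, writes the combined reply, and wraps the keytool call so that anything other than "Certificate reply was installed in keystore" is treated as a failure. The sample certificates are constructed, certificate-shaped DER stand-ins for the four files in the question (unsigned, just the fields the parser reads); the keystore path, alias and password in the usage line are assumptions.

```python
"""Assemble a CA reply (leaf, intermediates, root) in the order keytool expects,
verify every link, and import it into an existing JKS PrivateKeyEntry."""
import base64
import re
import subprocess

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(data: bytes):
    """All DER certificates found in a PEM file or bundle, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(data)]


def der_to_pem(der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


def _tlv(buf: bytes, off: int):
    """Minimal DER TLV reader: (tag, value bytes, offset after this element)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln


def subject_issuer(der: bytes):
    """DER-encoded subject and issuer Name of an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields, off = [], 0
    while off < len(tbs):
        tag, val, off = _tlv(tbs, off)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:           # optional explicit [0] version (v3 certs)
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4][1], fields[2][1]


def common_name(name: bytes) -> str:
    """CN attribute of a DER Name, for messages only (not a full DN parser)."""
    off = 0
    while off < len(name):
        _, rdn, off = _tlv(name, off)  # RelativeDistinguishedName ::= SET
        _, atv, _ = _tlv(rdn, 0)       # AttributeTypeAndValue ::= SEQUENCE
        _, oid, nxt = _tlv(atv, 0)
        _, val, _ = _tlv(atv, nxt)
        if oid == b"\x55\x04\x03":     # id-at-commonName 2.5.4.3
            return val.decode()
    return "<no CN>"


def order_chain(ders):
    """Leaf first, then each issuer upward to the self-signed root.
    Raises ValueError when a link is missing or the leaf is ambiguous."""
    info = [(d, *subject_issuer(d)) for d in ders]
    issued_by = {iss for _, sub, iss in info if sub != iss}
    leaves = [x for x in info if x[1] not in issued_by]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one end-entity cert, found {len(leaves)}")
    chain, cur = [], leaves[0]
    while True:
        if len(chain) > len(info):
            raise ValueError("issuer loop in supplied certificates")
        chain.append(cur[0])
        if cur[1] == cur[2]:           # subject == issuer: self-signed root reached
            return chain
        nxt = [x for x in info if x[1] == cur[2]]
        if not nxt:
            raise ValueError(f"chain breaks: no cert with subject {common_name(cur[2])!r}")
        cur = nxt[0]


def combined_reply(ders) -> bytes:
    """PEM bundle in keytool's 'server cert first, then upward' order."""
    return b"".join(der_to_pem(d) for d in order_chain(ders))


def import_reply(keystore: str, alias: str, storepass: str, reply_path: str) -> str:
    """Run keytool and insist on the 'Certificate reply was installed' outcome."""
    cmd = ["keytool", "-importcert", "-keystore", keystore, "-storepass", storepass,
           "-alias", alias, "-file", reply_path, "-trustcacerts", "-noprompt"]
    out = subprocess.run(cmd, capture_output=True, text=True)
    msg = out.stdout + out.stderr
    if "Certificate reply was installed in keystore" in msg:
        return msg
    if "Certificate was added to keystore" in msg:
        raise RuntimeError(f"alias {alias!r} is not the PrivateKeyEntry that produced the CSR; "
                           "keytool stored the file as a trustedCertEntry instead")
    raise RuntimeError(msg or f"keytool exited with {out.returncode}")


# --- constructed sample input: certificate-shaped DER with only the fields read above ---
def _enc(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 128:
        ln = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + ln + body


def _name(cn: str) -> bytes:           # Name ::= SEQUENCE OF SET OF { OID cn, UTF8String }
    return _enc(0x30, _enc(0x31, _enc(0x30, b"\x06\x03\x55\x04\x03" + _enc(0x0C, cn.encode()))))


def fake_cert(subject: str, issuer: str) -> bytes:
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + _name(issuer) + _enc(0x30, b"") + _name(subject) + _enc(0x30, b""))
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))


SAMPLE_FILES = {                       # same shape as the four files in the question
    "root.crt": der_to_pem(fake_cert("Test Root CA", "Test Root CA")),
    "inter1.crt": der_to_pem(fake_cert("Test Intermediate CA", "Test Root CA")),
    "inter2.crt": der_to_pem(fake_cert("Test DV CA", "Test Intermediate CA")),
    "server.crt": der_to_pem(fake_cert("demo.example.test", "Test DV CA")),
}


def demo():
    """CNs of the sample chain in the order the combined reply will carry them."""
    ders = [d for pem in SAMPLE_FILES.values() for d in pem_to_ders(pem)]
    return [common_name(subject_issuer(d)[0]) for d in order_chain(ders)]


if __name__ == "__main__":
    print(demo())
    # Real run (assumed paths/alias/password): write the reply, then import it.
    # open("combinedfile", "wb").write(combined_reply(pem_to_ders(open(f, "rb").read()) ...))
    # import_reply("wso2carbon.jks", "wso2carbon", "wso2carbon", "combinedfile")
```

Name comparison is done on the raw DER bytes of the Name, which is what a strict chain builder does; it is not a DN normalizer, so a CA that re-encodes its subject differently in the issuer field of the certs it signs would show up as a "chain breaks" error rather than be silently linked. The keytool wrapper passes -storepass and -noprompt so it can run unattended; after it reports success, keytool -list -v -keystore wso2carbon.jks should show the alias as a PrivateKeyEntry with a Certificate chain length equal to the number of certs in the reply.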
