How to remove just one certificate from a certificate chain in a Java keystore


Problem description


I have a Tomcat server with a certificate chain for HTTPS stored in a Java keystore. The chain includes the self-signed root CA certificate. Although this is apparently okay by the TLS spec, some validation services warn about it, and it's probably better to leave it off.


How can I edit the keystore to remove just the self-signed root CA certificate, but leave the rest of the chain and the private key intact?

Recommended answer


First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):

keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12


Next, export a PEM file with key and certs from the PKCS12 file:

openssl pkcs12 -in old.p12 -out pemfile.pem -nodes


Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes").


Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, e.g. "tomcat", at this point.

openssl pkcs12 -export -in pemfile.pem -name tomcat -out new.p12


Finally, convert back from PKCS12 to JKS:

keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12

The file new.jks is the one you want.
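The manual step in the answer above (open pemfile.pem in a text editor and delete the root certificate together with its "Bag Attributes") is the one place where a slip silently produces a keystore with a missing intermediate or no private key. The following script is an added example, not part of the original answer, that automates that step for a chain of any length: it splits the file into the blocks `openssl pkcs12 -nodes` writes, drops only certificates whose `subject=` and `issuer=` header lines are identical (the self-signed root), and refuses to write a result that has lost the private key or every certificate. It assumes the input has exactly the layout `openssl pkcs12 -in old.p12 -out pemfile.pem -nodes` produces (attribute lines, then `subject=`/`issuer=` for certificates, then the PEM object); the embedded sample file and the names `remove_self_signed`, `split_blocks` and `is_self_signed` are constructed for this example.

```python
"""Drop the self-signed root certificate from a PEM file written by
`openssl pkcs12 -nodes`, leaving the private key and the rest of the chain
exactly as they were. Added example; assumes openssl's output layout."""
import sys

BEGIN = "-----BEGIN "
END = "-----END "

# Constructed sample in the layout `openssl pkcs12 -nodes` prints. The
# base64 bodies are placeholders, not real keys or certificates.
SAMPLE_PEM = """\
Bag Attributes
    friendlyName: tomcat
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
KEYDATA-placeholder
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: tomcat
    localKeyID: 01 02 03
subject=CN = www.example.com
issuer=CN = Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFDATA-placeholder
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Intermediate CA
issuer=CN = Root CA
-----BEGIN CERTIFICATE-----
INTERDATA-placeholder
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Root CA
issuer=CN = Root CA
-----BEGIN CERTIFICATE-----
ROOTDATA-placeholder
-----END CERTIFICATE-----
"""


def split_blocks(pem_text):
    """Split the file into blocks: one PEM object each, together with the
    Bag Attributes / subject= / issuer= lines openssl prints before it."""
    blocks, current = [], []
    for line in pem_text.splitlines(keepends=True):
        current.append(line)
        if line.startswith(END):
            blocks.append(current)
            current = []
    if any(l.strip() for l in current):  # trailing text with no END line
        blocks.append(current)
    return blocks


def _header(block, prefix):
    """Value of the first line in the block starting with prefix, or None."""
    for line in block:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def is_certificate(block):
    return any(line.startswith(BEGIN + "CERTIFICATE") for line in block)


def is_private_key(block):
    return any(line.startswith(BEGIN) and "PRIVATE KEY" in line for line in block)


def is_self_signed(block):
    """True only for a certificate block whose subject= and issuer= headers
    are both present and equal. A block that cannot be classified is kept,
    so nothing is dropped by accident."""
    if not is_certificate(block):
        return False
    subject, issuer = _header(block, "subject="), _header(block, "issuer=")
    return subject is not None and subject == issuer


def remove_self_signed(pem_text):
    """Return (filtered_pem_text, removed_subjects). Raise ValueError rather
    than produce a file without a private key or without any certificate."""
    kept, removed = [], []
    for block in split_blocks(pem_text):
        if is_self_signed(block):
            removed.append(_header(block, "subject="))
        else:
            kept.append(block)
    if not any(is_private_key(b) for b in kept):
        raise ValueError("no private key block in input; refusing to write")
    if not any(is_certificate(b) for b in kept):
        raise ValueError("every certificate is self-signed; nothing would remain")
    return "".join("".join(b) for b in kept), removed


if __name__ == "__main__":
    # Usage: python3 drop_root.py pemfile.pem edited.pem
    # With no arguments the constructed sample is filtered and summarised.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            text = f.read()
    else:
        text = SAMPLE_PEM
    out, removed = remove_self_signed(text)
    if len(sys.argv) == 3:
        with open(sys.argv[2], "w") as f:
            f.write(out)
    print("removed:", removed)
    print("certificates kept:", out.count(BEGIN + "CERTIFICATE"))
```

Run it between steps 2 and 4 of the answer (`python3 drop_root.py pemfile.pem edited.pem`, then feed edited.pem to `openssl pkcs12 -export`). Before converting back to JKS it is worth confirming the result with `openssl pkcs12 -in new.p12 -nokeys | grep -c BEGIN`, which should print one fewer certificate than the original file, and then checking the served chain against the same validation service that raised the warning.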

