How to remove just one certificate from a certificate chain in a Java keystore
Question
I have a Tomcat server with a certificate chain for HTTPS stored in a Java keystore. The chain includes the self-signed root CA certificate. Although this is apparently okay by the TLS spec, some validation services warn about it, and it's probably better to leave it off.
How can I edit the keystore to remove just the self-signed root CA certificate, but leave the rest of the chain and the private key intact?
Answer
First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):
keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12
Next, export a PEM file with key and certs from the PKCS12 file:
openssl pkcs12 -in old.p12 -out pemfile.pem -nodes
Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes").
Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, e.g. "tomcat", at this point.
openssl pkcs12 -export -in pemfile.pem -name tomcat -out new.p12
Finally, convert back from PKCS12 to JKS:
keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12
The file new.jks is what you want.
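The manual editing step of the answer, done programmatically, as an added example that is not part of the original answer. It is a Go program (Go's standard library parses and verifies X.509, so it needs neither openssl nor keytool) that takes the PEM text `openssl pkcs12 -nodes` produces, drops every certificate that is self-signed (issuer equals subject and the signature verifies under the certificate's own key) together with the "Bag Attributes"/subject/issuer lines printed in front of it, keeps the private key and the rest of the chain, and then checks what a client will see: the server certificate still chains to the root through the remaining intermediate, with the root taken from the client's own trust store rather than from the file. The chain it runs on is constructed inside the program (the names Example Root CA, Example Intermediate CA, www.example.test and the alias tomcat are made up for the demo, as is the bundle text); to run it on your own pemfile.pem, read that file instead of calling buildSampleBundle.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// filterSelfSignedCerts returns pemText minus every self-signed CA certificate and the
// "Bag Attributes"/subject/issuer lines openssl prints just before it. The private key
// and the other certificates pass through unchanged; kept lists those certificates.
func filterSelfSignedCerts(pemText []byte) (edited []byte, kept []*x509.Certificate, err error) {
	var out bytes.Buffer
	rest := pemText
	for {
		block, after := pem.Decode(rest)
		if block == nil { // no block left, only trailing text
			out.Write(rest)
			return out.Bytes(), kept, nil
		}
		preamble := rest[:bytes.Index(rest, []byte("-----BEGIN "))] // bag attributes
		rest = after
		if block.Type == "CERTIFICATE" {
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, nil, err
			}
			// A root is self-signed: issuer == subject and the signature verifies under its
			// own key. CheckSignatureFrom also demands a CA, so a self-signed leaf stays.
			if bytes.Equal(cert.RawIssuer, cert.RawSubject) && cert.CheckSignatureFrom(cert) == nil {
				continue // drop the block and the preamble in front of it
			}
			kept = append(kept, cert)
		}
		out.Write(preamble)
		out.Write(pem.EncodeToMemory(block))
	}
}

// newCert issues a certificate for key; parent == nil makes it self-signed. Sample-only, so it panics.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageCertSign}
	if !isCA { // the server leaf
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// buildSampleBundle is constructed sample data: what `openssl pkcs12 -nodes` prints for a
// Tomcat key with a leaf -> intermediate -> root chain, root included. The returned root
// plays the part of the client's trust store.
func buildSampleBundle() ([]byte, *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	root := newCert("Example Root CA", 1, true, nil, rootKey, rootKey)
	inter := newCert("Example Intermediate CA", 2, true, root, intKey, rootKey)
	leaf := newCert("www.example.test", 3, false, inter, leafKey, intKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	var b bytes.Buffer
	b.WriteString("Bag Attributes\n    friendlyName: tomcat\nKey Attributes: <No Attributes>\n")
	pem.Encode(&b, &pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	for _, c := range []*x509.Certificate{leaf, inter, root} {
		fmt.Fprintf(&b, "Bag Attributes: <No Attributes>\nsubject=CN = %s\nissuer=CN = %s\n", c.Subject.CommonName, c.Issuer.CommonName)
		pem.Encode(&b, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	return b.Bytes(), root
}

// verifyServedChain checks the kept certificates the way a client does: the first one
// (the server certificate) must chain to an already-trusted root through the rest.
func verifyServedChain(kept []*x509.Certificate, trustedRoot *x509.Certificate, host string) error {
	if len(kept) == 0 {
		return fmt.Errorf("no certificate left")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	for _, c := range kept[1:] {
		inters.AddCert(c)
	}
	_, err := kept[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	bundle, root := buildSampleBundle()
	edited, kept, err := filterSelfSignedCerts(bundle)
	if err != nil {
		panic(err)
	}
	fmt.Printf("kept %d certificate(s); client-side chain check: %v\n%s", len(kept), verifyServedChain(kept, root, "www.example.test"), edited)
}
```

The printed PEM is what goes into `openssl pkcs12 -export` in the next step of the answer. The chain check deliberately takes the root only from the pool standing in for the client's trust store, which is exactly why serving the root is unnecessary: a client that does not already trust that root would not accept the chain with the root present either.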