在Java KeyStore中导入私钥/公钥证书对 [英] Importing the private-key/public-certificate pair in the Java KeyStore

问题描述

我使用以下步骤创建一个新的Java密钥库，其中包含一对私有/公共密钥，供Java（内部）服务器使用TLS。请注意，证书是自签名的：

I used the following steps to create a new Java keystore with a pair of private/public key to be used by a Java (internal) server with TLS. Please notice that the certificate is selfsigned:

1）使用AES256生成密钥

1) Generate key with AES256

openssl genrsa -aes256 -out server.key 1024

2）生成CA的证书申请

2) Generate cert request for CA

openssl req -x509 -sha256 -new -key server.key -out server.csr

3）生成自签名到期时间10年

3) Generate self signed expiry-time 10 years

openssl x509 -sha256 -days 3652 -in server.csr -signkey server.key -out selfsigned.crt

4）使用 KeyStoreExplorer 等程序导入该对（私钥和自签名证书） ）在一个新的JKS

4) Use a program like KeyStoreExplorer to import the pair (private key and selfsigned certificate) in a new JKS

这有效，但我想在不使用GUI的情况下实现最后一步。

This works but I'd like to implement the last step without using a GUI.

我知道如何仅导入自签名证书：

I know how to import the self signed certificate only:

// create the keystore and import the public key. THIS WILL NOT IMPORT THE PRIVATE KEY SO THE KEYSTORE CAN'T BE USED ON THE SERVER TO MAKE THE TLS CONNECTION
/usr/java/jdk1.6.0_45/bin/keytool -import -alias myservercert -file server.crt -keystore mykeystore.jks

所以问题是：如何创建Java KeyStore并导入两者使用公钥和私钥而不使用GUI的证书？

So the question is: how can I create a Java KeyStore and import both the certificate with the public key and the private key without using a GUI?

推荐答案

使用您的私钥和公共证书，您需要首先创建一个PKCS12密钥库，然后将其转换为JKS。

With your private key and public certificate, you need to create a PKCS12 keystore first, then convert it into a JKS.

# Create PKCS12 keystore from private key and public certificate.
openssl pkcs12 -export -name myservercert -in selfsigned.crt -inkey server.key -out keystore.p12

# Convert PKCS12 keystore into a JKS keystore
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias myservercert

验证内容JKS，你可以使用这个命令：

To verify the contents of the JKS, you can use this command:

keytool -list -v -keystore mykeystore.jks

如果这不是自签名证书，您可能需要按照此步骤导入通向可信CA的证书链证书。

If this was not a self-signed certificate, you would probably want to follow this step with importing the certificate chain leading up to the trusted CA cert.

这篇关于在Java KeyStore中导入私钥/公钥证书对的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！