Java密钥库是否可以导入OpenSSL生成的密钥对? [英] Can a Java key store import a key pair generated by OpenSSL?
问题描述
我使用openssl生成认证密钥。这是我的命令:
I generate a certification key with openssl. Here is my command:
openssl genrsa -des3 -out enc_key.pem 1024
openssl genrsa -des3 -out enc_key.pem 1024
我导出到cer文件,然后使用java keytool导入到java密钥库(jks)。
I export into cer file, then with java keytool I import into java keystore (jks).
密钥库听起来不错。我可以从我的java应用程序加载密钥库。
The keystore sounds good. I can load the keystore from my java app.
问题是当客户端连接到服务器时(在这种情况下是FTP服务器,而不是Web服务器,我使用apache mina),发生异常:
The problem is when client connect to the server (In this case is FTP server, not web server, and I use apache mina), the exception occured:
javax.net.ssl.SSLHandshakeException:SSL握手失败。
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:433)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access $ 5(DefaultIoFilterChain.java:429)
javax.net.ssl.SSLHandshakeException: SSL handshake failed. at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:433) at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$5(DefaultIoFilterChain.java:429)
。 ..
引起:javax.net.ssl.SSLHandshakeException:com.sun.net上没有共同的密码套件
.ssl.internal.ssl.Handshaker.checkThrown(未知来源)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(未知来源)
at com.sun.net.ssl .internal.ssl.SSLEngineImpl.writeAppRecord(未知来源)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
at javax.net.ssl.SSLEngine.wrap (未知来源)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source) at javax.net.ssl.SSLEngine.wrap(Unknown Source)
...
引起:javax.net.ssl.SSLHandshakeException:没有ci在com.sun.net.ssl.internal.ssl.Alerts.getSSLException(未知来源)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(未知)的共同套房#b $ b来源)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
我想问一些事情:
- 我使用openssl生成的认证密码是什么?我们怎么知道?也许是通过命令行openssl xxx?
- 我去 http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA 。我把SSL_RSA_xxx设置为启用密码套件,但仍然无法工作(我把SSL_RSA放在SSL,因为SSL使用的是ssl implisit,而genrsa,只是我的意见genrsa生成RSA)。是正确的吗?
- 有人知道解决方案吗?
- 或者,任何人都知道如何从openssl命令行生成标准密钥库,直到可以用于java app(使用密码的课程)。因为我现在可以从openssl和export keystore java生成认证,但我不知道我使用的密码是什么以及我在java应用程序中的使用方式。注意:如果密钥库直接从java生成,我可以运行。现在问题是如果java keytool生成的密钥库来自认证,如openssl(和其他可能)。
- What is the cipher of certification that I generate with openssl? How can we know? maybe by command line openssl xxx?
- I go to http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA. And I put SSL_RSA_xxx to enabled cipher suites, but still can't work (I put SSL_RSA because it the SSL is using ssl implisit, and genrsa, just my opinion genrsa is generate RSA). Is it correct?
- Anybody knows the solution?
- Or, anybody knows how to generate the standard keystore from openssl command line until can be used in java app (off course with the cipher). Because right now I can generate the certification from openssl and export keystore java, but I don't know what is the cipher that I used and how I use in the java app. Note: I can run if the keystore is generate directly FROM java. Right now the problem is if the keystore generated by java keytool from certification like openssl (and other maybe).
任何帮助将不胜感激!谢谢
Any help will be appreciated! Thanks
推荐答案
为什么使用OpenSSL生成密钥对?为什么不直接使用 keytool ?
Why are you using OpenSSL to generate the keypair? Why not just use keytool?
genrsa 工具只需生成一个私钥。你是如何创建相应的证书的?如何将私钥导入Java密钥库? (我问,因为 keytool 只能从现有的密钥库导入私钥,而且只能从Java 6开始导入。)
The genrsa tool just generates a private key. How are you creating a corresponding certificate? How are you importing the private key into your Java keystore? (I ask, because keytool can only import a private key from an existing key store, and only from Java 6 onward.)
我怀疑您的问题是您的密钥库不包含密钥条目(私钥和对应的证书)。当您使用 keytool 列出密钥库内容时,有多少条目?它们是关键条目还是可信条目?
I suspect that your problem is that your key store doesn't contain a key entry (private key and corresponding certificate). When you list the keystore contents with keytool, how many entries are there? Are they key entries or trusted entries?
服务器需要访问私钥才能对自身进行身份验证。要导入私钥,请使用 Java 6的增强 keytool 。
The server needs access to the private key in order to authenticate itself. To import a private key, use Java 6's enhanced keytool.
创建后密钥和OpenSSL证书,使用OpenSSL创建PKCS#12密钥库:
After creating the key and the certificate with OpenSSL, use OpenSSL to create a PKCS #12 key store:
openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
然后将此商店转换为Java密钥库:
Then convert this store into a Java key store:
keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12
现在在SSL启用服务器中使用 server.jks ,其中包含证书和私有key。
Now use server.jks in your SSL-enable server, which contains the certificate and the private key.
这篇关于Java密钥库是否可以导入OpenSSL生成的密钥对?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
