如何将私钥和公钥（pvk，spc）和证书（cer）导入密钥库？ [英] How do I import the private and public keys (pvk,spc) and certificates (cer) into the keystore?

问题描述

我们拥有从Thawte（.cer，pvk和spc文件）购买的Microsoft Authenticode证书，并希望重用它们来签署java jar文件。请参阅 http://www.thawte.com/code-signing/index.html
换句话说，我不想再进行第二次（和不必要的）购买 - 购买下面列出的Java代码签名证书。 注意： Thawte允许此操作但不支持。

We have Microsoft Authenticode certificates purchased from Thawte (.cer, pvk and spc files) and want to reuse them to sign java jar files. see http://www.thawte.com/code-signing/index.html In other words, I do not want to make a second (and unnecessary) purchase - to buy the Java code signing certs also listed below on that page. Note: Thawte allows this but will not support it.

Thawte_Code_Signing_Intermediate_CA.cer，
Thawte_Primary_Intermediate_Root_CA.cer，
Thawte_Primary_Root_CA_Cross .cer

Thawte_Code_Signing_Intermediate_CA.cer, Thawte_Primary_Intermediate_Root_CA.cer, Thawte_Primary_Root_CA_Cross.cer

我有pvk和spc文件。

I have the pvk and spc files.

如何导入私钥和公钥以及证书进入密钥库？

How do I import the private and public keys and certificates into the keystore?

按照这里的步骤进行操作
http://docs.oracle.com/javase/tutorial/security/toolsign/signer.html

Following the steps here http://docs.oracle.com/javase/tutorial/security/toolsign/signer.html

keytool -import -trustcacerts -keystore mykeystore -alias primary_root -file Thawte_Primary_Root_CA_Cross.cer
keytool -import -trustcacerts -keystore mykeystore -alias intermediate_root -file Thawte_Primary_Intermediate_Root_CA.cer
keytool -import -trustcacerts -keystore mykeystore -alias myalias -file Thawte_Primary_Intermediate_Root_CA.cer

T使用Netbeans7.3通过将其指向密钥库来进行签名并进行构建产生：

Trying to use Netbeans7.3 to sign the jar by pointing it to the keystore and doing a build produces:

jarsigner：找不到证书链for：primary_root。
primary_root必须引用包含
私钥和相应公钥证书链的有效KeyStore密钥条目。

jarsigner: Certificate chain not found for: primary_root. primary_root must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

我意识到我必须将私钥和公钥和证书导入密钥库，但目前尚不清楚如何。
这篇关于.crt文件的帖子，所以看起来不一样。 https://stackoverflow.com/a/8224863/398348
还
https://stackoverflow.com/a/9131421/398348

I realize I must import the private and public keys and certificates into the keystore, but it is not clear how. Posts like this talk of .crt files, so it does not seem the same thing. https://stackoverflow.com/a/8224863/398348 also https://stackoverflow.com/a/9131421/398348

无法加载PKCS7对象

unable to load PKCS7 object

推荐答案

更多细节会有所帮助，但是您在此处列出的文件似乎是CA证书链证书，例如没有任何文件名似乎表明它包含代码签名证书。从文件名中猜测，您需要将.spc和.pvk文件导入密钥库。

More details would help, however the files you list here seem to be CA certificate chain certificates e.g. none of the file names seem to indicate that it contains a code signing certificate. Guessing from your file names, you need to import the .spc and .pvk file to the keystore.

您必须有权访问OpenSSL命令行工具才能执行此操作。使用Linux / Unix机器或安装CygWin来访问它。

You have to have access to an OpenSSL command line tool to do that. Either use Linux/Unix machine or install CygWin to get access to it.

将spc文件转换为更合理的格式：

Convert spc file to a more sane format:

openssl pkcs7 -inform DER -in mycert.spc -print_certs -out mycert.crt

使用OpenSSL将密钥对（正确的.crt和相应的.pvk文件）转换为PKCS＃12密钥库

Use OpenSSL to convert keypair (correct .crt and corresponding .pvk file) to a PKCS#12 keystore

openssl pkcs12 -export -in mycert.crt -inkey mycert.pvk \
           -out mycert.p12 -name some-alias

将PKCS＃12格式文件转换为Java密钥库格式

Convert PKCS#12 format file into Java keystore format

keytool -importkeystore \
    -deststorepass changeit -destkeypass changeit -destkeystore mycert.keystore \
    -srckeystore mycert.p12 -srcstoretype PKCS12 -srcstorepass some-password \
    -alias some-alias

参见：

http://www.drh-consultancy.demon.co.uk/pkcs12faq.html

将Java密钥库中的现有x509证书和私钥导入在ssl中使用

这篇关于如何将私钥和公钥（pvk，spc）和证书（cer）导入密钥库？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！