Creating .p12 truststore with openssl


Problem description

I'm writing a Java 8 application and want to set up a simple keystore and truststore using a self-signed certificate.

Usually this looks as follows:

  1. Create a keypair + certificate using openssl.
  2. Create a .jks keystore + .jks truststore using keytool

Now I'd like to only use openssl and create .p12 keystores instead of .jks keystores.

Creating a .p12 keystore works great using the following commands:

# Create private key and certificate
openssl req -x509 -newkey rsa:"${rsa}" -sha256 \
    -keyout "${key}" \
    -out "${cert}" \
    -days "${days}"

# Create .p12 keystore
openssl pkcs12 -export -in "${cert}" -inkey "${key}" -out "${keystore}"

This keystore seems to be working correctly, as providing a corresponding .jks truststore in my Java application will get the TLS connection going. However I can't get a .p12 truststore working.

I tried creating the truststore as suggested here:

# Create .p12 truststore
openssl pkcs12 -export -nokeys -in "${cert}" -out "${truststore}"

and then loaded it like this:

// Load the openssl-generated .p12 file through the PKCS12 KeyStore provider
FileInputStream fis = new FileInputStream(new File(truststorePath));
KeyStore trustStore = KeyStore.getInstance("PKCS12");
trustStore.load(fis, truststorePassword.toCharArray());
fis.close();

but I receive the following exception in my java code:

Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Any ideas what I'm doing wrong?

(A working snippet using .p12 truststore with Java 8 would be greatly appreciated.)

Recommended answer

A possible explanation for this behaviour:

The standard PKCS#12 provider up to Java 7 did not allow trusted certificate entries at all. The JSSE Reference Guide says this:

Storing trusted certificates in a PKCS12 keystore is not supported. PKCS12 is mainly used to deliver private keys with the associated certificate chains. It does not have any notion of "trusted" certificates. In terms of interoperability, other PKCS12 vendors have the same restriction. Browsers such as Mozilla and Internet Explorer do not accept a PKCS12 file with only trusted certificates.

This has changed a bit in Java 8, which supports trusted certificates in PKCS#12 - if they are marked with a special attribute (OID 2.16.840.1.113894.746875.1.1):

openssl pkcs12 -in microsoft.p12 -info
MAC Iteration 1024
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
Certificate bag
Bag Attributes
    friendlyName: microsoft it ssl sha2 (baltimore cybertrust root)
    2.16.840.1.113894.746875.1.1: <Unsupported tag 6>


Sources:

  • https://github.com/kaikramer/keystore-explorer/issues/35
  • https://github.com/kaikramer/keystore-explorer/issues/11
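As an added example (not code from the question or the answer), the Java 8 snippet below first counts how many trusted-certificate entries Java actually sees in a PKCS12 file (an openssl cert-only .p12 without the attribute above yields zero, which is what leaves the trust anchors empty), then writes a truststore through Java 8's own PKCS12 KeyStore, which adds the trust attribute when storing a certificate entry. File paths, the alias "self-signed" and the password are placeholders passed on the command line.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Enumeration;
import javax.net.ssl.TrustManagerFactory;

public class P12TrustStoreCheck {

    /** Number of trusted-certificate entries the PKCS12 provider exposes for this file. */
    static int countTrustedEntries(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int trusted = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) trusted++;
        }
        return trusted;
    }

    /** Builds a PKCS12 truststore from a PEM certificate via the Java 8 KeyStore API. */
    static void writeTrustStore(String certPem, String outPath, char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate cert;
        try (InputStream in = new FileInputStream(certPem)) {
            cert = cf.generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                         // start from an empty store
        ks.setCertificateEntry("self-signed", cert); // placeholder alias
        try (FileOutputStream out = new FileOutputStream(outPath)) {
            ks.store(out, password);                 // Java 8 marks the entry with the trust OID
        }
    }

    public static void main(String[] args) throws Exception {
        // args: <openssl-made truststore.p12> <cert.pem> <output truststore.p12> <password>
        char[] pw = args[3].toCharArray();
        System.out.println("openssl truststore: " + countTrustedEntries(args[0], pw) + " trusted entries");
        writeTrustStore(args[1], args[2], pw);
        System.out.println("java-written truststore: " + countTrustedEntries(args[2], pw) + " trusted entries");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[2])) { ks.load(in, pw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // a store with zero trusted entries is what leads to the empty trustAnchors error
    }
}
```

Run it as `java P12TrustStoreCheck truststore.p12 cert.pem truststore-java.p12 changeit`; the second file is the one to hand to your application, and `openssl pkcs12 -in truststore-java.p12 -info -nokeys` will show the 2.16.840.1.113894.746875.1.1 bag attribute on it.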
