CA PEM file to jks tomcat truststore


Problem description

I have been given a p12 public/private key signed by a certain CA. I have a local tomcat server that I am doing development work on. I am new to security but I believe that I need to get the CA public cert into my tomcat's truststore. (I am trying to get x509 certs working with CAS)

How do I get my tomcat (and JVM) to trust this CA? Is there a way to get the CA public cert out of a p12 and into my tomcat truststore? (I have also exported the cert from firefox to get a PEM file for the CA)

I see a lot of posts for jks to pem, but not the other way round. I just need the CA. (I think) :)

Recommended answer

Firstly, there's no guarantee that the p12 file you have contains the CA certificate with which the End Entity Certificate it contains was issued. Although it is useful for a keystore to contain intermediate certificates (as discussed here), containing the CA at the end of the chain is not necessary: if the remote party doesn't trust it, adding it to the chain won't make a difference (as discussed here).

You can check this using openssl pkcs12 -nokeys -out output.pem -in yourstore.p12. Look at the content of output.pem with a text editor, you should see whether the CA certificate is included. If not, contact the CA that issued your certificate, they should be able to provide it to you.

Then, to build a new keystore to use as a truststore, use keytool -import, for example keytool -import -keystore mytruststore.jks -file the_ca_file.pem. (That CA file should only contain the certificate of the CA, not the others. If you're copying this from the previous output, only use the relevant --BEGIN--...--END-- block.)

You're not saying whether you want this truststore to be used for authenticating clients connecting to your Tomcat server, or to be used for connections made by webapps running within Tomcat (in which case they're clients). Where and how to set up this truststore will depend on it. (In the second case, it's often useful to start from a copy of the default cacerts file, instead of creating a new store from scratch.)
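The procedure in this answer (dump the certificates out of the p12, keep only the CA's BEGIN/END block, import it into a fresh JKS) carried through as a shell script. This is an added example and not code from the original answer; it assumes the p12 lists the end-entity certificate first (as openssl pkcs12 normally does), uses placeholder names (yourstore.p12, mytruststore.jks, alias myca, store password changeit) that you should replace, and identifies the CA as the self-signed certificate in the dump. It also adds the check the answer implies but does not show: confirm that the certificate you are about to trust actually chains to your end-entity certificate, and stop if no CA certificate is in the p12 at all.

```shell
#!/bin/sh
# Extract the CA certificate from a PKCS#12 file and import it into a new JKS truststore.
# Added example, not from the original answer. Requires openssl and keytool for the
# build_truststore step; split_pem_bundle itself is plain awk and works on any PEM bundle.
set -eu

# Split a PEM bundle (e.g. the output of `openssl pkcs12 -nokeys`) into one file per
# certificate, named <prefix>-1.pem, <prefix>-2.pem, ... Only the text between
# BEGIN/END CERTIFICATE is kept; "Bag Attributes", subject= and issuer= lines that
# openssl emits between blocks are dropped, which is what the answer asks for.
# Prints the number of certificates found.
split_pem_bundle() {
  bundle=$1
  prefix=$2
  awk -v p="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = p "-" n ".pem"; inblock = 1 }
    inblock { print > out }
    /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
    END { print n + 0 }
  ' "$bundle"
}

# Given candidate certificate files, print the first self-signed one (subject == issuer):
# that is the root CA. Handles both "subject=CN = x" and the older "subject= /CN=x" output.
find_root_ca() {
  for f in "$@"; do
    subj=$(openssl x509 -in "$f" -noout -subject)
    iss=$(openssl x509 -in "$f" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# Usage: build_truststore yourstore.p12 mytruststore.jks
# Assumes cert-1.pem is the end-entity certificate (openssl pkcs12 writes it first).
build_truststore() {
  p12=$1
  jks=$2
  work=$(mktemp -d)
  # Step 1 from the answer: dump the certificates, no private key.
  openssl pkcs12 -in "$p12" -nokeys -out "$work/chain.pem"
  count=$(split_pem_bundle "$work/chain.pem" "$work/cert")
  echo "found $count certificate(s) in $p12"
  # Step 2: the answer warns the CA may not be in the p12 at all; fail clearly if so.
  ca=$(find_root_ca "$work"/cert-*.pem) || {
    echo "no self-signed CA certificate in $p12; ask the issuing CA for it" >&2
    return 1
  }
  # Check: the CA we are about to trust must actually validate our own certificate,
  # with any intermediates from the same dump allowed as untrusted chain material.
  openssl verify -CAfile "$ca" -untrusted "$work/chain.pem" "$work/cert-1.pem"
  # Step 3: import only the CA block into a new truststore (-noprompt skips the
  # "Trust this certificate?" question; change the alias and password as needed).
  keytool -importcert -noprompt -trustcacerts -alias myca \
    -file "$ca" -keystore "$jks" -storepass changeit
  keytool -list -keystore "$jks" -storepass changeit
}
```

For the second case the answer mentions (webapps acting as TLS clients), run the same keytool -importcert against a copy of the JRE's cacerts file instead of an empty mytruststore.jks and point the JVM at it with -Djavax.net.ssl.trustStore; for client-certificate authentication on the Tomcat side, the resulting file is what the connector's truststoreFile setting refers to.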

