Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same license, cite the original URL and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/652916/

Date: 2020-08-11 17:26:05  Source: igfitidea

Converting a Java Keystore into PEM Format

Tags: java, encryption, https, openssl, ssl-certificate

Asked by Chathuranga Chandrasekara

I am trying to convert from a Java keystore file into a PEM file using keytool and openssl applications. But I could not find a good way to do the conversion. Any ideas?

Instead of converting the keystore directly into PEM I tried to create a PKCS12 file first and then convert into relevant PEM file and Keystore. But I could not establish a connection using them. (Note that I just need a PEM file and a Keystore file to implement a secured connection. There is no restriction like "Start from a java keystore file". :) So starting from other formats is acceptable with my case)

But a direct conversion method from jks to pem is preferable.

Accepted answer by Stobor

It's pretty straightforward, using jdk6 at least...

bash$ keytool -keystore foo.jks -genkeypair -alias foo \
        -dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU'
Enter keystore password:  
Re-enter new password: 
Enter key password for 
        (RETURN if same as keystore password):  
bash$ keytool -keystore foo.jks -exportcert -alias foo | \
       openssl x509 -inform der -text
Enter keystore password:  asdasd
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1237334757 (0x49c03ae5)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=AU, ST=Victoria, L=Melbourne, CN=foo.example.com
        Validity
            Not Before: Mar 18 00:05:57 2009 GMT
            Not After : Jun 16 00:05:57 2009 GMT
        Subject: C=AU, ST=Victoria, L=Melbourne, CN=foo.example.com
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
                pub: 
                    00:e2:66:5c:e0:2e:da:e0:6b:a6:aa:97:64:59:14:
                    7e:a6:2e:5a:45:f9:2f:b5:2d:f4:34:27:e6:53:c7:
 

bash$ keytool -importkeystore -srckeystore foo.jks \
       -destkeystore foo.p12 \
       -srcstoretype jks \
       -deststoretype pkcs12
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  
Entry for alias foo successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

bash$ openssl pkcs12 -in foo.p12 -out foo.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

bash$ openssl x509 -text -in foo.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1237334757 (0x49c03ae5)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=AU, ST=Victoria, L=Melbourne, CN=foo.example.com
        Validity
            Not Before: Mar 18 00:05:57 2009 GMT
            Not After : Jun 16 00:05:57 2009 GMT
        Subject: C=AU, ST=Victoria, L=Melbourne, CN=foo.example.com
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
                pub: 
                    00:e2:66:5c:e0:2e:da:e0:6b:a6:aa:97:64:59:14:
                    7e:a6:2e:5a:45:f9:2f:b5:2d:f4:34:27:e6:53:c7:
 

bash$ openssl dsa -text -in foo.pem
read DSA key
Enter PEM pass phrase:
Private-Key: (1024 bit)
priv:
    00:8f:b1:af:55:63:92:7c:d2:0f:e6:f3:a2:f5:ff:
    1a:7a:fe:8c:39:dd
pub: 
    00:e2:66:5c:e0:2e:da:e0:6b:a6:aa:97:64:59:14:
    7e:a6:2e:5a:45:f9:2f:b5:2d:f4:34:27:e6:53:c7:



You end up with:

  • foo.jks - keystore in java format.
  • foo.p12 - keystore in PKCS#12 format.
  • foo.pem - all keys and certs from keystore, in PEM format.

(This last file can be split up into keys and certificates if you like.)

Command summary - to create JKS keystore:

keytool -keystore foo.jks -genkeypair -alias foo \
    -dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU'

Command summary - to convert JKS keystore into PKCS#12 keystore, then into PEM file:

keytool -importkeystore -srckeystore foo.jks \
   -destkeystore foo.p12 \
   -srcstoretype jks \
   -deststoretype pkcs12

openssl pkcs12 -in foo.p12 -out foo.pem

If you have more than one certificate in your JKS keystore, and you want to only export the certificate and key associated with one of the aliases, you can use the following variation:

keytool -importkeystore -srckeystore foo.jks \
   -destkeystore foo.p12 \
   -srcalias foo \
   -srcstoretype jks \
   -deststoretype pkcs12

openssl pkcs12 -in foo.p12 -out foo.pem

Command summary - to compare JKS keystore to PEM file:

keytool -keystore foo.jks -exportcert -alias foo | \
   openssl x509 -inform der -text

openssl x509 -text -in foo.pem

openssl dsa -text -in foo.pem

Answered by Charlie Martin

Well, OpenSSL should do it handily from a #12 file:

openssl pkcs12 -in pkcs-12-certificate-file -out pem-certificate-file
openssl pkcs12 -in pkcs-12-certificate-and-key-file -out pem-certificate-and-key-file

Maybe more details on what the error/failure is?

Answered by erickson

The keytool command will not allow you to export the private key from a key store. You have to write some Java code to do this. Open the key store, get the key you need, and save it to a file in PKCS #8 format. Save the associated certificate too.

import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;

KeyStore ks = KeyStore.getInstance("jks");
/* Load the key store. */
...
char[] password = ...;
/* Save the private key (getEncoded() on a private key returns PKCS #8 DER). */
FileOutputStream kos = new FileOutputStream("tmpkey.der");
Key pvt = ks.getKey("your_alias", password);
kos.write(pvt.getEncoded());
kos.flush();
kos.close();
/* Save the certificate (X.509 DER). */
FileOutputStream cos = new FileOutputStream("tmpcert.der");
Certificate pub = ks.getCertificate("your_alias");
cos.write(pub.getEncoded());
cos.flush();
cos.close();

Use OpenSSL utilities to convert these files (which are in binary format) to PEM format.

openssl pkcs8 -inform der -nocrypt < tmpkey.der > tmpkey.pem
openssl x509 -inform der < tmpcert.der > tmpcert.pem
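As an added example (not erickson's code and not part of the original answer), the following complete program does the same export but writes PEM directly from Java, so the openssl step is not needed. The class name JksToPem, the command-line argument layout and the output file names are assumptions. The private key is written unencrypted, exactly as openssl pkcs8 -nocrypt would produce it, so the file is created with owner-only permissions where the filesystem supports that, and an existing key file is never silently overwritten.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Base64;

/**
 * Exports one key entry of a JKS keystore as PEM without openssl (example code).
 * Usage: java JksToPem <keystore> <alias> <store-pass> [key-pass] [out-prefix]
 * Writes <out-prefix>.key (PKCS#8, unencrypted) and <out-prefix>.crt (certificate chain).
 */
public class JksToPem {

    /** Wraps DER bytes in a PEM envelope with 64-character Base64 lines. */
    static String toPem(String label, byte[] der) {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                .encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + b64 + "\n-----END " + label + "-----\n";
    }

    /** Creates a file readable and writable by the owner only; falls back on non-POSIX filesystems. */
    static void createPrivateFile(Path p) throws IOException {
        try {
            Files.createFile(p, PosixFilePermissions.asFileAttribute(
                    PosixFilePermissions.fromString("rw-------")));
        } catch (UnsupportedOperationException e) {
            Files.createFile(p); // e.g. Windows: restrict the ACL separately
        }
        // Files.createFile throws FileAlreadyExistsException, so an existing key is not overwritten.
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length < 3) {
            System.err.println("usage: JksToPem <keystore> <alias> <store-pass> [key-pass] [out-prefix]");
            System.exit(2);
        }
        String alias = args[1];
        char[] storePass = args[2].toCharArray();
        char[] keyPass = (args.length > 3 ? args[3] : args[2]).toCharArray();
        String prefix = args.length > 4 ? args[4] : alias;

        // Same type string as in the answer above; pass "PKCS12" here for a .p12 store.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalArgumentException("alias '" + alias + "' is not a key entry");
        }
        Key key = ks.getKey(alias, keyPass);
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException("entry '" + alias + "' holds a secret key, not a private key");
        }

        // PrivateKey.getEncoded() yields PKCS#8 DER: the same bytes the answer writes to tmpkey.der.
        Path keyFile = Paths.get(prefix + ".key");
        createPrivateFile(keyFile);
        Files.write(keyFile, toPem("PRIVATE KEY", key.getEncoded()).getBytes(StandardCharsets.US_ASCII));

        // Certificate chain, leaf first, each as an X.509 DER "CERTIFICATE" block.
        StringBuilder chain = new StringBuilder();
        for (Certificate cert : ks.getCertificateChain(alias)) {
            chain.append(toPem("CERTIFICATE", cert.getEncoded()));
        }
        Path certFile = Paths.get(prefix + ".crt");
        Files.write(certFile, chain.toString().getBytes(StandardCharsets.US_ASCII));
        System.out.println("wrote " + keyFile + " and " + certFile);
    }
}
```

Compile with javac JksToPem.java and run, for example, java JksToPem foo.jks foo changeit to get foo.key and foo.crt; the resulting files can be checked with openssl pkey -in foo.key -noout and openssl x509 -in foo.crt -noout -text, just as the answers above check foo.pem.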

Answered by sanghaviss

Direct conversion from jks to pem file using the keytool

keytool -exportcert -alias selfsigned -keypass password -keystore test-user.jks -rfc -file test-user.pem

Answered by Marco Luly

I found a very interesting solution:

http://www.swview.org/node/191

Then, I divided the pair public/private key into two files private.key publi.pem and it works!

Answered by cmcginty

I kept getting errors from openssl when using StoBor's command:

MAC verified OK
Error outputting keys and certificates
139940235364168:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:535:
139940235364168:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:97:
139940235364168:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:123:

For some reason, only this style of command would work for my JKS file.

keytool -importkeystore -srckeystore foo.jks \
   -destkeystore foo.p12 \
   -srcstoretype jks \
   -srcalias mykey \
   -deststoretype pkcs12 \
   -destkeypass DUMMY123

The key was setting destkeypass; the value of the argument did not matter.

Answered by asami

Simplified instructions to convert a JKS file to PEM and KEY format (.crt & .key):

keytool -importkeystore -srckeystore <Source-Java-Key-Store-File> -destkeystore <Destination-Pkcs12-File> -srcstoretype jks -deststoretype pkcs12 -destkeypass <Destination-Key-Password>

openssl pkcs12 -in <Destination-Pkcs12-File> -out <Destination-Pem-File>

openssl x509 -outform der -in <Destination-Pem-File> -out <Destination-Crt-File>

openssl rsa -in <Destination-Pem-File> -out <Destination-Key-File>

Answered by Mark Lagendijk

Converting a JKS KeyStore to a single PEM file can easily be accomplished using the following command:

keytool -list -rfc -keystore "myKeystore.jks" | sed -e "/-*BEGIN [A-Z]*-*/,/-*END [A-Z]-*/!d" >> "myKeystore.pem"

Explanation:

  1. keytool -list -rfc -keystore "myKeystore.jks" lists everything in the 'myKeyStore.jks' KeyStore in PEM format. However, it also prints extra information.
  2. | sed -e "/-*BEGIN [A-Z]*-*/,/-*END [A-Z]-*/!d" filters out everything we don't need. We are left with only the PEMs of everything in the KeyStore.
  3. >> "myKeystore.pem" writes the PEMs to the file 'myKeyStore.pem'.
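As an added example (not Mark Lagendijk's code and not part of the original answer), the following Java program does what the sed expression does, generalized: it extracts every PEM block from keytool -list -rfc output, or from the combined foo.pem that openssl pkcs12 writes in the accepted answer (Bag Attributes and alias chatter are dropped), and writes one file per block type, which is the "split up into keys and certificates" step mentioned there. The class name PemSplit, the argument layout and the .crt/.key suffix mapping are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Splits mixed PEM text (keytool -list -rfc output, or openssl pkcs12 -out output)
 * into one file per PEM label (example code). Usage: java PemSplit <input> <out-prefix>
 */
public class PemSplit {

    // One PEM block: the label after BEGIN must be repeated after END (backreference \1);
    // DOTALL lets the lazy body match span lines, \R accepts LF or CRLF line breaks.
    private static final Pattern BLOCK = Pattern.compile(
            "-----BEGIN ([A-Z0-9 ]+)-----\\R(.*?)\\R-----END \\1-----", Pattern.DOTALL);

    /** Collects every PEM block in text, grouped by label in order of first appearance. */
    static Map<String, StringBuilder> splitByLabel(String text) {
        Map<String, StringBuilder> out = new LinkedHashMap<>();
        Matcher m = BLOCK.matcher(text);
        while (m.find()) {
            out.computeIfAbsent(m.group(1), k -> new StringBuilder())
               .append(m.group()).append('\n');
        }
        return out;
    }

    /** Maps a PEM label to an output suffix; unknown labels get their own .pem file. */
    static String fileSuffix(String label) {
        switch (label) {
            case "CERTIFICATE":
                return ".crt";
            case "PRIVATE KEY":
            case "ENCRYPTED PRIVATE KEY":
            case "RSA PRIVATE KEY":
            case "DSA PRIVATE KEY":
            case "EC PRIVATE KEY":
                return ".key";
            default:
                return "." + label.toLowerCase().replace(' ', '_') + ".pem";
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: PemSplit <input-pem-or-keytool-output> <out-prefix>");
            System.exit(2);
        }
        String text = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);
        Map<String, StringBuilder> blocks = splitByLabel(text);
        if (blocks.isEmpty()) {
            throw new IOException("no PEM blocks found in " + args[0]);
        }
        for (Map.Entry<String, StringBuilder> e : blocks.entrySet()) {
            Path out = Paths.get(args[1] + fileSuffix(e.getKey()));
            Files.write(out, e.getValue().toString().getBytes(StandardCharsets.US_ASCII));
            System.out.println(e.getKey() + " -> " + out);
        }
    }
}
```

Typical use is keytool -list -rfc -keystore myKeystore.jks > dump.txt followed by java PemSplit dump.txt myKeystore, which yields myKeystore.crt for the trusted and entry certificates; when the input is the foo.pem produced by openssl pkcs12, the private key lands in foo.key (still passphrase-protected, with the ENCRYPTED PRIVATE KEY label, unless -nodes was used).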

Answered by Marcio Jasinski

In case you don't have openssl installed and you are looking for a quick solution, there is software called portcle which is very useful and small to download.

The disadvantage is that there is no command line as far as I know. But from the GUI, it is pretty straight forward to export a PEM private key:

  1. Open your JKS key store
  2. Right click over your private key entry and select export
  3. Select Private Key and certificates and PEM format

    Export PEM private key from JKS with Portcle

Answered by Johnnyboy

Try Keystore Explorer http://keystore-explorer.org/

KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner. It does openssl/pkcs12 as well.