Java 密钥库可以导入 OpenSSL 生成的密钥对吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2685512/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Can a Java key store import a key pair generated by OpenSSL?
提问by Jef
I generate a certification key with openssl. Here is my command:
我用 openssl 生成了一个认证密钥。这是我的命令:
openssl genrsa -des3 -out enc_key.pem 1024
openssl genrsa -des3 -out enc_key.pem 1024
I export into cer file, then with java keytool I import into java keystore (jks).
我导出到 cer 文件,然后使用 java keytool 导入 java keystore (jks)。
The keystore sounds good. I can load the keystore from my java app.
密钥库听起来不错。我可以从我的 Java 应用程序加载密钥库。
The problem is when client connect to the server (In this case is FTP server, not web server, and I use apache mina), the exception occured:
问题是当客户端连接到服务器(在这种情况下是 FTP 服务器,而不是 Web 服务器,我使用 apache mina)时,发生了异常:
javax.net.ssl.SSLHandshakeException: SSL handshake failed. at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:433) at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$5(DefaultIoFilterChain.java:429)
javax.net.ssl.SSLHandshakeException:SSL 握手失败。在 org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:433) 在 org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) 在 org.apache.mina.core .filterchain.DefaultIoFilterChain.access$5(DefaultIoFilterChain.java:429)
...
...
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source) at javax.net.ssl.SSLEngine.wrap(Unknown Source)
引起:javax.net.ssl.SSLHandshakeException:com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl 没有共同的密码套件.checkTaskThrown(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source) at javax.net .ssl.SSLEngine.wrap(来源不明)
...
...
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
引起:javax.net.ssl.SSLHandshakeException:com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl 上没有共同的密码套件.fatal(来源不明)
There is a few things that I want to ask:
有几点想请教一下:
- What is the cipher of certification that I generate with openssl? How can we know? maybe by command line openssl xxx?
- I go to http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA. And I put SSL_RSA_xxx to enabled cipher suites, but still can't work (I put SSL_RSA because it the SSL is using ssl implisit, and genrsa, just my opinion genrsa is generate RSA). Is it correct?
- Anybody knows the solution?
- Or, anybody knows how to generate the standard keystore from openssl command line until can be used in java app (off course with the cipher). Because right now I can generate the certification from openssl and export keystore java, but I don't know what is the cipher that I used and how I use in the java app. Note: I can run if the keystore is generate directly FROM java. Right now the problem is if the keystore generated by java keytool from certification like openssl (and other maybe).
- 我用 openssl 生成的认证密码是什么?我们怎么知道?也许通过命令行 openssl xxx?
- 我去http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA。而且我将 SSL_RSA_xxx 放入启用的密码套件,但仍然无法工作(我放入 SSL_RSA 是因为 SSL 使用 ssl implisit 和 genrsa,只是我认为 genrsa 是生成 RSA)。这是正确的吗?
- 有人知道解决方案吗?
- 或者,任何人都知道如何从 openssl 命令行生成标准密钥库,直到可以在 Java 应用程序中使用(当然,密码除外)。因为现在我可以从 openssl 生成证书并导出密钥库 java,但我不知道我使用的密码是什么以及我如何在 java 应用程序中使用。注意:如果密钥库是直接从 java 生成的,我可以运行。现在的问题是,如果 java keytool 从像 openssl 这样的证书(和其他可能)中生成的密钥库。
Any help will be appreciated! Thanks
任何帮助将不胜感激!谢谢
采纳答案by erickson
Why are you using OpenSSL to generate the keypair? Why not just use keytool?
为什么要使用 OpenSSL 生成密钥对?为什么不直接使用keytool?
The genrsatool just generates a private key. How are you creating a corresponding certificate? How are you importing the private key into your Java keystore? (I ask, because keytoolcan only import a private key from an existing key store, and only from Java 6 onward.)
该genrsa工具只生成一个私钥。您如何创建相应的证书?您如何将私钥导入 Java 密钥库?(我问,因为keytool只能从现有的密钥库中导入私钥,而且只能从 Java 6 开始。)
I suspect that your problem is that your key store doesn't contain a key entry (private key andcorresponding certificate). When you list the keystore contents with keytool, how many entries are there? Are they key entries or trusted entries?
我怀疑您的问题是您的密钥库不包含密钥条目(私钥和相应的证书)。当您使用 列出密钥库内容时keytool,有多少条目?它们是关键条目还是可信条目?
The server needs access to the private key in order to authenticate itself. To import a private key, use Java 6'senhanced keytool.
服务器需要访问私钥才能对其进行身份验证。要导入私钥,请使用Java 6 的增强keytool.
After creating the key and the certificate with OpenSSL, use OpenSSL to create a PKCS #12 key store:
使用 OpenSSL 创建密钥和证书后,使用 OpenSSL 创建 PKCS #12 密钥库:
openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
Then convert this store into a Java key store:
然后将此存储转换为 Java 密钥存储:
keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12
Now use server.jksin your SSL-enable server, which contains the certificate andthe private key.
现在server.jks在启用 SSL 的服务器中使用,其中包含证书和私钥。
