Java: convert a certificate from pem to jks
Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, released under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me): StackOverFlow
Original: http://stackoverflow.com/questions/22296312/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
convert certificate from pem into jks
Asked by Narf
I have to convert a certificate in pem format into a Java key store, to use it with Tomcat on a Windows server.
I've got these files:
cert_request.csr
-----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----
cert_public_key.pem
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
cert_private_key.pem
-----BEGIN ENCRYPTED PRIVATE KEY----- ... -----END ENCRYPTED PRIVATE KEY-----
cert.txt
contains a 16 digit key
I tried to combine the pem files (by concatenating the two files so they are chained together) and converted this with openssl into a
- .der file and import that with keytool into an new keystore
- same with .p12
- directly imported to keystore
I also tried to change the
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
into
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
and tried the 3 ways above.
What do I have to do to get a working certificate?
EDIT:
I combined cert_public_key.pem and cert_private_key.pem into cert_comb.pem:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
Accepted answer by dave_thompson_085
You aren't clear which files you combined, but it should work to use openssl to combine the cert and private key to a PKCS#12:
cat cert_public_key.pem cert_private_key.pem >combined.pem
openssl pkcs12 -export -in combined.pem -out cert.p12
or on the fly, but (update:) the private key must be first:
cat cert_private_key.pem cert_public_key.pem | openssl pkcs12 -export -out cert.p12
If your cert needs any chain cert(s) -- the CA should have told you this when you submitted the CSR and they issued the cert -- it's easiest to also include it(them) now.
Then (1) some Java programs can actually use a pkcs12 directly as a keystore, but (2) if you need or prefer a JKS use keytool:
keytool -importkeystore -srckeystore cert.p12 -srcstoretype pkcs12 -destkeystore cert.jks
If you care about the alias in the resulting JKS, easiest to fix it after converting.
Also: just changing the labels in an encrypted PEM doesn't unencrypt it, nor does changing the label from generic PKCS#8 to RSA actually change the data to match (and they are different, though only a little). If you do want a separate PEM file with the decrypted private key:
openssl pkey -in encryptedpk8 -out clearpk8.pem # 1.0.0 up
openssl pkcs8 -in encryptedpk8 -out clearpk8.pem # 1.0.0 up
openssl pkcs8 -topk8 -nocrypt -in encryptedpk8 -out clearpk8.pem # below 1.0.0
openssl rsa -in encryptedpk8 -out clearrsa.pem
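The same conversion done in plain Java instead of openssl plus keytool, as an added example that is not part of this answer: it reads cert_public_key.pem (with any chain certs appended after the server cert) and an already-decrypted PKCS#8 key such as the clearpk8.pem produced by the pkcs8 -topk8 -nocrypt command above, picks the key algorithm from the certificate, checks that the key really belongs to the certificate, and writes a JKS directly (Java can write JKS itself, so keytool is optional). The class name PemToJks and the command-line arguments are assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;   // wins over the deprecated java.security.Certificate
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
// Added example (not from the answer): builds a JKS from cert_public_key.pem (leaf cert,
// optionally followed by chain certs) and an UNENCRYPTED PKCS#8 key (BEGIN PRIVATE KEY).
public class PemToJks {
    // Strips the PEM armour of one block and returns its DER bytes.
    static byte[] pemToDer(String pem) {
        return Base64.getDecoder().decode(pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", ""));
    }
    static PrivateKey readPkcs8Key(String path, String algorithm) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        // Relabelling an ENCRYPTED or RSA PRIVATE KEY block does not make it PKCS#8, so refuse.
        if (!pem.contains("-----BEGIN PRIVATE KEY-----"))
            throw new IllegalArgumentException("need unencrypted PKCS#8: run openssl pkcs8 -topk8 -nocrypt first");
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(pemToDer(pem)));
    }
    // Signs a nonce with the key and verifies it with the cert's public key: a key that does
    // not belong to the certificate is rejected before it can land in the keystore.
    static boolean keyMatchesCert(PrivateKey key, Certificate cert) throws Exception {
        String alg = key.getAlgorithm();
        Signature s = Signature.getInstance(alg.equals("EC") ? "SHA256withECDSA" : "SHA256with" + alg);
        byte[] nonce = new byte[32]; new SecureRandom().nextBytes(nonce);
        s.initSign(key); s.update(nonce);
        byte[] sig = s.sign();
        s.initVerify(cert.getPublicKey()); s.update(nonce);
        return s.verify(sig);
    }
    // usage: java PemToJks cert_public_key.pem clearpk8.pem cert.jks tomcat <password>
    public static void main(String[] args) throws Exception {
        char[] password = args[4].toCharArray();
        Certificate[] chain;
        try (InputStream in = new FileInputStream(args[0])) { // CertificateFactory reads PEM directly
            chain = CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new Certificate[0]);
        }
        PrivateKey key = readPkcs8Key(args[1], chain[0].getPublicKey().getAlgorithm());
        if (!keyMatchesCert(key, chain[0]))
            throw new IllegalStateException("private key does not match the certificate");
        KeyStore ks = KeyStore.getInstance("JKS"); // "PKCS12" here writes the cert.p12 for the keytool step instead
        ks.load(null, null);                       // start from an empty store
        ks.setKeyEntry(args[3], key, password, chain);
        try (OutputStream out = new FileOutputStream(args[2])) { ks.store(out, password); }
    }
}
```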
Answer by nablex
First question: you only have a certificate request? Not an actual certificate? It needs to be signed, you can self-sign it or have it signed by an external party.
If you have the actual cert you can use this to parse the private key file and the cert file:
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
// parse the private key (byteArray: the DER bytes of an unencrypted PKCS#8 key)
KeyFactory keyFactory = KeyFactory.getInstance("RSA"); // might not be RSA
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(byteArray);
PrivateKey privateKey = keyFactory.generatePrivate(spec);
// parse cert (generateCertificate returns a plain Certificate, so cast it)
CertificateFactory factory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) factory.generateCertificate(certInputStream);
// add it to the keystore (store: a loaded KeyStore; password: char[] protecting the entry)
store.setKeyEntry(alias, privateKey, password, new X509Certificate[] { cert });
UPDATE
As far as I know the command line keytool does not support any advanced options like signing a csr. Even standard Java does not support this; you need an external library like Bouncy Castle. This is not easy. E.g.:
JcaPKCS10CertificationRequest pkcs10 = new JcaPKCS10CertificationRequest(csrBytes);
X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
        issuer,              // X500Name of the signing CA
        generateSerialId(),  // your own helper: a unique BigInteger serial
        new Date(),          // notBefore
        until,               // notAfter
        subject,             // X500Name, normally taken from the CSR
        pkcs10.getPublicKey()
);
X509CertificateHolder holder = builder.build(getContentSigner(privateKey));
X509Certificate cert = getCertificate(holder); // your own helper, e.g. via JcaX509CertificateConverter
...
ContentSigner getContentSigner(PrivateKey privateKey) {
    AsymmetricKeyParameter keyParameter = PrivateKeyFactory.createKey(privateKey.getEncoded());
    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256WITHRSA"); // or what you want
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
    return new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(keyParameter);
}