Java: adding a certificate chain to a p12 (pfx) certificate
Note: this page is a bilingual translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me) on Stack Overflow.
Original: http://stackoverflow.com/questions/18787491/
Adding certificate chain to p12(pfx) certificate
Asked by bary
I have an application in Java and CXF which connects to WebServices with a client certificate.
I got the certificates from the WebService owner:
- certificate.p12
- certificate.pem
- certificate.crt
- trusted_ca.cer
- root_ca.cer
I have a problem with straightforwardly converting this p12 certificate to the working JKS keystore required by Java.
I did this:
keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore certificate1.jks -deststoretype JKS -storepass secret
keytool -import -alias root -file root_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret
keytool -import -alias trusted -file trusted_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret
but this JKS doesn't work, and I get the HTTP response '403: Forbidden' when using certificate1.jks.
However, if I import this p12 (pfx) certificate into Internet Explorer, then export it from IE in pfx format with the "Include all certificates in the certification path" checkbox selected, and use:
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype PKCS12 -destkeystore certificate2.jks -deststoretype JKS -storepass secret
keytool -import -alias root -file root_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret
keytool -import -alias trusted -file trusted_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret
then everything works fine and I can connect to the WebService using certificate2.jks.
I found that the original certificate.p12 (pfx) contains only one entry (Certificate chain length: 1):
keytool -list -keystore certificate.p12 -storepass secret -storetype PKCS12 -v
*******************************************
*******************************************
Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=MyCompany, [email protected], O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
...
*******************************************
*******************************************
while the certificate.pfx exported from IE with "Include all certificates in the certification path" contains a certificate chain with the second, Trusted CA certificate (Certificate chain length: 2):
keytool -list -keystore certificate.p12 -storepass secret -storetype PKCS12 -v
*******************************************
*******************************************
Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=MyCompany, [email protected], O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
...
Certificate[2]:
Owner: CN=Trusted CA, O=ble ble ble, C=PL
Issuer: CN=ROOT CA, O=ble ble ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
*******************************************
*******************************************
So to solve my problem I need a p12 certificate with the chain up to the trusted CA certificate. I can do this by importing the p12 into IE and then exporting it back with "Include all certificates in the certification path".
How can I do this without IE, using keytool or another tool?
Bary
Accepted answer by bary
Own answer.
I figured out how to do this with OpenSSL:
openssl pkcs12 -in certificate.p12 -out clientcert.pem -nodes -clcerts
openssl x509 -in trusted_ca.cer -inform DER -out trusted_ca.pem
openssl x509 -in root_ca.cer -inform DER -out root_ca.pem
cat clientcert.pem trusted_ca.pem root_ca.pem >> clientcertchain.pem
openssl pkcs12 -export -in clientcertchain.pem -out clientcertchain.pfx
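For the same result from Java instead of OpenSSL or IE, here is an added example (not part of the question or either answer) that reads certificate.p12, orders the trusted_ca.cer and root_ca.cer files into a chain by following issuer links and checking each issuer's signature, and writes a new PKCS#12 carrying the full chain. It assumes the key entry's password is the same as the store password "secret" used above.

```java
import java.io.*;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class AddChainToP12 {
    // Walk from the leaf towards the root: pick the CA whose subject is the current issuer and
    // check that link's signature, so an unrelated or wrong CA file is rejected, not packed in.
    static List<Certificate> buildChain(X509Certificate leaf, List<X509Certificate> cas) throws Exception {
        List<Certificate> chain = new ArrayList<>();
        X509Certificate current = leaf;
        chain.add(current);
        while (!current.getIssuerX500Principal().equals(current.getSubjectX500Principal())) {
            X509Certificate issuer = null;
            for (X509Certificate ca : cas) {
                if (ca.getSubjectX500Principal().equals(current.getIssuerX500Principal())) issuer = ca;
            }
            if (issuer == null) throw new IllegalStateException("no issuer for " + current.getSubjectX500Principal());
            current.verify(issuer.getPublicKey()); // throws if the signature does not check out
            chain.add(issuer);
            current = issuer;
        }
        return chain; // leaf first, root last, as keytool lists Certificate[1], Certificate[2], ...
    }

    static X509Certificate readCert(String path) throws Exception { // DER (.cer) or PEM both work
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "secret".toCharArray(); // assumed: key password equals the store password
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream("certificate.p12")) { src.load(in, pass); }
        List<X509Certificate> cas = Arrays.asList(readCert("trusted_ca.cer"), readCert("root_ca.cer"));
        KeyStore dst = KeyStore.getInstance("PKCS12");
        dst.load(null, null); // start from an empty keystore
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!src.isKeyEntry(alias)) continue; // only private-key entries carry a chain
            Key key = src.getKey(alias, pass);
            List<Certificate> chain = buildChain((X509Certificate) src.getCertificate(alias), cas);
            dst.setKeyEntry(alias, key, pass, chain.toArray(new Certificate[0]));
        }
        try (OutputStream out = new FileOutputStream("clientcertchain.p12")) { dst.store(out, pass); }
    }
}
```

Running keytool -list -v on clientcertchain.p12 afterwards should report Certificate chain length: 3 (leaf, Trusted CA, ROOT CA).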
Answer by Cristian Solervicéns
If you are working on Windows, you can install the certificate as usual through IIS, then open mmc.exe -> File -> Add / Remove Snap-in -> double-click "Certificates", select "Computer Account", Next, Finish, OK.
Expand Certificates and, if needed, add the certificates from the CA into "Intermediate Certification Authorities" or "Trusted Root Certification Authorities".
Then go to "Web Hosting", where your website certificates must be. Select the certificate, left-click on it, select Export and follow the wizard. The important things to check are "Include Private Key", include all certificates in the chain, and export all extended properties; you must set a password, select the output file name, and that is it. Now you have a certificate with the complete chain in it. No more problems with Facebook or similar.