iOS: changing the password of a p12 file

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it you must follow the same CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/29971837/

Date: 2020-08-31 05:50:02  Source: igfitidea

Changing password on p12 file

ios, push-notification, apple-push-notifications

Asked by heLL0

I was forwarded a p12 file from a client with the push cert.

Can I change the password of this p12 file without any ramifications and if yes, can I use something like this:

openssl pkcs12 -in Certificates.p12 -out temp.pem -passin pass: -passout pass:temppassword
openssl pkcs12 -export -in temp.pem -out Certificates-final.p12 -passin pass:temppassword -passout pass:newpa-ssword
rm -rf temp.pem

I found this on this website here

Accepted answer by SysHex

There will be no problem.

PFX is an encrypted container, changing the password of the container will have no effect on the certificates inside the container.

Answer by nyov

No, you cannot do so without ramifications.
Exporting PKCS#12 contents with openssl will lose information which won't be restored upon re-creation of the PKCS#12.
Whether that metadata is important to you will depend on your PKCS#12 contents and your use-case.

There does not seem to be a way of simply "changing the password of the container" with openssl. (However, you can use Java's keytool to do this, as I explain later.)

TL;DR: use this instead of your openssl command: keytool -importkeystore -srckeystore source.p12 -srcstoretype PKCS12 -srcstorepass:file ssp -destkeystore dest.p12 -deststoretype PKCS12 -deststorepass:file dsp -destkeypass:file dsp

OpenSSL

Here is a comparison between a re-created PKCS#12 and its original, from an old (and invalid) German tax login keystore I had for testing.

In my case a PKCS#12 re-created in this way was no longer valid/working for the intended application (certificate-based login), so I had to find a different solution.

Short overview (the original, then the re-created file):

$ openssl pkcs12 -info -in Certificates.p12 -noout
Enter Import Password:
MAC:sha1 Iteration 1024
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag

$ openssl pkcs12 -info -in Certificates-final.p12 -noout
Enter Import Password:
MAC:sha1 Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

And now a diff between the original exported PEM file contents, and the re-exported PEM of the re-created PKCS#12. (I have redacted some base64 lines and also re-ordered the PEM data in the output to make the diff shorter and the changes more obvious.)
You can see the original had two private keys (a signaturekey and an encryptionkey) while the new one only has one, as well as lost metadata on the Certificate bags. Also note how the localKeyIDs have been changed:

$ openssl pkcs12 -in Certificates.p12 -out temp.pem
$ openssl pkcs12 -in Certificates-final.p12 -out temp2.pem

$ diff -up temp.pem temp2.pem
--- temp.pem
+++ temp2.pem
@@ -1,74 +1,38 @@
 Bag Attributes
-    friendlyName: encryptionkey
-    localKeyID: 54 4B 6A 30 42 67 43 63 35 33 6D 7A 30 45 44 47 47 44
+    localKeyID: DD 42 1D 23 0E 11 BB D7 0D 54 B7 10 D0 C6 F5 40 B6 B5 2C A4
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIpJIbNX5suS8CAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECEUOqFMc2ya4BIIEyKcSq/QtaSQe
-KaGI+xHwWXmJ8kPova4Ypjy9ELFYH/qpOlfyvE2NUE8sTPfMmTGZfVgmzajZiAkv
-2bGbJJqotmBnX7Kq4R+p8rAsMNQeyc6Hz6HOFHB2u51m/+v6U89BnxZjzYPfBLrL
-mtEJJoEKLrwjh4lCZuEQjQ==
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIStmsb0FWO6ECAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECFnnIOcMl607BIIEyJeDvQMny+9a
+g38QaURLMHGW1ZcSl1SQL3aISeF9OOVNDT6SdpH9ta+ZiBL47KYYRmzb/mrkAk8w
+xEdaY/v8/l4zo86XS3ZXX9/59rieb3YAm6GfyTAYyAwU+xMz0FHPtWjN0sWKFamx
+49Gel9yYCtfc9oRKdvaBuQ==
 -----END ENCRYPTED PRIVATE KEY-----
 Bag Attributes
-    friendlyName: signaturekey
-    localKeyID: 54 4B 6A 30 42 67 43 63 35 33 6D 7A 30 45 44 47 41 41
-Key Attributes: <No Attributes>
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIw8wbVkc1YxICAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCUFgpxoljgKBIIEyCIseTm0Y7uL
-6IaAqRqwPxb64iBLLN9E/XOkA5ZAzO4MgSsZieZQfpXLJPdTdnKx9WauzpDGVfs5
-p+i5Dmrl9olI2wEOCGdoG7YzzVh4SoTAf/4v9yJRylCXREoYDdK/EM09Am1XWRVa
-fqNaWVRO/1vfv7Rgc2Mwbw==
------END ENCRYPTED PRIVATE KEY-----
-Bag Attributes
-    friendlyName: encryptionkey
-    localKeyID: 54 4B 6A 30 42 67 43 63 35 33 6D 7A 30 45 44 47 47 44
+    localKeyID: DD 42 1D 23 0E 11 BB D7 0D 54 B7 10 D0 C6 F5 40 B6 B5 2C A4
 subject=/serialNumber=991954729C/CN=991954729
 issuer=/C=DE/O=Elster/OU=CA/CN=ElsterIdNrSoftCA
 -----BEGIN CERTIFICATE-----
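
Review bot: the second private key is missing from the re-created file in this hunk: the signaturekey Bag Attributes and its ENCRYPTED PRIVATE KEY block appear only on "-" lines with no "+" counterpart, and both friendlyName attributes are dropped while the localKeyID is regenerated. Before trusting a file produced this way, confirm with "openssl pkcs12 -info" that the number of Shrouded Keybag lines still matches the original, or use the keytool -importkeystore route from the TL;DR instead.
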
@@ -96,8 +60,7 @@ QmpEFSHJxYXOtyar3x9Viad9r9KtcVViJxe/cpVE
 u4rfbLegLqZsXPVlY+6+k/vokTD9Oc0IdXHNk1u1dSTUc4rvxohZAxKW+5/EoLar
 +AajwQNu5CmFz76Y6tDOS7XqUFkdu6JNMvBfuFNAng2GXwo/l8LsstAz/w==
 -----END CERTIFICATE-----
-Bag Attributes
-    friendlyName: CN=ElsterIdNrSoftCA,OU=CA,O=Elster,C=DE
+Bag Attributes: <No Attributes>
 subject=/C=DE/O=Elster/OU=CA/CN=ElsterIdNrSoftCA
 issuer=/C=DE/O=Elster/OU=RootCA/CN=ElsterRootCA
 -----BEGIN CERTIFICATE-----
@@ -126,8 +89,7 @@ SxtMZZVZ6RuHLwfz+QYJ+uKghjImnZ7Gy93+S1yD
 FwWQnJ1RBEUTIwMI9rrIGH5R4sUzfeS6YvJOCTcO372IC1CKRpx3odvLFR+FYM7/
 nO/mlyfpTHkJrRm1IavqyBq0rUKbTUP7
 -----END CERTIFICATE-----
-Bag Attributes
-    friendlyName: CN=ElsterRootCA,OU=RootCA,O=Elster,C=DE
+Bag Attributes: <No Attributes>
 subject=/C=DE/O=Elster/OU=RootCA/CN=ElsterRootCA
 issuer=/C=DE/O=Elster/OU=RootCA/CN=ElsterRootCA
 -----BEGIN CERTIFICATE-----
@@ -156,9 +118,7 @@ EgzvybfTPjUTXr4G1FZyAJkUAw4EdHZ8K2fIijy6
 VThgfYVrIfjKr00WsIW1QC3aWWCfgs19UjeLOPtydDgsU+UBAZg/fFTKYwQpx1Jg
 n8L8DNLudrfbsj6m7Ir39fVi634a+v9k
 -----END CERTIFICATE-----
-Bag Attributes
-    friendlyName: signaturekey
-    localKeyID: 54 4B 6A 30 42 67 43 63 35 33 6D 7A 30 45 44 47 41 41
+Bag Attributes: <No Attributes>
 subject=/serialNumber=991954729A/CN=991954729
 issuer=/C=DE/O=Elster/OU=CA/CN=ElsterIdNrSoftCA
 -----BEGIN CERTIFICATE-----
@@ -186,8 +146,7 @@ vByFoXLDf57jp0k2wGws31IBsPDmzlhlwziMstzk
 u4rfbLegLqZsXPVlY+6+k/vokTD9Oc0IdXHNk1u1dSTUc4rvxohZAxKW+5/EoLar
 zH7xfL59iS81Ok7F3kyWroq7Y6L5iG3+aXEVJyA9FfuGY2dKSVliqNQzEA==
 -----END CERTIFICATE-----
-Bag Attributes
-    friendlyName: CN=ElsterIdNrSoftCA,OU=CA,O=Elster,C=DE
+Bag Attributes: <No Attributes>
 subject=/C=DE/O=Elster/OU=CA/CN=ElsterIdNrSoftCA
 issuer=/C=DE/O=Elster/OU=RootCA/CN=ElsterRootCA
 -----BEGIN CERTIFICATE-----
@@ -216,8 +175,7 @@ SxtMZZVZ6RuHLwfz+QYJ+uKghjImnZ7Gy93+S1yD
 jftsxZFkkWV/2zx5Lw/pTruKSlWx4bSC9oWB9Tk1w10ST80JsVCFoeezonHq8zLF
 nO/mlyfpTHkJrRm1IavqyBq0rUKbTUP7
 -----END CERTIFICATE-----
-Bag Attributes
-    friendlyName: CN=ElsterRootCA,OU=RootCA,O=Elster,C=DE
+Bag Attributes: <No Attributes>
 subject=/C=DE/O=Elster/OU=RootCA/CN=ElsterRootCA
 issuer=/C=DE/O=Elster/OU=RootCA/CN=ElsterRootCA
 -----BEGIN CERTIFICATE-----

Besides the lost metadata, losing a private key on import here seems actually quite problematic to me. So make certain to test your new PKCS#12, and possibly back up your old one in a safe location!
Tested with

$ openssl version
OpenSSL 1.1.0f  25 May 2017


keytool

keytool is a key and certificate management utility and is part of the Java JRE, for managing Java's keystore. In this case I use OpenJDK's version.
You might find this (on Linux) as /usr/bin/keytool, or in your Java installation, e.g. at /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/keytool.

With keytool you can change only the container password (keystore password), without touching any keys inside (which is probably not what you want, though):

$ keytool -list -storetype pkcs12 -keystore Certificates.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 2 entries

encryptionkey, Jan 1, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): DD:42:1D:23:0E:11:BB:D7:0D:54:B7:10:D0:C6:F5:40:B6:B5:2C:A4
signaturekey, Jan 1, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): 18:F6:3F:FA:29:79:08:18:34:9A:99:CA:B7:47:AD:B0:36:49:A2:EB

Now we change the container password (this overwrites the old file):

$ keytool -storetype pkcs12 -keystore Certificates.p12 -storepasswd
Enter keystore password:
New keystore password:
Re-enter new keystore password:

And compare the results:

$ keytool -list -storetype pkcs12 -keystore Certificates.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 2 entries

encryptionkey, Jan 1, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): DD:42:1D:23:0E:11:BB:D7:0D:54:B7:10:D0:C6:F5:40:B6:B5:2C:A4
signaturekey, Jan 1, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): 18:F6:3F:FA:29:79:08:18:34:9A:99:CA:B7:47:AD:B0:36:49:A2:EB

$ openssl pkcs12 -info -in Certificates.p12 -noout
Enter Import Password:
MAC:sha1 Iteration 100000
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag

So keytool upgraded the iteration count, but the key alias information (encryptionkey/signaturekey) and file order in the container have been retained.

Note, however, that this only changes the password of the PKCS#12 keystore; it does not touch the passwords of any encrypted private keys. This is useful if you use PKCS#12 to store different keys with different encryption passphrases. But it also means that you need to remember all of them, and you can no longer export these keys using openssl, as openssl can only handle keys that share the same password as the PKCS#12 container:

$ openssl pkcs12 -in Certificates.p12 -out temp0.pem
Enter Import Password:
Error outputting keys and certificates
140661347983616:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:535:
140661347983616:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
140661347983616:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:

You can then only export certificates from this file, using -nokeys:

$ openssl pkcs12 -in Certificates.p12 -out temp0.pem -nokeys


Finally, to actually change the keystore/container password and the encrypted key password(s) inside (WHICH IS most likely WHAT YOU WANT), you can use this magic invocation:

$ keytool -importkeystore \
    -srckeystore "${SRCFILE}" -srcstoretype PKCS12 -srcstorepass:file ssp \
    -destkeystore "${DSTFILE}" -deststoretype PKCS12 -deststorepass:file dsp -destkeypass:file dsp

Importing keystore Certificates.p12 to Certificates-final.p12...
Entry for alias encryptionkey successfully imported.
Entry for alias signaturekey successfully imported.
Import command completed:  2 entries successfully imported, 0 entries failed or cancelled

$ rm ssp dsp

Where SRCFILE and DSTFILE are your PKCS#12 files respectively, and ssp and dsp are files that you safely wrote your source- and dest-passphrases to, earlier (keytool can also read from environment variables using :env instead of :file. And you can pass the passphrases on the command line, but remember that that is the least safe option and gets logged in your shell history.)

After now having re-created the PKCS#12, you can verify that the metadata and order of the contents was preserved:

$ keytool -list -storetype pkcs12 -keystore Certificates-final.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 2 entries

encryptionkey, Jun 17, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): DD:42:1D:23:0E:11:BB:D7:0D:54:B7:10:D0:C6:F5:40:B6:B5:2C:A4
signaturekey, Jun 17, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 18:F6:3F:FA:29:79:08:18:34:9A:99:CA:B7:47:AD:B0:36:49:A2:EB

$ openssl pkcs12 -info -in Certificates-final.p12 -noout
Enter Import Password:
MAC:sha1 Iteration 100000
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag

$ openssl pkcs12 -in Certificates-final.p12 -out temp3.pem
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

(again, I have redacted some base64 lines of the PEM for brevity)

$ diff -up temp.pem temp3.pem
--- temp.pem
+++ temp3.pem
@@ -1,74 +1,74 @@
 Bag Attributes
     friendlyName: encryptionkey
-    localKeyID: 54 4B 6A 30 42 67 43 63 35 33 6D 7A 30 45 44 47 47 44
+    localKeyID: 54 4B 6A 30 42 67 45 62 39 32 65 75 33 40 45 47 47 42
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI/f7cW8Pvi6MCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECErznPIoMLg5BIIEyImqsql6iZH7
-I+ig1yWIlimEVNmSlgT1klEFnR83b8rIohq4cvX8lcrCs/5POc22023zlHx8dSnB
-+3OxV/uoGIwU3IhXlNb41dt3fF349dbnwJrDcv4Fw3lfc0v2Wl3P1b17P9/LJeUa
-EmmUy4UHQU2THwLQctyD1A==
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI9UYIDREjVVYCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECLWYUFhHE9lJBIIEyOIA+7TqLJ+V
+lpHBcm4GIwfiEuCRHBBxHg1QGeEN7MHW5imXe4ktFPlYJFU5jCZeHVyP+mkEEiNL
+PbozodEkdGweAGnpE2+wbOQOl67q+XdICgqRZAosjBUSnBOFYH0Lk8Gr/n0NNrdR
+yohBYL8PfeKyAzL4wKm5hQ==
 -----END ENCRYPTED PRIVATE KEY-----
 Bag Attributes
     friendlyName: signaturekey
-    localKeyID: 54 4B 6A 30 42 67 43 63 35 33 6D 7A 30 45 44 47 41 41
+    localKeyID: 54 4B 6A 30 42 67 45 62 39 32 65 75 33 40 45 46 43 40
 Key Attributes: <No Attributes>
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI8VzhkYDa8/oCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECIP5tmyQb2b/BIIEyNGpbxkv286e
-5gjectU9q6yecwP6/w2jGLN3jNwsUN3+3Zn92BRoPKsn5j5WryP4G/mu0QJnLmFM
-Cy92Cu41oUeR+q9ePmj+Z1Tjj//8uq4D5F0wZhcPjnhNqdnENfLxkt+CGywoX25A
-4Ia+Pt5EmZmx9vpca4j13Q==
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIN7z1PFx1ONACAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECFI18ERY6QXpBIIEyIDmBKgCkqbK
+HF9qm8etjBpoyuBtElaNNyeQA9QwYCD2I0vYsPVcOGRE8VO6LmmFXIvx/KcK8rxi
+QSb4K6eM2VcrZqBqw6hHONi5/CkxYQpBcHCLOH+V/CR4i2BHu7pl/JdAIx/7emMX
+ul0+m+zoGCHlpWuOkCSe+A==
 -----END ENCRYPTED PRIVATE KEY-----
 Bag Attributes
     friendlyName: encryptionkey
-    localKeyID: 54 4B 6A 30 42 67 43 63 35 33 6D 7A 30 45 44 47 47 44
+    localKeyID: 54 4B 6A 30 42 67 45 62 39 32 65 75 33 40 45 47 47 42
 subject=/serialNumber=991954729C/CN=991954729
 issuer=/C=DE/O=Elster/OU=CA/CN=ElsterIdNrSoftCA
 -----BEGIN CERTIFICATE-----
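
Review bot: in this hunk only the localKeyID lines and the (re-encrypted) key material differ; both friendlyName attributes and the second Shrouded Keybag survive as context lines, so no entry was lost this time. The localKeyID values are nevertheless new, so any consumer that looks keys up by localKeyID rather than by alias should be tested against the new file.
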
@@ -158,7 +158,7 @@ n8L8DNLudrfbsj6m7Ir39fVi634a+v9k
 -----END CERTIFICATE-----
 Bag Attributes
     friendlyName: signaturekey
-    localKeyID: 54 4B 6A 30 42 67 43 63 35 33 6D 7A 30 45 44 47 41 41
+    localKeyID: 54 4B 6A 30 42 67 45 62 39 32 65 75 33 40 45 46 43 40
 subject=/serialNumber=991954729A/CN=991954729
 issuer=/C=DE/O=Elster/OU=CA/CN=ElsterIdNrSoftCA
 -----BEGIN CERTIFICATE-----

And we see that the private keys have been re-encrypted (updated timestamp shown by keytool), but compared to openssl's output, this time, aside from the change in iteration count, only the localKeyID has changed.
Everything is still in there, and in the original order. Much better!

Whether that is close enough to the original file, again, depends on your use-case. The upgraded iteration count better protects against brute-force attacks on the keys, but could potentially be fatal if you need to use them with an old browser or OS which can't handle such high iteration counts. (Since those are of the IE 4.0 and WinNT age, however, this should not be a problem in most cases.)

Using this procedure with keytool, I could change the password of my PKCS#12 keys in a way that was still usable and valid for my application.

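
A small check for the "make certain to test your new PKCS#12" advice in the answer above, as an added example that is not part of nyov's answer or of any tool it mentions: it parses the structural lines of `openssl pkcs12 -info -noout` output for the original and the re-created file and reports lost private keys, a changed certificate count, or lowered iteration counts. The `P12Summary` and `compare` names are my own; the three sample texts are the outputs shown in the answer.

```python
"""Sanity-check a PKCS#12 container before and after a password change by comparing
the structural lines that `openssl pkcs12 -info -noout` prints for each file."""
import re
from dataclasses import dataclass, field

@dataclass
class P12Summary:
    mac_iter: int = 0                              # MAC iteration count
    key_iters: list = field(default_factory=list)  # one entry per Shrouded Keybag
    cert_bags: int = 0                             # number of "Certificate bag" lines

def parse_openssl_info(text: str) -> P12Summary:
    """Parse the lines of `openssl pkcs12 -info` output that describe the structure."""
    s = P12Summary()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"MAC:\s*\S+\s+Iteration\s+(\d+)", line):
            s.mac_iter = int(m.group(1))
        elif m := re.match(r"Shrouded Keybag:.*Iteration\s+(\d+)", line):
            s.key_iters.append(int(m.group(1)))
        elif line == "Certificate bag":
            s.cert_bags += 1
    return s

def compare(before: P12Summary, after: P12Summary) -> list:
    """Findings that mean the new file is not a faithful copy; [] means nothing lost."""
    findings = []
    lost = len(before.key_iters) - len(after.key_iters)
    if lost > 0:
        findings.append(f"lost {lost} private key(s): {len(before.key_iters)} -> {len(after.key_iters)}")
    if after.cert_bags != before.cert_bags:
        findings.append(f"certificate bags changed: {before.cert_bags} -> {after.cert_bags}")
    weaker = any(a < b for a, b in zip(after.key_iters, before.key_iters))
    if after.mac_iter < before.mac_iter or weaker:
        findings.append("iteration count was lowered (weaker against brute force)")
    return findings

# Sample outputs copied from the answer above (prompt lines dropped, order kept).
ORIG_INFO = """\
MAC:sha1 Iteration 1024
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
""" + "Certificate bag\n" * 6

OPENSSL_ROUTE_INFO = """\
MAC:sha1 Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
""" + "Certificate bag\n" * 6 + """\
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
"""

KEYTOOL_ROUTE_INFO = """\
MAC:sha1 Iteration 100000
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
""" + "Certificate bag\n" * 6

if __name__ == "__main__":
    for name, text in (("openssl", OPENSSL_ROUTE_INFO), ("keytool", KEYTOOL_ROUTE_INFO)):
        print(name, compare(parse_openssl_info(ORIG_INFO), parse_openssl_info(text)) or "OK")
```

Feed it the text that `openssl pkcs12 -info -in file.p12 -noout` prints for each file (collect stdout and stderr together); on the answer's own outputs the openssl route reports the lost key and the keytool route comes back clean.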
Answer by Ztyx

I just stumbled across this page. Does it work?

To avoid dead links here is the contents of the blog post:

With the following procedure you can change your password on a .pfx certificate using openssl.

Export your current certificate to a passwordless pem type:

[user@hostname]>openssl pkcs12 -in mycert.pfx -out tmpmycert.pem -nodes
Enter Import Password:
MAC verified OK

Convert the passwordless pem to a new pfx file with password:

[user@hostname]openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem
Enter Export Password:
Verifying - Enter Export Password:

Remove the temporary file:

[user@hostname]rm tmpmycert.pem

Now you are done and can use the new mycert2.pfx file with your new password.

Answer by user1585916

Using keytool there is no need to export anything and you won't lose any information. keytool can be used to change both passwords (keystore and private key). The key (excuse the pun) here is to change the password of the private key first. Otherwise, if the keystore password is different from the private key's, keytool will not be able to change the password of the private key.

First change the password of the private key: keytool -keystore <your.p12> -keypasswd -alias <alias_of_private_key>

Then change the password of the keystore: keytool -keystore <your.p12> -storepasswd

That's all there is to it.

(Note: This method will still modify the iteration count the same way that @nyov's method does.)
