• If you want to authenticate you need the private key - there is no other option.
• A certificate is a public key with extra properties (like company name, country,...) that is signed by some Certificate authority that guarantees that the attached properties are true.
• .CERfiles are certificates and don't have the private key. The private key is provided with a .PFX keystorefile normally. If you really authenticate is because you already had imported the private key.

• You normally can import .CERcertificates without any problems with

  keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias" 
  

• 如果要进行身份验证，则需要私钥 - 没有其他选择。
• 证书是具有额外属性（如公司名称、国家/地区...）的公钥，由某些证书颁发机构签署，以保证附加属性是真实的。
• .CER文件是证书，没有私钥。私钥.PFX keystore通常随文件一起提供。如果您真的进行身份验证是因为您已经导入了私钥。

• 您通常可以导入.CER证书而不会出现任何问题

  keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias" 
  

You shouldn't have to make any changes to the certificate. Are you sure you are running the right import command?

您不应该对证书进行任何更改。您确定您正在运行正确的导入命令吗？

The following works for me:

以下对我有用：

keytool -import -alias joe -file mycert.cer -keystore mycerts -storepass changeit

where mycert.cer contains:

其中 mycert.cer 包含：

-----BEGIN CERTIFICATE-----
MIIFUTCCBDmgAwIBAgIHK4FgDiVqczANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
...
RLJKd+SjxhLMD2pznKxC/Ztkkcoxaw9u0zVPOPrUtsE/X68Vmv6AEHJ+lWnUaWlf
zLpfMEvelFPYH4NT9mV5wuQ1Pgurf/ydBhPizc0uOCvd6UddJS5rPfVWnuFkgQOk
WmD+yvuojwsL38LPbtrC8SZgPKT3grnLwKu18nm3UN2isuciKPF2spNEFnmCUWDc
MMicbud3twMSO6Zbm3lx6CToNFzP
-----END CERTIFICATE-----

The certificate that you already have is probably the server's certificate, or the certificate used to sign the server's certificate. You will need it so that your web service client can authenticate the server.

您已经拥有的证书可能是服务器的证书，或者用于签署服务器证书的证书。您将需要它，以便您的 Web 服务客户端可以对服务器进行身份验证。

But if additionally you need to perform client authentication with SSL, then you need to get your own certificate, to authenticate your web service client. For this you need to create a certificate request; the process involves creating your own private key, and the corresponding public key, and attaching that public key along with some of your info (email, name, domain name, etc) to a file that's called the certificate request. Then you send that certificate request to the company that's already asked you for it, and they will create your certificate, by signing your public key with their private key, and they'll send you back an X509 file with your certificate, which you can now add to your keystore, and you'll be ready to connect to a web service using SSL requiring client authentication.

但是，如果您还需要使用 SSL 执行客户端身份验证，那么您需要获取自己的证书，以验证您的 Web 服务客户端。为此，您需要创建一个证书请求；该过程包括创建您自己的私钥和相应的公钥，并将该公钥与您的一些信息（电子邮件、姓名、域名等）附加到一个称为证书请求的文件中。然后，您将该证书请求发送给已经向您索要它的公司，他们将通过用他们的私钥签署您的公钥来创建您的证书，并且他们会向您发送带有您的证书的 X509 文件，您可以现在添加到您的密钥库，您就可以使用 SSL 连接到需要客户端身份验证的 Web 服务了。

To generate your certificate request, use "keytool -certreq -alias -file -keypass -keystore ". Send the resulting file to the company that's going to sign it.

要生成您的证书请求，请使用“keytool -certreq -alias -file -keypass -keystore”。将生成的文件发送给将要签署的公司。

When you get back your certificate, run "keytool -importcert -alias -keypass -keystore ".

取回证书后，运行“keytool -importcert -alias -keypass -keystore”。

You may need to used -storepass in both cases if the keystore is protected (which is a good idea).

如果密钥库受到保护（这是个好主意），您可能需要在这两种情况下都使用 -storepass。

Here is the code I've been using for programatically importing .cer files into a new KeyStore.

这是我一直用于以编程方式将 .cer 文件导入新 KeyStore 的代码。

import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
//VERY IMPORTANT.  SOME OF THESE EXIST IN MORE THAN ONE PACKAGE!
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

//Put everything after here in your function.
KeyStore trustStore  = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null);//Make an empty store
InputStream fis = /* insert your file path here */;
BufferedInputStream bis = new BufferedInputStream(fis);

CertificateFactory cf = CertificateFactory.getInstance("X.509");

while (bis.available() > 0) {
    Certificate cert = cf.generateCertificate(bis);
    trustStore.setCertificateEntry("fiddler"+bis.available(), cert);
}

Importing .cercertificate file downloaded from browser (open the url and dig for details) into cacertskeystore in java_home\jre\lib\securityworked for me, as opposed to attemps to generate and use my own keystore.

导入.cer从浏览器下载证书文件（打开详细信息的URL和DIG）到cacerts的密钥存储在java_home\jre\lib\security为我工作，而不是attemps生成和使用自己的密钥库。

1. Go to your java_home\jre\lib\security
2. (Windows) Open admin command line there using cmdand CTRL+SHIFT+ENTER
3. Run keytool to import certificate:
   • (Replace yourAliasNameand path\to\certificate.cerrespectively)

1. 去你的 java_home\jre\lib\security
2. （视窗）打开管理员命令行使用存在cmd和CTRL+ SHIFT+ENTER
3. 运行 keytool 导入证书：
   • （分别替换yourAliasName和path\to\certificate.cer）

 ..\..\bin\keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias yourAliasName -file path\to\certificate.cer

This way you don't have to specify any additional JVM options and the certificate should be recognized by the JRE.

这样您就不必指定任何额外的 JVM 选项，并且证书应该被 JRE 识别。

Here's how this worked for me:

这对我来说是如何工作的：

1. Save as .txt the certificate data in the following format in a text editor

   -----BEGIN CERTIFICATE----- [data serialized by microsoft] -----END CERTIFICATE-----

2. Open chrome browser (this step might work with other browsers too) settings > show advanced settings > HTTPS/SSL > manage certificates Import the .txt in step 1
3. Select and export that certificate in Base-64 encoded format. Save it as .cer
4. Now you can use keytool or Portecle to import it to your java keystore

1. 在文本编辑器中按以下格式将证书数据另存为 .txt

   -----BEGIN CERTIFICATE----- [由微软序列化的数据] -----END CERTIFICATE -----

2. 打开 Chrome 浏览器（此步骤也适用于其他浏览器）设置 > 显示高级设置 > HTTPS/SSL > 管理证书在步骤 1 中导入 .txt
3. 选择并以 Base-64 编码格式导出该证书。将其另存为 .cer
4. 现在您可以使用 keytool 或 Portecle 将其导入您的 java 密钥库

Here's a script I used to batch import a bunch of crt files in the current directory into the java keystore. Just save this to the same folder as your certificate, and run it like so:

这是我用来将当前目录中的一堆crt文件批量导入java keystore的脚本。只需将其保存到与您的证书相同的文件夹中，然后像这样运行它：

./import_all_certs.sh

import_all_certs.sh

import_all_certs.sh

KEYSTORE="$(/usr/libexec/java_home)/jre/lib/security/cacerts";

function running_as_root()
{
  if [ "$EUID" -ne 0 ]
    then echo "NO"
    exit
  fi

  echo "YES"
}

function import_certs_to_java_keystore
{
  for crt in *.crt; do 
    echo prepping $crt 
    keytool -import -file $crt -storepass changeit -noprompt --alias alias__${crt} -keystore $KEYSTORE
    echo 
  done
}

if [ "$(running_as_root)" == "YES" ]
then
  import_certs_to_java_keystore
else
  echo "This script needs to be run as root!"
fi

An open source GUI tool is available at keystore-explorer.org

keystore-explorer.org提供了一个开源 GUI 工具

KeyStore Explorer

KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner. KeyStore Explorer presents their functionality, and more, via an intuitive graphical user interface.

密钥库资源管理器

KeyStore Explorer 是 Java 命令行实用程序 keytool 和 jarsigner 的开源 GUI 替代品。KeyStore Explorer 通过直观的图形用户界面展示其功能以及更多功能。

Following screens will help (they are from the official site)

以下屏幕会有所帮助（它们来自官方网站）

Default screen that you get by running the command:

通过运行命令获得的默认屏幕：

shantha@shantha:~$./Downloads/kse-521/kse.sh

And go to Examineand Examine a URLoption and then give the web URL that you want to import.

然后转到Examine和Examine a URL选项，然后提供要导入的网址。

The result window will be like below if you give google site link.

如果您提供 google 站点链接，结果窗口将如下所示。

This is one of Use case and rest is up-to the user(all credits go to the keystore-explorer.org)

这是用例之一，其余由用户决定（所有积分都转到keystore-explorer.org）