How to remove just one certificate from a certificate chain in a Java keystore

Notice: this page is a Chinese-English translation of a popular StackOverflow question and is licensed under CC BY-SA 4.0. If you reuse it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/31441070/

Time: 2020-11-02 18:37:56  Source: igfitidea

How to remove just one certificate from a certificate chain in a Java keystore

Tags: java, ssl, https, ssl-certificate, keystore

Asked by Robert Tupelo-Schneck

I have a Tomcat server with a certificate chain for HTTPS stored in a Java keystore. The chain includes the self-signed root CA certificate. Although this is apparently okay by the TLS spec, some validation services warn about it, and it's probably better to leave it off.

How can I edit the keystore to remove just the self-signed root CA certificate, but leave the rest of the chain and the private key intact?

Answered by Robert Tupelo-Schneck

First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):

keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12

Next, export a PEM file with key and certs from the PKCS12 file:

openssl pkcs12 -in old.p12 -out pemfile.pem -nodes

Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes").

Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, e.g. "tomcat", at this point.

openssl pkcs12 -export -in pemfile.pem -name tomcat -out new.p12

Finally, convert back from PKCS12 to JKS:

keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12

The file new.jks is what you want.

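The same result can be reached without the JKS/PKCS12/PEM round trip, by rewriting the key entry through the Java KeyStore API. The following is an added example, not code from the answer above: it loads the entry, drops any trailing certificate that is self-signed (issuer equals subject and the signature verifies under the certificate's own key), and stores the same private key with the shortened chain in a new file. The class name TrimChain, the command-line arguments, the "JKS" store type and the assumption that the key password equals the store password are all mine.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Rewrites one key entry so its chain no longer ends in a self-signed root. */
public class TrimChain {

    /** True when issuer == subject and the certificate verifies under its own public key. */
    static boolean isSelfSigned(Certificate cert) {
        if (!(cert instanceof X509Certificate)) return false;
        X509Certificate x = (X509Certificate) cert;
        if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) return false;
        try {
            x.verify(x.getPublicKey()); // throws on a bad signature or a key mismatch
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /** Drops trailing self-signed certificates, but never the end-entity certificate at index 0. */
    static Certificate[] withoutSelfSignedRoot(Certificate[] chain) {
        int keep = chain.length;
        while (keep > 1 && isSelfSigned(chain[keep - 1])) keep--;
        return Arrays.copyOf(chain, keep);
    }

    // Hypothetical invocation: java TrimChain old.jks new.jks tomcat <password>
    public static void main(String[] args) throws Exception {
        String src = args[0], dst = args[1], alias = args[2];
        char[] password = args[3].toCharArray(); // assumes key password == store password
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(src)) {
            ks.load(in, password);
        }
        Key key = ks.getKey(alias, password);
        Certificate[] chain = ks.getCertificateChain(alias);
        Certificate[] trimmed = withoutSelfSignedRoot(chain);
        // Same alias, same private key, shorter chain; written to a new file so old.jks stays intact.
        ks.setKeyEntry(alias, key, password, trimmed);
        try (FileOutputStream out = new FileOutputStream(dst)) {
            ks.store(out, password);
        }
    }
}
```

After running it, `keytool -list -v -keystore new.jks` should show one fewer certificate in the chain for the alias, with the end-entity certificate and its private key unchanged.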

Answered by BruceWayne

keytool -delete -alias <alias> -keystore lib/security/cacerts -storepass changeit