How to convert trust certificate from .jks to .pem?

I have a Java SSL server to which I want my Java SSL client and C++ SSL client to be able to connect. The Java client connects without issues. Now I want to have my C++ SSL client to be able to connect. So for this purpose, I imagined that I want to export the serverpub.jks to a .pem file so that my C++ client can load it into its SSL context. But this is not working.

Below is a description of how I created the jks keystores for Java client and server and then how I am trying to export the serverpub.jks to .pem file.

step 1: Generate the Client and Server Keystores

c:\keytool -genkeypair -alias myserverkeys -keyalg RSA -dname "CN=my Server,OU=kl2217,O=kl2217org,L=NYC,ST=NY,C=US" -keypass password -keystore server.jks -storepass password
c:\keytool -genkeypair -alias myclientkeys -keyalg RSA -dname "CN=my Client,OU=kl2217,O=kl2217org,L=NYC,ST=NY,C=US" -keypass password -keystore myclient.jks -storepass password

step 2: Export the server public certificate and create a separate keystore

c:\keytool -exportcert -alias myserverkeys -file serverpub.cer -keystore myserver.jks -storepass spacex
c:\keytool -importcert -keystore serverpub.jks -alias serverpub -file serverpub.cer -storepass password

step 3: Export the client public certificate and create a separate keystore

c:\keytool -exportcert -alias myclientkeys -file clientpub.cer -keystore myclient.jks -storepass spacey
c:\keytool -importcert -keystore clientpub.jks -alias clientpub -file clientpub.cer -storepass password

So far so good.

Now here is where I run into problems.

step 4: Convert serverpub.jks to .pem format

c:\keytool -importkeystore -srckeystore serverpub.jks -destkeystore serverpub.p12 -srcstoretype jks -deststoretype pkcs12

And the reply

Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Problem importing entry for alias serverpub: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias serverpub not imported.
Do you want to quit the import process? [no]:

What does this mean? What am I doing wrong?

step 5: Would have been

c:\openssl pkcs12 -in serverpub.p12 -out serverpub.pem

But as you can see I couldn't get that far.

I would really appreciate some help understanding how to do this right.

Thanks

Unfortunately keytool explicitly will not let you export from a trust store since they are of the opinion that PEM files do not support the concept of trusted certificate. So I would use the keystore of cer files instead.

  • From a cer:

     openssl x509 -inform der -in serverpub.cer -out serverpub.pem

  • From a keystore:

     keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -deststoretype PKCS12
     openssl pkcs12 -in server.p12 -nokeys -out server.cer.pem
     openssl pkcs12 -in server.p12 -nodes -nocerts -out server.key.pem

or just try

keytool -exportcert -alias myserverkeys -keystore serverpub.jks -rfc -file serverpub.pem

The following simple single line command will export the certificate to PEM format. Yes, you need openssl, keytool alone can't do this.

keytool -exportcert -alias <CERT-ALIAS> -keystore <KEYSTORE-FILE> | openssl x509 -inform DER >cert.pem
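A trust store such as serverpub.jks holds only DER certificates plus an integrity hash, so each trustedCertEntry can be read out and PEM-encoded directly. The following is an added example, not part of the original posts: it parses the JKS container format in Python and runs on a constructed store that uses placeholder bytes in place of a real certificate. The function names are illustrative, and aliases are assumed to be plain ASCII.

```python
import base64, hashlib, struct

MAGIC, TRUSTED_CERT = 0xFEEDFEED, 2   # entry tag 2 = trustedCertEntry, 1 = private key

def read_utf(buf, pos):   # Java writeUTF string: 2-byte length, then bytes (ASCII assumed)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def read_blob(buf, pos):
    """4-byte big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def jks_digest(password, body):
    # Integrity hash: SHA-1(UTF-16BE password || "Mighty Aphrodite" || store body)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def trusted_certs_to_pem(jks, password):
    """Return {alias: PEM text} for a JKS store that holds only trusted certificates."""
    body, digest = jks[:-20], jks[-20:]
    if jks_digest(password, body) != digest:
        raise ValueError("integrity check failed: wrong password or modified store")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    pos, out = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, pos)
        alias, pos = read_utf(body, pos + 4)
        pos += 8                                    # creation timestamp (ms)
        if tag != TRUSTED_CERT:
            raise ValueError(alias + ": private-key entry, not handled in this example")
        if version == 2:
            _, pos = read_utf(body, pos)            # certificate type, e.g. "X.509"
        der, pos = read_blob(body, pos)
        out[alias] = der_to_pem(der)
    return out

def build_sample_store(password="password"):
    """Constructed input: one trusted entry with placeholder bytes, not a real certificate."""
    alias, ctype, der = b"serverpub", b"X.509", b"\x30\x03\x02\x01\x01" * 20
    body = struct.pack(">IIIIH", MAGIC, 2, 1, TRUSTED_CERT, len(alias)) + alias
    body += struct.pack(">QH", 0, len(ctype)) + ctype + struct.pack(">I", len(der)) + der
    return body + jks_digest(password, body)
```

On a real trust store, pass the file's bytes and the store password to `trusted_certs_to_pem`; a hash mismatch means the password is wrong or the file was altered after it was written.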
