
How to remove just one certificate from a certificate chain in a Java keystore

I have a Tomcat server with a certificate chain for HTTPS stored in a Java keystore. The chain includes the self-signed root CA certificate. Although this is apparently okay by the TLS spec, some validation services warn about it, and it's probably better to leave it off.

How can I edit the keystore to remove just the self-signed root CA certificate, but leave the rest of the chain and the private key intact?

First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):

keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12

Next, export a PEM file with key and certs from the PKCS12 file:

openssl pkcs12 -in old.p12 -out pemfile.pem -nodes

Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes").

Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, eg "tomcat", at this point.

openssl pkcs12 -export -in pemfile.pem -name tomcat -out new.p12

Finally, convert back from PKCS12 to JKS:

keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12

The file new.jks is what you want.
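As an added example (not part of the answer above), this Python script automates the manual "edit pemfile.pem" step: it parses the PEM that openssl pkcs12 -nodes writes, drops the one certificate whose subject= line equals its issuer= line (the self-signed root), strips the Bag Attributes headers, and keeps the private key and the rest of the chain. The sample PEM is constructed and the function names are my own.

```python
import re
# One PEM block: BEGIN line, body, matching END line (DOTALL lets .*? span the body).
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----\n", re.DOTALL)

def split_bags(text):
    """Yield (attrs, block): attrs is the openssl header text before each PEM block."""
    pos = 0
    for m in BLOCK_RE.finditer(text):
        yield text[pos:m.start()], m.group(0)
        pos = m.end()

def is_self_signed(attrs, block):
    # openssl prints "subject=..." / "issuer=..." before each cert; equal means self-signed.
    fields = dict(re.findall(r"^(subject|issuer)=(.*)$", attrs, re.MULTILINE))
    return ("CERTIFICATE" in block and "subject" in fields
            and fields["subject"].strip() == fields.get("issuer", "").strip())

def strip_self_signed_root(text):
    """Return (filtered_pem, removed). Headers are dropped; pkcs12 -export needs none."""
    kept, removed = [], 0
    for attrs, block in split_bags(text):
        if is_self_signed(attrs, block):
            removed += 1
        else:
            kept.append(block)
    if removed != 1:  # a chain has exactly one self-signed root; anything else is a mistake
        raise ValueError("expected one self-signed cert, found %d" % removed)
    return "".join(kept), removed
# Constructed sample in the layout openssl pkcs12 -nodes writes; bodies are dummies.
SAMPLE_PEM = """\
Bag Attributes
-----BEGIN PRIVATE KEY-----
KEYBODY
-----END PRIVATE KEY-----
subject=/CN=www.example.com
issuer=/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFBODY
-----END CERTIFICATE-----
subject=/CN=Example Intermediate CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEBODY
-----END CERTIFICATE-----
subject=/CN=Example Root CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
ROOTBODY
-----END CERTIFICATE-----
"""
```

Write the returned text over pemfile.pem and continue with the openssl pkcs12 -export step; the alias still comes from -name, so dropping the headers loses nothing.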

keytool -delete -alias <alias> -keystore lib/security/cacerts -storepass changeit
