SSL : CSR file created with openSSL and installing with keytool

I have created CSR with the command openSSL and purchased crt files.

openssl genrsa -out private-key.pem 2048 
openssl req -new -key private-key.pem -out csr.pem

Will it be OK to install this by using keystore command as I have not created CSR file by using keytool (but created using openSSL)?

Another question is I have got three files from the trusted certificate generation company. So how to identify which one is primary, root, intermediate crt files? File type (root, intermediate) is not mentioned in the filename itself. I have to run following commands on the basis of crt file type.

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file [name of the root certificate]

keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file [name of the intermediate certificate]

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file [name of the certificate]

Will it be OK to install this by using keystore command as I have not created CSR file by using keytool (but created using openSSL)?

You will have to import the private key into the keystore as well. Otherwise the keystore will be useless.

There are two ways to do this:

  1. Create a PKCS#12 file with OpenSSL first and then convert this file to JKS with keytool (see here).
  2. Use KeyStore Explorer, it has import/export features for OpenSSL formats. Instructions can be found here.

Another question is I have got three files from the trusted certificate generation company. So how to identify which one is primary, root, intermediate crt files?

You have to take a look at the content of the certificates, especially their distinguished names (DNs).

  • The root CA certificate always has identical SubjectDN and IssuerDN.
  • The intermediate CA has root CA's SubjectDN as its IssuerDN and a different SubjectDN.
  • The SSL certificate has the intermediate CA's SubjectDN as its IssuerDN and the domain name as part of its SubjectDN.

The OpenSSL command for printing out the SubjectDN and IssuerDN depends on the format of the certificate file (DER or PEM). DER is a binary format, PEM is an ASCII format. If you are not sure, try both:

openssl x509 -noout -subject -issuer -nameopt RFC2253 -inform DER -in <cert-file>

or

openssl x509 -noout  -subject -issuer -nameopt RFC2253 -inform PEM -in <cert-file>
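
The DN comparison described in the answer above, as an added example that is not part of the original post: it runs the same `openssl x509` query over a set of files, trying PEM and then DER, and labels each file by how its SubjectDN and IssuerDN relate to the others. The function names, the `cert1.crt`..`cert3.crt` file names and the demo DNs are assumptions made for illustration.

```shell
#!/bin/sh
# Print one DN. $1 is -subject or -issuer, $2 is the file; PEM is tried, then DER.
cert_dn() {
    for fmt in PEM DER; do
        if out=$(openssl x509 -noout "$1" -nameopt RFC2253 -inform "$fmt" -in "$2" 2>/dev/null); then
            printf '%s\n' "${out#*=}"   # drop the "subject=" / "issuer=" label
            return 0
        fi
    done
    return 1
}

# Print "<role> <file>" for every file given as an argument.
classify_chain() {
    for f in "$@"; do
        s=$(cert_dn -subject "$f") || { printf 'unreadable %s\n' "$f"; continue; }
        i=$(cert_dn -issuer "$f")
        role=server                   # default: no other file is issued by it
        if [ "$s" = "$i" ]; then
            role=root                 # SubjectDN equals IssuerDN
        else
            for g in "$@"; do         # does another file name this subject as issuer?
                if [ "$g" != "$f" ] && [ "$(cert_dn -issuer "$g")" = "$s" ]; then
                    role=intermediate
                fi
            done
        fi
        printf '%s %s\n' "$role" "$f"
    done
}

# Constructed sample input: a throwaway chain under opaque file names
# (hypothetical DNs, no CA extensions; the server certificate is written as DER).
make_demo_chain() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
          -keyout r.key -out cert3.crt &&
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
          -keyout i.key -out i.csr &&
      openssl x509 -req -days 1 -in i.csr -CA cert3.crt -CAkey r.key \
          -CAcreateserial -out cert1.crt &&
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
          -keyout l.key -out l.csr &&
      openssl x509 -req -days 1 -in l.csr -CA cert1.crt -CAkey i.key \
          -CAcreateserial -outform DER -out cert2.crt ) >/dev/null 2>&1
}

if [ "$#" -gt 0 ]; then classify_chain "$@"; fi
```

The file reported as `root` is the one for the `-alias root` import, `intermediate` for `-alias intermed`, and `server` for `-alias tomcat`.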
