如何将JKS转换为Docker Registry cert / key?
[英]How to convert JKS into Docker Registry cert/key?
问题描述
I am trying to set up a secure Docker Registry on two VMs (for HA) and have a question about setting up the SSL. 
我试图在两个虚拟机(用于HA)上设置安全的Docker注册表 ,并且对设置SSL有疑问。 According to that link in the docs, I need to have a certs directory with two files in it: 根据文档中的链接,我需要有一个带有两个文件的certs目录:
-
registry.crt- the CA certregistry.crt-CA证书 -
registry.key- ???registry.key-??? (private key?)(私钥?)
I have been given a Java JKS (keystore) that contains in it a wildcard CA cert that will work for these VMs. 我得到了一个Java JKS(密钥库),其中包含一个通配符CA证书,可用于这些VM。 I was able to successfully export the cert out of the keystore like so: 我能够成功将证书从密钥库中导出,如下所示:
keytool -export -alias certalias -file registry.crt -keystore mycerts.jks
So far so good: I have registry.crt . 到目前为止一切顺利:我有registry.crt 。 However a few related questions/concerns are preventing me from completing this setup: 但是,一些相关的问题/担忧阻止我完成此设置:
- What is the
*.keyfile, how is it different than the cert, and how do I extract it from the JKS?*.key文件是什么,它与cert有什么区别,如何从JKS中提取它? - Where is Docker/Registry expecting this
certsdirectory on each VM?Docker / Registry在每个VM上的哪个certs目录中应该在哪里? Perhaps/home/myuser/?也许/home/myuser/? Is this location configurable?!?这个位置可以配置吗?! - As the link explains, a special additional action is required if your CA cert is an " intermediary " cert. 如该链接所述,如果您的CA证书是“ 中间 ”证书,则需要采取特殊的附加措施。 How can I tell if my cert is intermediary or not? 我怎么知道我的证书是中介的?
1 个解决方案
解决方案1
2 已采纳 2015-09-18 20:32:20
There are really three questions here. 这里确实有三个问题。 You should probably ask different questions. 您可能应该问其他问题。 I don't know the answer to your second one but will answer for the other two. 我不知道第二个答案,但会为其他两个答案。
In simple terms in the context of SSL the client initiates a secure connection using the public key contained in the certificate. 简单来说,在SSL上下文中,客户端使用证书中包含的公钥启动安全连接。 Only the server who possesses the according (private) key can answer and therefore establish the connection. 只有拥有相应(专用)密钥的服务器才能应答并因此建立连接。 (There's a lot more going on.) (还有很多事情要做。)
The short regarding the keystore is: Do yourself a favor and use a tool like KeyStore Explorer . 关于密钥库的简短描述是:帮个忙,并使用KeyStore Explorer之类的工具。 No affiliation, I just like the tool. 没有从属关系,我只是喜欢该工具。 Exporting the private key with keytool is not that simple. 用keytool导出私钥并不是那么简单。 As far as I know you cannot export the private key directly. 据我所知,您不能直接导出私钥。 You can however export to PKCS12 and use other tools like OpenSSL from there : 但是,您可以从那里导出到PKCS12并使用其他工具,例如OpenSSL :
keytool -importkeystore -srckeystore existing-store.jks -destkeystore new-store.p12 -deststoretype PKCS12
If you only have one self-signed certificate (signer is the same as subject), you don't need to worry about intermediaries. 如果只有一个自签名证书(签名者与主题相同),则无需担心中介。 An intermediate certificate means that the certificate signed by the CA that signed your certificate is itself signed by yet another CA. 中间证书意味着由签署您的证书的CA签署的证书本身又由另一个CA签署。
CA 0 (signed by CA 0) - well known certificate, self-signed
\_ CA 1 (signed by CA 0) - intermediate certificate
\_ Your Cert (signed by CA 1)
In order to verify the integrity of your certificate the whole chain must be known to the client. 为了验证证书的完整性,客户必须知道整个链。 Usually only the CAs at the very top are distributed in browsers and operating systems (CA 0) so you need to publish the certificates "in between"—the intermediaries (CA 1). 通常,只有最顶层的CA才分布在浏览器和操作系统中(CA 0),因此您需要在中间“中介”(CA 1)中发布证书。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.