
Java Keytool CSR error even when keystore exists

I would like to securely exchange data between my own servers and these will not leave the internal domain. For this, I would like to:

  1. Generate keys for the keystore.

  2. Generate a CSR using Keytool, specifying the key above.

  3. Import the response into my default cacerts file so that I can refer to that as my truststore.

So:

  1. First I generated a keypair using the following (default encryption algorithm):

keytool -genkeypair -alias mykeys -keystore mykeystore.jks -keypass changeit -storepass changeit -keysize 1024 -noprompt

  2. Then, I create a CSR using the following command:

keytool -certreq -alias myinternalcert -keystore mykeystore.jks -storepass changeit -file myinternalcert.csr

It throws the following error:

keytool error: java.lang.Exception: Alias <myinternalcert> does not exist

I tried to seek examples in Oracle's blog and it looks like this is the way to correctly generate a CSR - but for my case it's all errors :)

The only thing I understand about SSL so far is:

  1. Keystore - I want to authenticate myself to another server/client and my private key is in my keystore. I will also use this to sign my certificates.

  2. Trust store - this is to determine whether the information I am receiving is from a legit source, i.e. do I trust them. I store certificates here.

  1. You need to use the same alias when creating the CSR and importing the signed certificate that you used when generating the keypair.
  2. You should import the signed-certificate response into your keystore. Not your truststore. You don't trust the signed certificate, you own it, and it therefore belongs in your keystore. Your truststore is for other certificates that you trust.

Okay - my own fault.

Actually the alias is the same alias created for the keystore. Thanks to this post on Digital Ocean.

The keytool -certreq -help doesn't really print out clear information:

Options:

 -alias <alias>                  alias name of the entry to process (should have been "Alias of the keystore entry being used")
 -sigalg <sigalg>                signature algorithm name
 -file <filename>                output file name
 -keypass <arg>                  key password
 -keystore <keystore>            keystore name
 -dname <dname>                  distinguished name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output
 -protected                      password through protected mechanism
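Putting the two answers together, here is an added shell example (not from the original question or any answer) of the flow with one alias reused for -genkeypair, -certreq and the later import of the CA reply, plus a -list check that would have caught the "Alias does not exist" error before running -certreq. It assumes keytool from a JDK is on PATH; the alias, file names, RSA key size and distinguished name are made-up values.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes keytool is on PATH.
set -e

ALIAS=mykeys                 # alias given to -genkeypair; reused by every later step
KEYSTORE=mykeystore.jks
STOREPASS=changeit           # made-up password, same for store and key

# Generate the key pair under $ALIAS. -dname supplies the subject so keytool
# does not prompt interactively; the DN is a constructed example.
gen_keypair() {
    keytool -genkeypair -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -keyalg RSA -keysize 2048 \
        -dname "CN=app.internal.example, OU=Ops, O=Example, C=US"
}

# Return 0 only if the alias is present in the keystore. Running this before
# -certreq turns "Alias <x> does not exist" into an explicit, early check.
alias_exists() {
    keytool -list -alias "$1" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        >/dev/null 2>&1
}

# Create the CSR for the SAME alias, and confirm the file is a PEM request.
make_csr() {
    alias_exists "$ALIAS" || { echo "alias $ALIAS not in $KEYSTORE" >&2; return 1; }
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -file "$ALIAS.csr"
    head -1 "$ALIAS.csr" | grep -q 'BEGIN NEW CERTIFICATE REQUEST'
}

# When the signed certificate comes back from the CA, import it into the
# KEYSTORE under the SAME alias so it replaces the self-signed certificate of
# the key pair. The CA's own certificate belongs in the truststore (e.g. cacerts).
import_reply() {
    keytool -importcert -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -file "$1" -noprompt
}
```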
