
Converting pem with multiple certificates to java keystore

I have been given a pem file which has two certificates in it.

The first certificate is specific to my company (i.e. the subject is specific to my company).

The second certificate is the certificate for the issuer.

It looks something like this...

Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: CCAPI Client Certificate
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
<<contents>>
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: CCAPI Client Certificate
    subject=MyCompany CN/OU/O/L/ST/C
    issuer=Issuer CN/OU/O/L/ST/C
-----BEGIN CERTIFICATE-----
<<contents>>
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 02 00 00 00
    subject=Issuer CN/OU/O/L/ST/C
    issuer=Issuer CN/OU/O/L/ST/C
-----BEGIN CERTIFICATE-----
<<contents>>
-----END CERTIFICATE-----

Firstly I'd like to confirm a couple of things.

Terminology-wise, is it correct to say I have a pem file with two certificates? How do I describe the PRIVATE KEY part? Is that the public key of the server I am trying to connect to?

And secondly, I need to use the keytool command to create a java keystore file (jks) with both the certificate and the issuer certificate in it.

Can someone help me with the commands to do that? I've spent a lot of time googling, but there seem to be a lot of varying use cases out there, which is confusing me.

Thanks in advance

You haven't mentioned why you were given this file, but judging from the content I assume it's for accessing a web site/service via HTTPS client authentication. The private key (and certificate) is for authenticating against the server. The issuer certificate might be needed for completing a chain to a trusted root certificate on the server (or it might not be needed at all).

This file is not encoded in a very common format; it's basically what happens when OpenSSL writes a PKCS#12 file as PEM. The following OpenSSL command would produce a file like this:

openssl pkcs12 -in keyStore.p12 -out keyStore.pem -nodes

This preserves the metadata from the PKCS#12 format like the IDs and friendlyNames, so you can see that the private key and first certificate belong together. But it's a bit strange, because...

  1. The private key is not encrypted (anymore).
  2. This format is only useful for further processing in software that uses the OpenSSL library, but not in the Java or Microsoft (IIS, .NET) world. A binary PKCS#12 file would have been usable in all environments.

You can convert it back to binary PKCS#12 with the following OpenSSL command:

openssl pkcs12 -export -in keyStore.pem -out keyStore.p12

From this point on you have a standard PKCS#12 file that you can use directly in Java software or that you can convert with keytool to JKS/JCEKS.
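To make the layout described in this answer concrete, here is an added Python example (not code from either answer) that parses the OpenSSL "PKCS#12 as PEM" output shown in the question: it keeps the Bag Attributes that precede each block, pairs the private key with its certificate through the preserved localKeyID, reports whether the key block is still protected, and re-emits a block as a plain PEM file of the kind keytool and openssl accept. The sample input is constructed with three-byte placeholder bodies in place of real key and certificate material. The parser applies the RFC 7468 tolerances (text outside the boundaries is skipped, non-base64 characters inside the body are ignored, any newline convention is accepted).

```python
import base64
import re

# Constructed sample in the layout the question shows (what `openssl pkcs12 ... -nodes`
# writes). The base64 bodies are three-byte placeholders, not real key/certificate data.
SAMPLE_PEM = """Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: CCAPI Client Certificate
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
AAEC
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: CCAPI Client Certificate
    subject=MyCompany CN/OU/O/L/ST/C
    issuer=Issuer CN/OU/O/L/ST/C
-----BEGIN CERTIFICATE-----
AwQF
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 02 00 00 00
    subject=Issuer CN/OU/O/L/ST/C
    issuer=Issuer CN/OU/O/L/ST/C
-----BEGIN CERTIFICATE-----
BgcI
-----END CERTIFICATE-----
"""

BEGIN_RE = re.compile(r"^-----BEGIN ([^-]+)-----$")
END_RE = re.compile(r"^-----END ([^-]+)-----$")
NON_BASE64 = re.compile(r"[^A-Za-z0-9+/=]")


def parse_pem_bags(text):
    """Split OpenSSL-style PEM output into blocks.

    Each block is a dict: 'label', 'attributes' (indented Bag/Key Attributes
    lines before it), 'headers' (RFC 1421-style 'Key: value' lines inside it,
    e.g. Proc-Type) and 'der' (the decoded body).
    """
    blocks, attrs = [], {}
    label = body = headers = None
    for raw in text.splitlines():            # accepts LF, CRLF and CR line endings
        line = raw.rstrip()
        if body is None:                     # outside a block
            m = BEGIN_RE.match(line)
            if m:
                label, body, headers = m.group(1), [], {}
            elif line.startswith((" ", "\t")):   # attribute line, 'k: v' or 'k=v'
                key, sep, value = line.strip().partition(": ")
                if not sep:
                    key, sep, value = line.strip().partition("=")
                if sep:
                    attrs[key] = value.strip()
            continue                         # 'Bag Attributes' and stray text are skipped
        m = END_RE.match(line)
        if m:
            if m.group(1) != label:
                raise ValueError(f"END {m.group(1)!r} does not close BEGIN {label!r}")
            data = base64.b64decode(NON_BASE64.sub("", "".join(body)), validate=True)
            blocks.append({"label": label, "attributes": attrs, "headers": headers, "der": data})
            attrs, label, body, headers = {}, None, None, None
        elif ":" in line:                    # encapsulated header such as 'Proc-Type: 4,ENCRYPTED'
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        else:
            body.append(line)
    if body is not None:
        raise ValueError(f"unterminated {label!r} block")
    return blocks


def is_encrypted_private_key(block):
    """True if the key block is still protected; `-nodes` output (the answer's point 1) is not."""
    return (block["label"] == "ENCRYPTED PRIVATE KEY"
            or block["headers"].get("Proc-Type", "").endswith("ENCRYPTED"))


def pair_key_with_certificate(blocks):
    """Return (key, cert) joined by the PKCS#12 localKeyID attribute, or None.
    This relies only on the metadata OpenSSL preserved, not on a cryptographic check."""
    certs = [b for b in blocks if b["label"] == "CERTIFICATE"]
    for key in blocks:
        if not key["label"].endswith("PRIVATE KEY"):
            continue
        kid = key["attributes"].get("localKeyID")
        for cert in certs:
            if kid is not None and cert["attributes"].get("localKeyID") == kid:
                return key, cert
    return None


def to_clean_pem(block):
    """Re-emit one block without Bag Attributes, 64 characters per line: the form
    keytool -importcert, openssl rsa and openssl x509 expect as input."""
    b64 = base64.b64encode(block["der"]).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {block['label']}-----\n" + "\n".join(lines)
            + f"\n-----END {block['label']}-----\n")
```

Running `parse_pem_bags` over the sample yields three blocks; the key and the first certificate share localKeyID `01 00 00 00`, the issuer certificate has `02 00 00 00`, and `to_clean_pem` on any block gives the separate privkey.pem / certfile.pem files that the next answer works with.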

Strictly speaking, PEM is a container that can keep various types of text-encoded PKI data as well as information text.

Quote from the specification:

Textual encoding begins with a line comprising "-----BEGIN ", a label, and "-----", and ends with a line comprising "-----END ", a label, and "-----". Between these lines, or "encapsulation boundaries", are base64-encoded data according to Section 4 of [RFC4648]. (PEM [RFC1421] referred to this data as the "encapsulated text portion".) Data before the encapsulation boundaries are permitted, and parsers MUST NOT malfunction when processing such data. Furthermore, parsers SHOULD ignore whitespace and other non-base64 characters and MUST handle different newline conventions.

The private key in your PEM file is just a private key. There is no need for that key to be in any relation with any of the certificates in the file.

The only way to see whether it is the private key for the public key of a certificate is to compare the corresponding public keys. Generate a public key from the private key and compare it with the public key from the certificate.

  1. Get the public key from the private key

Extract the private key to a separate file (put the lines

-----BEGIN RSA PRIVATE KEY-----
<<contents>>
-----END RSA PRIVATE KEY-----

into a separate privkey.pem file)

In the command line:

openssl rsa -in privkey.pem -pubout > pubkey.pem

  2. Get the public key from the certificate

Put the certificate into a separate file certfile.pem (the lines

-----BEGIN CERTIFICATE-----
<<contents>>
-----END CERTIFICATE-----

)

Invoke openssl again:

openssl x509 -pubkey -noout -in certfile.pem > pubkey2.pem

-noout suppresses printing the certificate

Then check pubkey.pem and pubkey2.pem.

Java key store

There is an article on the Oracle site on how to import PEM certificates to JKS. Did you try it?
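The comparison this answer performs with `openssl rsa -pubout` and `openssl x509 -pubkey` can also be done without OpenSSL, by reading the RSA modulus out of both DER structures. The following is an added Python example, not code from the answer; it assumes the key is a traditional PKCS#1 "RSA PRIVATE KEY" block (as in the question) rather than a PKCS#8 "PRIVATE KEY", and that each PEM input contains a single clean block like the privkey.pem and certfile.pem files above. The key/certificate pair it tests on is constructed in the script: only the modulus is meaningful, while the private exponent, primes, names, validity and signature are placeholders, so it is not a valid key or certificate, just enough structure for the walker.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Return the [(tag, value), ...] elements inside a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out


def pem_to_der(text):
    """Decode a single clean PEM block (no Bag Attributes, no headers)."""
    body = [l for l in text.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))


def rsa_modulus_from_private_key(der):
    """PKCS#1 RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }"""
    tag, seq, _ = der_read(der)
    fields = der_children(seq)
    if tag != 0x30 or fields[0][0] != 0x02 or int.from_bytes(fields[0][1], "big") != 0:
        raise ValueError("not a PKCS#1 RSAPrivateKey ('RSA PRIVATE KEY' block)")
    return int.from_bytes(fields[1][1], "big")


def rsa_modulus_from_certificate(der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> BIT STRING -> RSAPublicKey.n"""
    _, cert, _ = der_read(der)
    fields = der_children(der_children(cert)[0][1])        # tbsCertificate fields
    if fields[0][0] == 0xA0:                               # optional EXPLICIT [0] version
        fields = fields[1:]
    spki = fields[5][1]    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    (_, alg), (bit_tag, bits) = der_children(spki)
    if bit_tag != 0x03 or RSA_OID not in alg:
        raise ValueError("certificate does not carry an RSA public key")
    _, rsapub, _ = der_read(bits[1:])                      # skip the unused-bits octet
    return int.from_bytes(der_children(rsapub)[0][1], "big")


def keys_match(key_pem, cert_pem):
    """The private key belongs to the certificate iff the RSA moduli are identical."""
    return (rsa_modulus_from_private_key(pem_to_der(key_pem))
            == rsa_modulus_from_certificate(pem_to_der(cert_pem)))


# --- constructed sample data: structurally minimal, NOT a real key or certificate ---
def der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_int(i):                          # adds the leading 0x00 when the high bit is set
    return der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

def to_pem(label, data):
    b64 = base64.b64encode(data).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

# 2048-bit placeholder modulus (high bit set, odd); nothing about it is cryptographically valid
SAMPLE_N = int.from_bytes(bytes(range(255, 0, -1)) + b"\x01", "big")

def build_sample_pair(n, e=65537):
    """Return (key_pem, cert_pem) sharing modulus n; every other field is a placeholder."""
    key = der(0x30, der_int(0) + der_int(n) + der_int(e) + b"".join(der_int(1) for _ in range(6)))
    spki = der(0x30, der(0x30, RSA_OID + b"\x05\x00")
               + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e))))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + der(0x30, RSA_OID + b"\x05\x00")
              + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + spki)
    cert = der(0x30, tbs + der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00"))
    return to_pem("RSA PRIVATE KEY", key), to_pem("CERTIFICATE", cert)
```

With real files, `keys_match(open("privkey.pem").read(), open("certfile.pem").read())` answers the same question as diffing pubkey.pem against pubkey2.pem: the leaf certificate should match, the issuer certificate should not. Matching moduli prove the key pair; they say nothing about the chain, which is what the keytool import in the other answer has to get right.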
