How to add SSL certificates to cacerts and keystore?
I created a CSR file using
openssl req -nodes -newkey rsa:2048 -keyout yourdomain.key -out yourdomain.csr -sha256
It created a CSR file and a key file. I submitted the CSR file to a CA. They responded with a single file, yourdomain.crt.
I've tried to import the yourdomain.crt into my Java cacerts with:
keytool -import -keystore /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts -file ~/Desktop/user/yourdomain.crt -alias yourdomain
And now I am confused about how to generate a keystore (jks file). Do I use the same yourdomain.crt? And what is the command that I should use?
My Spring Boot program consists of
File trustStoreFile = new File(CACERTS_PATH);
File keyStoreFile = new File(JKS_PATH);
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(keyStoreFile), KEY_PASS.toCharArray());
return SSLContextBuilder.create()
.useProtocol("TLS")
.loadKeyMaterial(ks, KEY_PASS.toCharArray())
.loadTrustMaterial(trustStoreFile, TRUST_PASS.toCharArray())
.build();
So I need a cacerts path, which I believe is the cacerts from my JDK, and the password is the one which I typed when prompted for it.
Now how do I generate a keystore file for it?
And do I need to add the server.ssl properties for Spring Boot?
First, you have to convert yourdomain.crt to .p12 format. To do so, write the following command in the openssl terminal:
pkcs12 -export -in yourdomain.crt -inkey yourdomain.key -chain -CAfile rootCA.pem -name "localhost" -out my.p12
where rootCA.pem = you have to create it; for that, write the following commands on openssl:
step 1: genrsa -des3 -out rootCA.key 2048 and hit enter
you will get the rootCA.key file.
step 2: req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
yourdomain.key = you have to create it by entering the following command on openssl:
req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf
where the server.csr.cnf file contains this, and inside it you can write:
authorityKeyIdentifier = keyid, issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = 192.168.1.XX
IP.3 = 192.XXX.XX.XXX
IP.4 = 192.XX.XX.XX
and so on.
The server.csr and server.key files are created.
After following all the steps, you will get a .p12 format file. Now you have to convert the .p12 file to the keystore.jks file format. To do so, write the following command on cmd (opened in administrator mode):
keytool -importkeystore -deststorepass MY-KEYSTORE-PASS -destkeystore my-keystore.jks -srckeystore my.p12 -srcstoretype PKCS12
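The two-step conversion above (key + certificate into a PKCS#12 bundle, then into a JKS keystore), as an added example that is not part of the original question or answer. It assumes openssl and keytool are on PATH, uses a constructed self-signed certificate as a stand-in for the CA-issued yourdomain.crt, and the optional chain file is the intermediate/root bundle the CA ships with the certificate, not a self-generated rootCA.pem. It also verifies the result: loadKeyMaterial needs a PrivateKeyEntry, which a plain keytool -import of the .crt into cacerts never produces.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a JKS keystore holding the
# private key + certificate and checks that keytool sees a PrivateKeyEntry.
set -eu

# make_keystore KEY CERT ALIAS PASSWORD OUT_JKS [CHAIN_PEM]
# Bundles the private key and its certificate (plus the CA's chain file, if any)
# into PKCS#12, then imports that bundle into a JKS keystore.
make_keystore() {
  key=$1 cert=$2 alias=$3 pass=$4 out=$5 chain=${6:-}
  p12="${out%.jks}.p12"
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$alias" \
      -certfile "$chain" -out "$p12" -passout "pass:$pass"
  else
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$alias" \
      -out "$p12" -passout "pass:$pass"
  fi
  # keytool copies the PKCS#12 entry (key + cert chain) into a JKS store
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$out" -deststoretype JKS -deststorepass "$pass" \
    -destkeypass "$pass" >/dev/null 2>&1
}

# entry_type JKS ALIAS PASSWORD: prints the entry type keytool reports for ALIAS
entry_type() {
  keytool -list -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
    | grep -o 'PrivateKeyEntry\|trustedCertEntry' | head -n1
}

# Demo: a constructed self-signed cert stands in for the CA-issued yourdomain.crt
demo() {
  dir=$(mktemp -d)
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1 \
    -subj "/CN=yourdomain.example" -keyout "$dir/yourdomain.key" \
    -out "$dir/yourdomain.crt" 2>/dev/null
  make_keystore "$dir/yourdomain.key" "$dir/yourdomain.crt" \
    yourdomain changeit "$dir/keystore.jks"
  entry_type "$dir/keystore.jks" yourdomain changeit   # prints PrivateKeyEntry
}
```

If an older JDK 8 keytool rejects a PKCS#12 produced by OpenSSL 3, regenerate the bundle with -legacy added to the pkcs12 -export command. The resulting JKS is what KeyStore.getInstance("JKS") loads in the Spring Boot snippet, with its password as KEY_PASS.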