How do you convert PKCS#12 String to Certificate and PrivateKey?

I am receiving the following String from a certificate stored in Azure Key Vault. I am using the Secret API in order to retrieve both the certificate and the private key related to this cert.

Initially the certificate was uploaded using a .pfx file to Azure Key Vault. Now I need to create a Certificate and a PrivateKey to allow client authentication to a 3rd party system and I am using the given String retrieved from the API, however I am not sure how to get around that in Java.

I took some hints from this link in C#, however I am pretty certain that this method doesn't work like that in Java. In particular an X509Certificate or a Certificate in general doesn't hold any information about the PrivateKey in Java, unlike C#, and I am not sure how to extract that information from the given String in Java.

This works as expected to retrieve the certificate from the String retrieved from the API:

import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Base64;

String secret = azureSecret.getValue();
byte[] certkey = Base64.getDecoder().decode(secret);
ByteArrayInputStream inputStream = new ByteArrayInputStream(certkey);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate cert = cf.generateCertificate(inputStream);

The azureSecret.getValue() format is like the following, however I am not sure how to get the PrivateKey out of the given String:

MIIKvgIBaaZd6Euf3EYwYdHrIIKYzCC...

YES, Java X509Certificate and Certificate is only the certificate. Instead use KeyStore, which can contain multiple entries each of which is either a 'trusted' certificate (for someone else), or a private key plus certificate plus other chain cert(s) (if applicable) for yourself, or (not relevant here) a 'secret' (symmetric) key. PKCS12 is supported as one type of KeyStore along with others not relevant here, so after the base64 decoding you already have, do something like:

import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;

// inputstreamfromvaultvalue: a ByteArrayInputStream over the base64-decoded secret bytes
// password: the PKCS#12 password as a char[] (the same value is used for the key below)
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(inputstreamfromvaultvalue, password);
// then (alias: the entry name, e.g. the first value returned by ks.aliases())
PrivateKey pkey = (PrivateKey) ks.getKey(alias, password);
// and
Certificate cert = ks.getCertificate(alias); // if you only need the leaf cert
// or
Certificate[] chain = ks.getCertificateChain(alias); // usually

But if you want to do client authentication in TLS/SSL (including HTTPS), you give the JSSE KeyManager the whole keystore object, not the individual pieces (private key and certificates). Similarly, to verify the peer in TLS/SSL, you give TrustManager a keystore containing trusted certificates, usually root CAs, and often defaulted to a built-in set of public root CAs.
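The whole flow the answer describes, as an added example that is not part of the original question or answer: decode the Key Vault secret, load it as a PKCS#12 KeyStore, locate the entry that carries the private key, and hand the entire keystore to a KeyManagerFactory so the resulting SSLContext presents the certificate when a server requests client authentication. The environment variable name KEYVAULT_SECRET_BASE64 and the class and method names are assumptions; the empty password is also an assumption (Key Vault exports PKCS#12 secrets without a password), so adjust it if your vault or a re-exported .pfx sets one.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class VaultPkcs12Client {

    /** Decode the base64 secret value and load it as a PKCS#12 KeyStore. */
    static KeyStore loadPkcs12(String base64Secret, char[] password) throws Exception {
        // Mime decoder tolerates line breaks that some tooling inserts into long base64 values.
        byte[] der = Base64.getMimeDecoder().decode(base64Secret);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (ByteArrayInputStream in = new ByteArrayInputStream(der)) {
            ks.load(in, password); // a wrong password fails here with an IOException
        }
        return ks;
    }

    /** Return the single alias that holds a private key; refuse ambiguous or empty stores. */
    static String findKeyAlias(KeyStore ks) throws Exception {
        String found = null;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                if (found != null) {
                    throw new IllegalStateException("more than one key entry: " + found + ", " + alias);
                }
                found = alias;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no private key entry in the PKCS#12 data");
        }
        return found;
    }

    /** Build an SSLContext that presents the vault identity and trusts the JVM's default CA set. */
    static SSLContext clientContext(KeyStore identity, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, password); // the whole keystore, not the separate key and certs
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK's built-in cacerts trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical: the value azureSecret.getValue() would return, supplied via an env var.
        String secret = System.getenv("KEYVAULT_SECRET_BASE64");
        if (secret == null || secret.isBlank()) {
            throw new IllegalArgumentException("set KEYVAULT_SECRET_BASE64 to the base64 PKCS#12 value");
        }
        // Assumption: Key Vault exports PKCS#12 secrets with an empty password.
        char[] password = new char[0];

        KeyStore ks = loadPkcs12(secret, password);
        String alias = findKeyAlias(ks);
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        leaf.checkValidity(); // fail early on an expired or not-yet-valid client certificate

        System.out.println("alias=" + alias
                + " keyAlgorithm=" + key.getAlgorithm()
                + " subject=" + leaf.getSubjectX500Principal()
                + " chainLength=" + chain.length);

        SSLContext ctx = clientContext(ks, password);
        // Use ctx.getSocketFactory() or HttpClient.newBuilder().sslContext(ctx) for the
        // connection to the third-party system; the handshake presents the certificate when asked.
    }
}
```

The usage note: keep the password as a char[] and zero it once the KeyManagerFactory has been initialised, and prefer a private key whose chain length is greater than one when the third party validates the client chain against an intermediate CA, since getCertificate(alias) alone would drop the intermediates.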
