Java keytool 从 url/port 添加服务器证书的简单方法
[英]Java keytool easy way to add server cert from url/port
问题描述
I have a server with a self signed certificate, but also requires client side cert authentication.
我有一个带有自签名证书的服务器,但也需要客户端证书身份验证。 I am having a rough time trying to get the raw CA server cert so I can import it into a keystore.我在尝试获取原始 CA 服务器证书时遇到了困难,因此我可以将其导入密钥库。 Anyone have some suggestions on how to easily do that?有人对如何轻松做到这一点有一些建议吗? Thanks.谢谢。
5 个解决方案
解决方案1
96 2014-04-18 20:56:45
Was looking at how to trust a certificate while using jenkins cli, and found https://issues.jenkins-ci.org/browse/JENKINS-12629 which has some recipe for that.正在研究如何在使用 jenkins cli 时信任证书,并找到了https://issues.jenkins-ci.org/browse/JENKINS-12629 ,其中有一些秘诀。
This will give you the certificate:这将为您提供证书:
openssl s_client -connect ${HOST}:${PORT} </dev/null
if you are interested only in the certificate part, cut it out by piping it to:如果您只对证书部分感兴趣,请通过管道将其剪切到:
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
and redirect to a file:并重定向到一个文件:
> ${HOST}.cert
Then import it using keytool:然后使用 keytool 导入它:
keytool -import -noprompt -trustcacerts -alias ${HOST} -file ${HOST}.cert \
-keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}
In one go:一口气:
HOST=myhost.example.com
PORT=443
KEYSTOREFILE=dest_keystore
KEYSTOREPASS=changeme
# get the SSL certificate
openssl s_client -connect ${HOST}:${PORT} </dev/null \
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert
# create a keystore and import certificate
keytool -import -noprompt -trustcacerts \
-alias ${HOST} -file ${HOST}.cert \
-keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}
# verify we've got it.
keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST}
解决方案2
23 2010-09-10 15:41:01
There were a few ways I found to do this:我发现有几种方法可以做到这一点:
- Firefox: Add Exception -> Get Certificat -> View -> Details -> Export... Firefox:添加例外 -> 获取证书 -> 查看 -> 详细信息 -> 导出...
- KeyMan ( http://www.alphaworks.ibm.com/tech/keyman ) You can get SSL cert directly from the File -> Import menu KeyMan ( http://www.alphaworks.ibm.com/tech/keyman ) 您可以直接从 File -> Import 菜单获取 SSL 证书
- InstallCert ( Code by Andreas Sterbenz ) InstallCert( 安德烈亚斯·斯特本兹的代码)
java InstallCert [host]:[port]
keytool -exportcert -keystore jssecacerts -storepass changeit -file output.cert
keytool -importcert -keystore [DESTINATION_KEYSTORE] -file output.cert
解决方案3
23 2018-12-04 17:34:08
I use openssl, but if you prefer not to, or are on a system (particularly Windows) that doesn't have it, since java 7 in 2011 keytool can do the whole job :我使用 openssl,但如果您不喜欢,或者在没有它的系统(特别是 Windows)上,因为 2011 年的 java 7 keytool可以完成整个工作:
keytool -printcert -sslserver host[:port] -rfc >tempfile
keytool -import [-noprompt] -alias nm -keystore file [-storepass pw] [-storetype ty] <tempfile
# or with noprompt and storepass (so nothing on stdin besides the cert) piping works:
keytool -printcert -sslserver host[:port] -rfc | keytool -import -noprompt -alias nm -keystore file -storepass pw [-storetype ty]
Conversely, for java 9 up always, and for earlier versions in many cases, Java can use a PKCS12 file for a keystore instead of the traditional JKS file, and OpenSSL can create a PKCS12 without any assistance from keytool:相反,对于 Java 9 up 和在许多情况下的早期版本,Java 可以使用 PKCS12 文件作为密钥库而不是传统的 JKS 文件, OpenSSL 可以在没有 keytool 的任何帮助的情况下创建 PKCS12 :
openssl s_client -connect host:port </dev/null | openssl pkcs12 -export -nokeys [-name nm] [-passout option] -out p12file
# <NUL on Windows
# default is to prompt for password, but -passout supports several options
# including actual value, envvar, or file; see the openssl(1ssl) man page
解决方案4
4 2010-09-10 14:50:19
解决方案5
4 2018-12-04 16:47:04
Just expose dnozay 's answer to a function so that we can import multiple certificates at the same time.只需将dnozay的答案公开给一个函数,以便我们可以同时导入多个证书。
Save it to a .sh file then run it.将其保存为 .sh 文件,然后运行它。
#!/usr/bin/env sh
KEYSTORE_FILE=/path/to/keystore.jks
KEYSTORE_PASS=changeit
import_cert() {
local HOST=$1
local PORT=$2
if [[ -z $PORT ]]; then
PORT=443
fi
# get the SSL certificate
openssl s_client -connect ${HOST}:${PORT} </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert
# delete the old alias and then import the new one
keytool -delete -keystore ${KEYSTORE_FILE} -storepass ${KEYSTORE_PASS} -alias ${HOST} &> /dev/null
# create a keystore (or update) and import certificate
keytool -import -noprompt -trustcacerts \
-alias ${HOST} -file ${HOST}.cert \
-keystore ${KEYSTORE_FILE} -storepass ${KEYSTORE_PASS}
# remove temp file
rm ${HOST}.cert
}
# Change your sites here
import_cert stackoverflow.com 443
import_cert www.google.com # default port 443
import_cert 172.217.194.104 443 # google
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.