java keytool can export CSR but no import

I read

http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html

It says that we can export a CSR file, but no import feature.

I understand that when we create a CSR file, we pass it to the CA, the CA generates the certs to match our CSR and then we import it back again.

Because the CSR is from the keystore, the certs will match the keystore. No problems with imports.

However, what about this.

  1. create a keystore
  2. create a CSR based on the keystore
  3. send CSR to CA
  4. got certs from CA
  5. somehow lost the key store
  6. generate a new key store
  7. import the certs
  8. fail to import because this keystore has a different CSR
  9. try to figure out how to create a keystore based on the old CSR file that matches the certs from the CA
  10. stumped

I have been in the same situation.

If you have lost your key store, this means you have also lost the private key. Of course this private key is not in the CSR in plain text (It is sent to the CA after all!). There is no way of restoring it when the only thing you have is the CSR.

The CSR is generated for one specific private key. In case of a loss the only thing you can do is create a new CSR (with the new key store and new private key - don't lose it this time...) and pay another 200 or so bucks for a CA to sign it. :/

Yeah, my boss was not happy with me. :) You should really make a backup of the key store in some safe place.
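The situation in the question and answer above, replayed as an added example that is not part of the original posts: a CSR and the certificate issued from it carry only the public key, so the certificate fits exactly one key pair. It uses openssl instead of keytool, a throwaway CA, and the hypothetical helper names `pubkey_digest`, `same_key` and `demo`; every key is generated at run time.

```shell
#!/usr/bin/env bash
# Added example: all keys, the CSR and the CA below are constructed at run time.

# Print the SHA-256 of the public key (DER SubjectPublicKeyInfo) found in a
# PEM file. $1 is the file type: csr, cert or key.
pubkey_digest() {
  case "$1" in
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
    key)  pem=$(openssl pkey -in "$2" -pubout) ;;
    *)    return 2 ;;
  esac || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when both files carry the same public key.
same_key() {
  a=$(pubkey_digest "$1" "$2") && b=$(pubkey_digest "$3" "$4") && [ "$a" = "$b" ]
}

# Replays the question's steps with a throwaway CA (constructed for this demo).
demo() {
  d=$(mktemp -d) || return 1
  {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
      -keyout "$d/ca.key" -out "$d/ca.crt" &&
    # Steps 1-2: original key pair and the CSR derived from it.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
      -keyout "$d/old.key" -out "$d/old.csr" &&
    # Steps 3-4: the CA issues a certificate for the CSR's public key.
    openssl x509 -req -in "$d/old.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -out "$d/issued.crt" &&
    # Steps 5-6: the old key is gone; a fresh key pair replaces it.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$d/new.key"
  } >/dev/null 2>&1 || return 1
  # Steps 7-8: the issued certificate still matches the CSR, not the new key.
  same_key csr "$d/old.csr" cert "$d/issued.crt" && r1=match || r1=mismatch
  same_key key "$d/new.key" cert "$d/issued.crt" && r2=match || r2=mismatch
  rm -rf "$d"
  echo "old_csr=$r1 new_key=$r2"
}

demo
```

To run the same check against a real keystore before importing a CA reply, export the entry's current certificate with `keytool -exportcert -rfc` and compare it to the reply with `same_key cert exported.pem cert reply.pem`.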
