[英]Updating/generating new .p12/.jks from .der
Current situation: 现在的情况:
We do a POST to a certain url using HTTPS/SSL. 我们使用HTTPS / SSL对某个URL进行POST。 For this to work my (former) colleague posted this question: Java HTTPS client certificate authentication
为此,我的(前)同事发布了这个问题: Java HTTPS客户端证书身份验证
So basicly we have a keystore in .p12
format and the truststore is a .jks
file. 基本上我们有
.p12
格式的密钥库,truststore是.jks
文件。
We have no control over the server that receives our POST request. 我们无法控制接收POST请求的服务器。
Issue: 问题:
The server admins have provided us with some new .der
files because their old certificate was about to expire. 服务器管理员为我们提供了一些新的
.der
文件,因为他们的旧证书即将过期。
As I'm fairly new to SSL certificates and keytool
- and openssl
-commands I have no idea how to proceed from here. 由于我对SSL证书和
keytool
以及openssl
命令相当新,我不知道如何从这里开始。
1) Is it necessary to generate new .p12
and .jks
files? 1)是否有必要生成新的
.p12
和.jks
文件? Or do I only need to generate a new .jks
file? 或者我只需要生成一个新的
.jks
文件?
2) How do I generate these files from a .der
certificate? 2)如何从
.der
证书生成这些文件? I have found some websites with the most keytool/openssl
commands but I haven't been able to successfully generate what I need. 我发现一些网站的
keytool/openssl
命令最多,但我无法成功生成我需要的东西。
The last command I tried (to no avail) was: 我试过的最后一个命令(无济于事)是:
keytool -storepass dsmserver -keystore c:\temp\newkeystore.jks -importcert -alias "c:\temp\newcert.der" -trustcacerts
Wait, which certificate expired? 等等,哪个证书过期了? If it was theirs, there shouldn't have been any need to send you a new file (after all, you don't have to update your browser when, say, stackoverflow.com's SSL certificate expires and they install a new one).
如果是他们的,那么就不应该向你发送一个新文件了(毕竟,当stackoverflow.com的SSL证书过期并且他们安装了新证书时,你不必更新你的浏览器)。 If you're doing mutual authentication (client certificate authentication), then there are four certificates involved: your certificate, their certificate, the certificate of the authority that signed your certificate, and the certificate of the authority that signed their certificate.
如果您正在进行相互身份验证(客户端证书身份验证),则涉及四个证书:证书,证书,签署证书的颁发机构的证书以及签署其证书的颁发机构的证书。 They send you their certificate and you check to see that it was properly signed by a certificate authority that you trust (that's what the truststore is for - it's a list of the certificate authorities that you trust to sign certificates from their side).
他们向您发送他们的证书,并且您检查它是否由您信任的证书颁发机构正确签名(这就是信任库所针对的 - 它是您信任的证书颁发机构列表,可以从他们的身边签署证书)。 Subsequently, you send your certificate and they check to see that it was properly signed by a certificate authority that they trust.
随后,您发送证书并检查它是否由他们信任的证书颁发机构正确签名。 (Of course, all of this is automatically done for you behind the scenes in JSSE by the SSL handshake procedure)
(当然,所有这些都是通过SSL握手程序在JSSE幕后自动完成的)
Remember, a certificate is a (signed) assertion that such-and-such name is identified by a particular public key. 请记住,证书是(签名)断言,这样的名称由特定公钥标识。 So if their certificate expired, they'll generate a new one, get it signed by a CA that you already trust, and replace the old one with this one.
因此,如果他们的证书已过期,他们将生成一个新证书,由您已经信任的CA签署,并用此证书替换旧证书。 When your software (automatically, as part of the behind-the-scenes SSL handshake) gets the new one, it will check to see who the signer ("issuer") was and if it's in your list of trusted authorities (and properly signed).
当您的软件(自动作为幕后SSL握手的一部分)获得新软件时,它将检查签名者(“发行人”)是谁以及它是否在您的受信任机构列表中(并且已正确签名) )。 If this checks out, you'll accept it automatically.
如果退房,您将自动接受。 They don't need to send you anything out-of-band to make this happen, unless they're changing certificate authorities and you don't already trust the new one.
除非他们正在更改证书颁发机构并且您不相信新的证书颁发机构,否则他们不需要向您发送任何带外事件。 If so, you can use
如果是这样,你可以使用
keytool -import -keystore <truststore> -file <certificate file> -alias <someca>
If, on the other hand, your certificate is the one that expired, then they shouldn't be sending you anything unrequested. 另一方面,如果您的证书是过期的证书,那么他们不应该向您发送任何未经请求的证书。 Instead, you should be generating a CSR via:
相反,您应该通过以下方式生成CSR:
keytool -genkey -alias <myalias> -keystore <keystore>.p12 -storetype pkcs12
keytool -certreq -alias <myalias> -file request.csr -keystore <keystore>.p12 -storetype pkcs12
This will update the keystore with a new private key and create a file named "request.csr" which you should then send to them (or to a CA that's in their truststore) for a signature. 这将使用新的私钥更新密钥库,并创建一个名为“request.csr”的文件,然后您应该将其发送给它们 (或发送到其信任库中的CA)以进行签名。 They will respond with a signed certificate which you will then import back into your keystore using:
他们将使用签名证书进行回复,然后您将使用以下命令将其导入密钥库:
keytool -import -alias <myalias> -file <signed certificate>.cer
If I had to guess, it looks like they tried to perform these three steps for you, and tried to send you the certificate and the corresponding private key, which is invalid - Java will (rightly!) try its best to stop you from importing that because the private key itself was tainted when they sent it over an untrusted channel (e-mail, I presume?) This defeats the purpose of PKI - nobody should ever have access to your private key except for you. 如果我不得不猜测,看起来他们试图为你执行这三个步骤,并试图向你发送证书和相应的私钥,这是无效的 - Java将(正确!)尽力阻止你导入因为当私钥通过不受信任的渠道发送时,它本身就被污染了(电子邮件,我认为?)这违背了PKI的目的 - 除了你之外,没有人能够访问你的私钥。
Download the file from the below link: ImportKey.Java 从以下链接下载文件: ImportKey.Java
Run the following commands: 运行以下命令:
javac ImportKey.java
java ImportKey key.der cert.der
- arg1 is your key and arg2 iscertificate.
Commands will put your keys to Java Key Store. 命令会将您的密钥放到Java密钥库中。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.