从.der更新/生成新的.p12 / .jks
[英]Updating/generating new .p12/.jks from .der
问题描述
Current situation: 
现在的情况:
We do a POST to a certain url using HTTPS/SSL. 我们使用HTTPS / SSL对某个URL进行POST。 For this to work my (former) colleague posted this question: Java HTTPS client certificate authentication 为此,我的(前)同事发布了这个问题: Java HTTPS客户端证书身份验证
So basicly we have a keystore in .p12 format and the truststore is a .jks file. 基本上我们有.p12格式的密钥库,truststore是.jks文件。
We have no control over the server that receives our POST request. 我们无法控制接收POST请求的服务器。
Issue: 问题:
The server admins have provided us with some new .der files because their old certificate was about to expire. 服务器管理员为我们提供了一些新的.der文件,因为他们的旧证书即将过期。
As I'm fairly new to SSL certificates and keytool - and openssl -commands I have no idea how to proceed from here. 由于我对SSL证书和keytool以及openssl命令相当新,我不知道如何从这里开始。
1) Is it necessary to generate new .p12 and .jks files? 1)是否有必要生成新的.p12和.jks文件? Or do I only need to generate a new .jks file? 或者我只需要生成一个新的.jks文件?
2) How do I generate these files from a .der certificate? 2)如何从.der证书生成这些文件? I have found some websites with the most keytool/openssl commands but I haven't been able to successfully generate what I need. 我发现一些网站的keytool/openssl命令最多,但我无法成功生成我需要的东西。
The last command I tried (to no avail) was: 我试过的最后一个命令(无济于事)是:
keytool -storepass dsmserver -keystore c:\temp\newkeystore.jks -importcert -alias "c:\temp\newcert.der" -trustcacerts
2 个解决方案
解决方案1
2 已采纳 2012-04-12 18:47:26
Wait, which certificate expired? 等等,哪个证书过期了? If it was theirs, there shouldn't have been any need to send you a new file (after all, you don't have to update your browser when, say, stackoverflow.com's SSL certificate expires and they install a new one). 如果是他们的,那么就不应该向你发送一个新文件了(毕竟,当stackoverflow.com的SSL证书过期并且他们安装了新证书时,你不必更新你的浏览器)。 If you're doing mutual authentication (client certificate authentication), then there are four certificates involved: your certificate, their certificate, the certificate of the authority that signed your certificate, and the certificate of the authority that signed their certificate. 如果您正在进行相互身份验证(客户端证书身份验证),则涉及四个证书:证书,证书,签署证书的颁发机构的证书以及签署其证书的颁发机构的证书。 They send you their certificate and you check to see that it was properly signed by a certificate authority that you trust (that's what the truststore is for - it's a list of the certificate authorities that you trust to sign certificates from their side). 他们向您发送他们的证书,并且您检查它是否由您信任的证书颁发机构正确签名(这就是信任库所针对的 - 它是您信任的证书颁发机构列表,可以从他们的身边签署证书)。 Subsequently, you send your certificate and they check to see that it was properly signed by a certificate authority that they trust. 随后,您发送证书并检查它是否由他们信任的证书颁发机构正确签名。 (Of course, all of this is automatically done for you behind the scenes in JSSE by the SSL handshake procedure) (当然,所有这些都是通过SSL握手程序在JSSE幕后自动完成的)
Remember, a certificate is a (signed) assertion that such-and-such name is identified by a particular public key. 请记住,证书是(签名)断言,这样的名称由特定公钥标识。 So if their certificate expired, they'll generate a new one, get it signed by a CA that you already trust, and replace the old one with this one. 因此,如果他们的证书已过期,他们将生成一个新证书,由您已经信任的CA签署,并用此证书替换旧证书。 When your software (automatically, as part of the behind-the-scenes SSL handshake) gets the new one, it will check to see who the signer ("issuer") was and if it's in your list of trusted authorities (and properly signed). 当您的软件(自动作为幕后SSL握手的一部分)获得新软件时,它将检查签名者(“发行人”)是谁以及它是否在您的受信任机构列表中(并且已正确签名) )。 If this checks out, you'll accept it automatically. 如果退房,您将自动接受。 They don't need to send you anything out-of-band to make this happen, unless they're changing certificate authorities and you don't already trust the new one. 除非他们正在更改证书颁发机构并且您不相信新的证书颁发机构,否则他们不需要向您发送任何带外事件。 If so, you can use 如果是这样,你可以使用
keytool -import -keystore <truststore> -file <certificate file> -alias <someca>
If, on the other hand, your certificate is the one that expired, then they shouldn't be sending you anything unrequested. 另一方面,如果您的证书是过期的证书,那么他们不应该向您发送任何未经请求的证书。 Instead, you should be generating a CSR via: 相反,您应该通过以下方式生成CSR:
keytool -genkey -alias <myalias> -keystore <keystore>.p12 -storetype pkcs12
keytool -certreq -alias <myalias> -file request.csr -keystore <keystore>.p12 -storetype pkcs12
This will update the keystore with a new private key and create a file named "request.csr" which you should then send to them (or to a CA that's in their truststore) for a signature. 这将使用新的私钥更新密钥库,并创建一个名为“request.csr”的文件,然后您应该将其发送给它们 (或发送到其信任库中的CA)以进行签名。 They will respond with a signed certificate which you will then import back into your keystore using: 他们将使用签名证书进行回复,然后您将使用以下命令将其导入密钥库:
keytool -import -alias <myalias> -file <signed certificate>.cer
If I had to guess, it looks like they tried to perform these three steps for you, and tried to send you the certificate and the corresponding private key, which is invalid - Java will (rightly!) try its best to stop you from importing that because the private key itself was tainted when they sent it over an untrusted channel (e-mail, I presume?) This defeats the purpose of PKI - nobody should ever have access to your private key except for you. 如果我不得不猜测,看起来他们试图为你执行这三个步骤,并试图向你发送证书和相应的私钥,这是无效的 - Java将(正确!)尽力阻止你导入因为当私钥通过不受信任的渠道发送时,它本身就被污染了(电子邮件,我认为?)这违背了PKI的目的 - 除了你之外,没有人能够访问你的私钥。
解决方案2
1 2012-04-12 09:51:11
Download the file from the below link: ImportKey.Java 从以下链接下载文件: ImportKey.Java
Run the following commands: 运行以下命令:
javac ImportKey.java
java ImportKey key.der cert.der
- arg1 is your key and arg2 iscertificate.
Commands will put your keys to Java Key Store. 命令会将您的密钥放到Java密钥库中。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.