[英]Tomcat / JKS / Keytool - regenerate private key?
Is it possible to regenerate a private key in a .JKS keystore using keytool or equivalent? 是否可以使用keytool或等效工具在.JKS密钥库中重新生成私钥?
I've been supplied with a certificate and a JKS keystore, but on importing the cert it looks like the private key that was used to generate the CSR has been deleted. 我已经获得了证书和JKS密钥库,但在导入证书时,看起来已经删除了用于生成CSR的私钥。
I can see how to create a new keystore with a new private key, but this won't then match the CSR or certificate. 我可以看到如何使用新的私钥创建新的密钥库,但这不会与CSR或证书匹配。
No, that's the whole point of asymmetric cryptography: making it impossible to produce the private key when knowing only the public key (which is contained in the CSR and in the certificate). 不,这就是非对称加密的重点:在仅知道公钥(包含在CSR和证书中)时,无法生成私钥。
If you could re-generate the private key only from the CSR or the certificate, anyone could impersonate the entity to which the certificate has been issued. 如果您只能从CSR或证书重新生成私钥,则任何人都可以模拟已颁发证书的实体。
If you've lost your private key, you'll simply have to create a new key-pair, submit a new CSR and get a new certificate. 如果您丢失了私钥,则只需创建一个新密钥对,提交新的CSR并获取新证书即可。 Some CAs allow this sort of re-keying for free as part of their contract within the duration of the initial certificate.
一些CA允许在初始证书期间免费作为合同的一部分进行此类重新键入。
EDIT: Just to clarify what a CSR is. 编辑:只是为了澄清CSR是什么。
To apply for an X.509 certificate, you must: 要申请X.509证书,您必须:
You then have to use this certificate in conjunction with the private key matching its public key. 然后,您必须将此证书与匹配其公钥的私钥一起使用。 Some tools do this using separate files, it's also possible to import the cert back against the private key entry in a keystore.
有些工具使用单独的文件执行此操作,也可以将证书导入密钥库中的私钥条目。
Having the CSR or the cert without the private key is of no use. 拥有CSR或没有私钥的证书是没有用的。 You can quite easily create a new CSR again, but you'll also need to create a new key pair.
您可以轻松地再次创建新的CSR,但您还需要创建一个新的密钥对。 The most important part of the CSR is the public key, and to have the matching private key.
CSR最重要的部分是公钥,并具有匹配的私钥。 You can discard the CSR otherwise.
否则您可以丢弃CSR。
Is it possible to regenerate a private key in a .JKS keystore using keytool or equivalent?
是否可以使用keytool或等效工具在.JKS密钥库中重新生成私钥?
Yes, but regenerate the private key and CSR. 是的,但重新生成私钥和CSR。 The CSR is submitted to the CA where you are provided a new public key.
CSR将提交给CA,您将在其中获得新的公钥。
You can reimport to the keystore anytime using the following command:
您可以使用以下命令随时重新导入密钥库:
keytool.exe" -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -file .\certificate.cer
Make sure you also import the certificate to both paths for the newer JDK releases: 确保您还将证书导入到新JDK版本的两个路径:
C:\\Program Files\\Java\\jdk1.6.0_31 C:\\ Program Files \\ Java \\ jdk1.6.0_31
The newer releases also deploy a separate JRE: 较新的版本还部署了一个单独的JRE:
C:\\Program Files\\Java\\jre6 C:\\ Program Files \\ Java \\ jre6
Failure to do so may result in the following exceptions in log: 如果不这样做,可能会导致日志中出现以下异常:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To regenerate your private key and CSR, you can use the following command: 要重新生成私钥和CSR,可以使用以下命令:
$ openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out signing request.csr -config openssl.conf
I had the same trouble (my private key was accidentally deleted from keystore) and there was just one way to recover it: replacing the keystore file (*.jks) with a backup. 我遇到了同样的麻烦(我的私钥被意外地从密钥库中删除)并且只有一种方法可以恢复它:用备份替换密钥库文件(* .jks)。 So I recommend to always make backup with all files related to SSL, and if you delete anything by mistake on keystore just replace the file with an older one.
因此,我建议始终使用与SSL相关的所有文件进行备份,如果在密钥库中错误地删除了任何内容,只需将文件替换为较旧的文件即可。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.