Tomcat / JKS / Keytool - 重新生成私钥?
[英]Tomcat / JKS / Keytool - regenerate private key?
问题描述
Is it possible to regenerate a private key in a .JKS keystore using keytool or equivalent? 
是否可以使用keytool或等效工具在.JKS密钥库中重新生成私钥?
I've been supplied with a certificate and a JKS keystore, but on importing the cert it looks like the private key that was used to generate the CSR has been deleted. 我已经获得了证书和JKS密钥库,但在导入证书时,看起来已经删除了用于生成CSR的私钥。
I can see how to create a new keystore with a new private key, but this won't then match the CSR or certificate. 我可以看到如何使用新的私钥创建新的密钥库,但这不会与CSR或证书匹配。
3 个解决方案
解决方案1
4 已采纳 2012-08-23 15:39:36
No, that's the whole point of asymmetric cryptography: making it impossible to produce the private key when knowing only the public key (which is contained in the CSR and in the certificate). 不,这就是非对称加密的重点:在仅知道公钥(包含在CSR和证书中)时,无法生成私钥。
If you could re-generate the private key only from the CSR or the certificate, anyone could impersonate the entity to which the certificate has been issued. 如果您只能从CSR或证书重新生成私钥,则任何人都可以模拟已颁发证书的实体。
If you've lost your private key, you'll simply have to create a new key-pair, submit a new CSR and get a new certificate. 如果您丢失了私钥,则只需创建一个新密钥对,提交新的CSR并获取新证书即可。 Some CAs allow this sort of re-keying for free as part of their contract within the duration of the initial certificate. 一些CA允许在初始证书期间免费作为合同的一部分进行此类重新键入。
EDIT: Just to clarify what a CSR is. 编辑:只是为了澄清CSR是什么。
To apply for an X.509 certificate, you must: 要申请X.509证书,您必须:
- Generate a public/private key pair. 生成公钥/私钥对。 By nature, the public key can be publicly distributed, because it's not sufficient to obtain the private key (at least not in a reasonable time). 本质上,公钥可以是公开分发的,因为获取私钥是不够的(至少不是在合理的时间内)。
- Submit that public key with your identity information to the Certification Authority. 将包含您的身份信息的公钥提交给证书颁发机构。 This can be done using: 这可以使用:
- A Certificate Signing Request (CSR, PKCS#10), which contains your public key and the data you would like to be in the certificate (eg the Subject DN you want). 证书签名请求(CSR,PKCS#10),其中包含您的公钥和您希望在证书中的数据(例如您想要的主题DN)。 Although very similar to the data in a certificate, this data should mainly be used by the CA for identifying the request itself, since CAs doing their job properly should check what they put in the certificate, not just turn the CSR into a certificate blindly. 尽管与证书中的数据非常相似,但CA应主要使用此数据来识别请求本身,因为正确执行其工作的CA应检查它们在证书中的内容,而不是盲目地将CSR转换为证书。 The CSR itself is signed using the private key matching the public key in the certificate. 使用与证书中的公钥匹配的私钥对CSR本身进行签名。 It's effectively very similar to a self-signed X.509 certificate (without Issuer information and validity dates), but isn't one. 它实际上非常类似于自签名X.509证书(没有发行人信息和有效日期),但不是一个。
- SPKAC or CRMF for in-browser certificate applications. 用于浏览器内证书应用程序的SPKAC或CRMF。
- A Certificate Signing Request (CSR, PKCS#10), which contains your public key and the data you would like to be in the certificate (eg the Subject DN you want).
- The CA then takes this CSR (or equivalent) and makes the necessary verification outside this process to vet the pieces of information it wants to embed in your certificate, and issues your certificate (by signing it with its own private key). 然后,CA会使用此CSR(或等效的)并在此过程之外进行必要的验证,以审核其要嵌入到您的证书中的信息,并颁发您的证书(通过使用自己的私钥对其进行签名)。 It's effectively vouching for the binding between your public key (extracted from the CSR) and the information it embeds in the certificate (eg your name and/or the domain name for which this cert is). 它有效地保证了您的公钥(从CSR中提取)与其嵌入证书中的信息(例如您的名称和/或该证书所属的域名)之间的绑定。 It sends you back this certificate. 它会将您的证书发回给您。
You then have to use this certificate in conjunction with the private key matching its public key. 然后,您必须将此证书与匹配其公钥的私钥一起使用。 Some tools do this using separate files, it's also possible to import the cert back against the private key entry in a keystore. 有些工具使用单独的文件执行此操作,也可以将证书导入密钥库中的私钥条目。
Having the CSR or the cert without the private key is of no use. 拥有CSR或没有私钥的证书是没有用的。 You can quite easily create a new CSR again, but you'll also need to create a new key pair. 您可以轻松地再次创建新的CSR,但您还需要创建一个新的密钥对。 The most important part of the CSR is the public key, and to have the matching private key. CSR最重要的部分是公钥,并具有匹配的私钥。 You can discard the CSR otherwise. 否则您可以丢弃CSR。
解决方案2
0 2012-08-23 15:26:29
Is it possible to regenerate a private key in a .JKS keystore using keytool or equivalent?
Yes, but regenerate the private key and CSR. 是的,但重新生成私钥和CSR。 The CSR is submitted to the CA where you are provided a new public key. CSR将提交给CA,您将在其中获得新的公钥。
You can reimport to the keystore anytime using the following command:
keytool.exe" -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -file .\certificate.cer
Make sure you also import the certificate to both paths for the newer JDK releases: 确保您还将证书导入到新JDK版本的两个路径:
C:\\Program Files\\Java\\jdk1.6.0_31 C:\\ Program Files \\ Java \\ jdk1.6.0_31
The newer releases also deploy a separate JRE: 较新的版本还部署了一个单独的JRE:
C:\\Program Files\\Java\\jre6 C:\\ Program Files \\ Java \\ jre6
Failure to do so may result in the following exceptions in log: 如果不这样做,可能会导致日志中出现以下异常:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To regenerate your private key and CSR, you can use the following command: 要重新生成私钥和CSR,可以使用以下命令:
$ openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out signing request.csr -config openssl.conf
解决方案3
0 2016-01-27 12:58:39
I had the same trouble (my private key was accidentally deleted from keystore) and there was just one way to recover it: replacing the keystore file (*.jks) with a backup. 我遇到了同样的麻烦(我的私钥被意外地从密钥库中删除)并且只有一种方法可以恢复它:用备份替换密钥库文件(* .jks)。 So I recommend to always make backup with all files related to SSL, and if you delete anything by mistake on keystore just replace the file with an older one. 因此,我建议始终使用与SSL相关的所有文件进行备份,如果在密钥库中错误地删除了任何内容,只需将文件替换为较旧的文件即可。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.