
SSL: CSR file created with OpenSSL and installed with keytool

I have created a CSR with the OpenSSL command and purchased the crt files.

openssl genrsa -out private-key.pem 2048
openssl req -new -key private-key.pem -out csr.pem

Will it be OK to install this by using the keystore command, as I have not created the CSR file by using keytool (but created it using OpenSSL)?

Another question is that I have got three files from the trusted certificate company. So how do I identify which one is the primary, root, or intermediate crt file? The file type (root, intermediate) is not mentioned in the filename itself. I have to run the following commands depending on the crt file type.

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file [name of the root certificate]

keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file [name of the intermediate certificate]

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file [name of the certificate]

Will it be OK to install this by using the keystore command, as I have not created the CSR file by using keytool (but created it using OpenSSL)?

You will have to import the private key into the keystore as well. Otherwise the keystore will be useless.

There are two ways to do this:

  1. Create a PKCS#12 file with OpenSSL first and then convert this file to JKS with keytool (see here).
  2. Use KeyStore Explorer; it has import/export features for OpenSSL formats. Instructions can be found here.

Another question is that I have got three files from the trusted certificate company. So how do I identify which one is the primary, root, or intermediate crt file?

You have to take a look at the content of the certificates, especially their distinguished names (DNs).

  • The root CA certificate always has identical SubjectDN and IssuerDN.
  • The intermediate CA has root CA's SubjectDN as its IssuerDN and a different SubjectDN.
  • The SSL certificate has the intermediate CA's SubjectDN as its IssuerDN and the domain name as part of its SubjectDN.

The OpenSSL command for printing out the SubjectDN and IssuerDN depends on the format of the certificate file (DER or PEM). DER is a binary format, PEM is an ASCII format. If you are not sure, try both:

openssl x509 -noout -subject -issuer -nameopt RFC2253 -inform DER -in <cert-file>

or

openssl x509 -noout -subject -issuer -nameopt RFC2253 -inform PEM -in <cert-file>
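The DN comparison described in this answer, turned into a small script (an added example, not code from the original answer): it tries PEM and falls back to DER for each file, then labels each file root, intermediate or leaf by checking whether its SubjectDN equals its own IssuerDN or appears as the IssuerDN of another file in the set. The demo chain it builds (`Demo Root CA`, `Demo Intermediate CA`, `www.example.com`) is constructed for illustration; it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original answer): sort the CA's files into
# root / intermediate / leaf by comparing SubjectDN with IssuerDN, the way the
# answer describes, trying PEM first and falling back to DER for each file.
set -u

# Print "subject=<DN>" and "issuer=<DN>" for one cert file, whichever encoding it uses.
cert_names() {
  openssl x509 -noout -subject -issuer -nameopt RFC2253 -inform PEM -in "$1" 2>/dev/null ||
    openssl x509 -noout -subject -issuer -nameopt RFC2253 -inform DER -in "$1" 2>/dev/null
}

# Usage: classify_certs FILE...   Prints one "<kind> <file>" line per input.
#   root:         SubjectDN equals IssuerDN (self-signed)
#   intermediate: its SubjectDN is the IssuerDN of another file in the set
#   leaf:         nothing in the set was issued by it
classify_certs() {
  all_issuers=$(for f in "$@"; do cert_names "$f" | sed -n 's/^issuer=//p'; done)
  for f in "$@"; do
    names=$(cert_names "$f") || { echo "unreadable $f"; continue; }
    subject=$(printf '%s\n' "$names" | sed -n 's/^subject=//p')
    issuer=$(printf '%s\n' "$names" | sed -n 's/^issuer=//p')
    if [ "$subject" = "$issuer" ]; then
      echo "root $f"
    elif printf '%s\n' "$all_issuers" | grep -qxF -- "$subject"; then
      echo "intermediate $f"
    else
      echo "leaf $f"
    fi
  done
}

# Constructed demo chain (hypothetical names): root -> intermediate -> leaf,
# written into directory $1; the leaf is also stored as DER to exercise the fallback.
make_demo_chain() (
  cd "$1" || exit 1
  q="-nodes -newkey rsa:2048"
  openssl req -x509 $q -keyout root.key -out root.crt -days 2 -subj "/CN=Demo Root CA" 2>/dev/null &&
  openssl req $q -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null &&
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 -out inter.crt 2>/dev/null &&
  openssl req $q -keyout leaf.key -out leaf.csr -subj "/CN=www.example.com" 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 2 -out leaf.crt 2>/dev/null &&
  openssl x509 -in leaf.crt -outform DER -out leaf.der
)

# Stand-alone run: build the demo chain and classify the three files.
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d) && make_demo_chain "$dir" && classify_certs "$dir"/root.crt "$dir"/inter.crt "$dir"/leaf.der
fi
```

The intermediate label is relative to the set you pass in, so give the script all three purchased files at once; a non-self-signed certificate checked on its own will always come out as leaf.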
