您可以使用这些步骤将密钥导入到现有的密钥存储库。这些说明结合了这个帖子和其他网站的答案。这些指令对我来说是有效的(java密钥库):

运行

Openssl pkcs12 -export -in你的服务器。CRT -inkey你的钥匙。密钥输出服务器。P12 -name someename -certfile yourca. xmlCRT -caname根

(如果需要，使用-chain选项。这样做对我来说失败了)。 这将要求密码-您必须提供正确的密码，否则将得到一个错误 (标题错误或填充错误等)。

It will ask you to enter a new password - you must enter a password here - enter anything but remember it. (Let us assume you enter Aragorn). This will create the server.p12 file in the pkcs format. Now to import it into the *.jks file run: keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore yourexistingjavakeystore.jks -deststoretype JKS -deststorepass existingjavastorepassword -destkeypass existingjavastorepassword (Very important - do not leave out the deststorepass and the destkeypass parameters.) It will ask you for the src key store password. Enter Aragorn and hit enter. The certificate and key is now imported into your existing java keystore.

我使用了以下两个步骤，我在其他答案的评论/帖子中找到了链接:

第一步:将x.509证书和密钥转换为pkcs12文件

openssl pkcs12 -export -in server.crt -inkey server.key \
               -out server.p12 -name [some-alias] \
               -CAfile ca.crt -caname root

注意:请确保在pkcs12文件上设置了密码-否则在尝试导入pkcs12文件时将会得到一个空指针异常。(以防其他人也有这种头痛)。(谢谢jocull !)

注意2:您可能希望添加-chain选项以保留完整的证书链。(感谢Mafuba)

步骤2:将pkcs12文件转换为Java密钥存储库

keytool -importkeystore \
        -deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore \
        -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password \
        -alias [some-alias]

完成了

可选步骤零:创建自签名证书

openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

常见问题:我得到错误IOException:密钥库密码不正确

如果您正在使用OpenSSL 3.0和Java8u302更新的JDK，并得到以下错误:

keytool error: java.io.IOException: keystore password was incorrect

您可能会在openssl中发现默认密码的更改。此堆栈溢出回答提供了一个答案。也许可以给托马斯点赞。

还有一点:

#!/bin/bash

# We have:
#
# 1) $KEY : Secret key in PEM format ("-----BEGIN RSA PRIVATE KEY-----") 
# 2) $LEAFCERT : Certificate for secret key obtained from some
#    certification outfit, also in PEM format ("-----BEGIN CERTIFICATE-----")   
# 3) $CHAINCERT : Intermediate certificate linking $LEAFCERT to a trusted
#    Self-Signed Root CA Certificate 
#
# We want to create a fresh Java "keystore" $TARGET_KEYSTORE with the
# password $TARGET_STOREPW, to be used by Tomcat for HTTPS Connector.
#
# The keystore must contain: $KEY, $LEAFCERT, $CHAINCERT
# The Self-Signed Root CA Certificate is obtained by Tomcat from the
# JDK's truststore in /etc/pki/java/cacerts

# The non-APR HTTPS connector (APR uses OpenSSL-like configuration, much
# easier than this) in server.xml looks like this 
# (See: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html):
#
#  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
#                SSLEnabled="true"
#                maxThreads="150" scheme="https" secure="true"
#                clientAuth="false" sslProtocol="TLS"
#                keystoreFile="/etc/tomcat6/etl-web.keystore.jks"
#                keystorePass="changeit" />
#

# Let's roll:    

TARGET_KEYSTORE=/etc/tomcat6/foo-server.keystore.jks
TARGET_STOREPW=changeit

TLS=/etc/pki/tls

KEY=$TLS/private/httpd/foo-server.example.com.key
LEAFCERT=$TLS/certs/httpd/foo-server.example.com.pem
CHAINCERT=$TLS/certs/httpd/chain.cert.pem

# ----
# Create PKCS#12 file to import using keytool later
# ----

# From https://www.sslshopper.com/ssl-converter.html:
# The PKCS#12 or PFX format is a binary format for storing the server certificate,
# any intermediate certificates, and the private key in one encryptable file. PFX
# files usually have extensions such as .pfx and .p12. PFX files are typically used 
# on Windows machines to import and export certificates and private keys.

TMPPW=$$ # Some random password

PKCS12FILE=`mktemp`

if [[ $? != 0 ]]; then
  echo "Creation of temporary PKCS12 file failed -- exiting" >&2; exit 1
fi

TRANSITFILE=`mktemp`

if [[ $? != 0 ]]; then
  echo "Creation of temporary transit file failed -- exiting" >&2; exit 1
fi

cat "$KEY" "$LEAFCERT" > "$TRANSITFILE"

openssl pkcs12 -export -passout "pass:$TMPPW" -in "$TRANSITFILE" -name etl-web > "$PKCS12FILE"

/bin/rm "$TRANSITFILE"

# Print out result for fun! Bug in doc (I think): "-pass " arg does not work, need "-passin"

openssl pkcs12 -passin "pass:$TMPPW" -passout "pass:$TMPPW" -in "$PKCS12FILE" -info

# ----
# Import contents of PKCS12FILE into a Java keystore. WTF, Sun, what were you thinking?
# ----

if [[ -f "$TARGET_KEYSTORE" ]]; then
  /bin/rm "$TARGET_KEYSTORE"
fi

keytool -importkeystore \
   -deststorepass  "$TARGET_STOREPW" \
   -destkeypass    "$TARGET_STOREPW" \
   -destkeystore   "$TARGET_KEYSTORE" \
   -srckeystore    "$PKCS12FILE" \
   -srcstoretype  PKCS12 \
   -srcstorepass  "$TMPPW" \
   -alias foo-the-server

/bin/rm "$PKCS12FILE"

# ----
# Import the chain certificate. This works empirically, it is not at all clear from the doc whether this is correct
# ----

echo "Importing chain"

TT=-trustcacerts

keytool -import $TT -storepass "$TARGET_STOREPW" -file "$CHAINCERT" -keystore "$TARGET_KEYSTORE" -alias chain

# ----
# Print contents
# ----

echo "Listing result"

keytool -list -storepass "$TARGET_STOREPW" -keystore "$TARGET_KEYSTORE"

如果你有一个PEM文件(例如server.pem)包含:

受信任证书 私钥

然后您可以像这样将证书和密钥导入JKS密钥存储库:

1)将PEM文件中的私钥复制到ascii文件中(例如server.key)

2)将PEM文件中的cert复制到ascii文件中(例如server.crt)

3)将证书和密钥导出到PKCS12文件中:

$ openssl pkcs12 -export -in server.crt -inkey server.key \
                 -out server.p12 -name [some-alias] -CAfile server.pem -caname root

PEM文件可以作为-CAfile选项的参数。 提示输入“导出”密码。 如果在git bash中执行此操作，则在命令的开头添加winpty，以便可以输入导出密码。

4)将PKCS12文件转换为JKS密钥存储库:

$ keytool -importkeystore -deststorepass changeit -destkeypass changeit \
          -destkeystore keystore.jks  -srckeystore server.p12 -srcstoretype PKCS12 \
          -srcstorepass changeit

srcstorepass密码应该与步骤3中的导出密码匹配。

在我的例子中，我有一个pem文件，其中包含两个证书和一个用于相互SSL身份验证的加密私钥。 我的pem文件是这样的:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C8BF220FC76AA5F9
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

以下是我所做的:

将文件拆分为三个单独的文件，这样每个文件只包含一个条目， 以“——BEGIN..”开头，以“——END..”结尾。让我们假设现在有三个文件:cert1。pem cert2。Pem和pkey.pem

pkey进行转换。使用openssl将pem文件转换为DER格式，并执行如下语法:

Openssl pkcs8 -topk8 -nocrypt -in pkey. exepem -out pkey.der -outform DER . pem

注意，如果私钥是加密的，你需要提供一个密码(从原始pem文件的供应商那里获得) 转换为DER格式， Openssl会像这样要求你输入密码:“enter a pass phrase for pkey。pem:“ 如果转换成功，您将得到一个名为“pkey.der”的新文件。

创建一个新的java密钥存储库，并导入私钥和证书:

String keypass = "password";  // this is a new password, you need to come up with to protect your java key store file
String defaultalias = "importkey";
KeyStore ks = KeyStore.getInstance("JKS", "SUN");

// this section does not make much sense to me, 
// but I will leave it intact as this is how it was in the original example I found on internet:   
ks.load( null, keypass.toCharArray());
ks.store( new FileOutputStream ( "mykeystore"  ), keypass.toCharArray());
ks.load( new FileInputStream ( "mykeystore" ),    keypass.toCharArray());
// end of section..


// read the key file from disk and create a PrivateKey

FileInputStream fis = new FileInputStream("pkey.der");
DataInputStream dis = new DataInputStream(fis);
byte[] bytes = new byte[dis.available()];
dis.readFully(bytes);
ByteArrayInputStream bais = new ByteArrayInputStream(bytes);

byte[] key = new byte[bais.available()];
KeyFactory kf = KeyFactory.getInstance("RSA");
bais.read(key, 0, bais.available());
bais.close();

PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec ( key );
PrivateKey ff = kf.generatePrivate (keysp);


// read the certificates from the files and load them into the key store:

Collection  col_crt1 = CertificateFactory.getInstance("X509").generateCertificates(new FileInputStream("cert1.pem"));
Collection  col_crt2 = CertificateFactory.getInstance("X509").generateCertificates(new FileInputStream("cert2.pem"));

Certificate crt1 = (Certificate) col_crt1.iterator().next();
Certificate crt2 = (Certificate) col_crt2.iterator().next();
Certificate[] chain = new Certificate[] { crt1, crt2 };

String alias1 = ((X509Certificate) crt1).getSubjectX500Principal().getName();
String alias2 = ((X509Certificate) crt2).getSubjectX500Principal().getName();

ks.setCertificateEntry(alias1, crt1);
ks.setCertificateEntry(alias2, crt2);

// store the private key
ks.setKeyEntry(defaultalias, ff, keypass.toCharArray(), chain );

// save the key store to a file         
ks.store(new FileOutputStream ( "mykeystore" ),keypass.toCharArray());

(可选)验证新密钥存储库的内容:

keytool -list -keystore mykeystore -storepass password

密钥库类型:JKS密钥库提供者:SUN 您的密钥存储库包含3个条目 cn =…,ou =…,o = . .， 2014年9月2日，trustedCertEntry，证书 fingerprint (SHA1): 2C:B8:… importkey, 2014年9月2日，PrivateKeyEntry，证书指纹 (sha1): 9c: b0:… cn =…,o =…， 2014年9月2日，trustedCertEntry，证书指纹 (sha1): 83:63:…

(可选)在SSL服务器上测试新密钥库中的证书和私钥: (你可能想把调试作为一个虚拟机选项:-Djavax.net.debug=all)

        char[] passw = "password".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS", "SUN");
        ks.load(new FileInputStream ( "mykeystore" ), passw );

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, passw);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        TrustManager[] tm = tmf.getTrustManagers();

        SSLContext sclx = SSLContext.getInstance("TLS");
        sclx.init( kmf.getKeyManagers(), tm, null);

        SSLSocketFactory factory = sclx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket( "192.168.1.111", 443 );
        socket.startHandshake();

        //if no exceptions are thrown in the startHandshake method, then everything is fine..

最后注册你的证书与HttpsURLConnection如果计划使用它:

        char[] passw = "password".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS", "SUN");
        ks.load(new FileInputStream ( "mykeystore" ), passw );

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, passw);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        TrustManager[] tm = tmf.getTrustManagers();

        SSLContext sclx = SSLContext.getInstance("TLS");
        sclx.init( kmf.getKeyManagers(), tm, null);

        HostnameVerifier hv = new HostnameVerifier()
        {
            public boolean verify(String urlHostName, SSLSession session)
            {
                if (!urlHostName.equalsIgnoreCase(session.getPeerHost()))
                {
                    System.out.println("Warning: URL host '" + urlHostName + "' is different to SSLSession host '" + session.getPeerHost() + "'.");
                }
                return true;
            }
        };

        HttpsURLConnection.setDefaultSSLSocketFactory( sclx.getSocketFactory() );
        HttpsURLConnection.setDefaultHostnameVerifier(hv);

如果您在单个.pem文件中收到了组合的证书和密钥，就像MongoDB Atlas的身份验证一样，那么，

使用文本编辑器打开pem文件，将其拆分为两个文件，例如cert.pem和key。Pem(你可以在文件中很清楚地进行分割)，然后使用openssl命令创建一个单独的p12格式文件，如下所示:

 openssl pkcs12 -export -out server.p12 -name test\
 -in cert.pem -inkey key.pem

我使用的是Java 8，至少在Java 8或更高版本中，生成的p12 (server.p12)现在是keystore文件，因此如果不需要向它添加任何certs，您可以直接使用它，而不需要使用keytool。