我在ActiveMQ配置中有这个:

<sslContext>
        <sslContext keyStore="file:/home/alex/work/amq/broker.ks"  
 keyStorePassword="password" trustStore="file:${activemq.base}/conf/broker.ts" 
 trustStorePassword="password"/>
</sslContext>

我有一对X.509证书和一个密钥文件。

我如何导入这两个,以便在SSL和SSL+stomp连接器中使用它们?所有的例子,我总能自己生成键,但我已经有一个键了。

我试过了

keytool -import  -keystore ./broker.ks -file mycert.crt

但这只导入证书,而不导入密钥文件,并导致

2009-05-25 13:16:24,270 [localhost:61612] ERROR TransportConnector - Could not accept connection : No available certificate or key corresponds to the SSL cipher suites which are enabled.

我已经尝试连接证书和密钥,但得到相同的结果。

如何导入密钥?


当前回答

我使用了以下两个步骤,我在其他答案的评论/帖子中找到了链接:

第一步:将x.509证书和密钥转换为pkcs12文件

openssl pkcs12 -export -in server.crt -inkey server.key \
               -out server.p12 -name [some-alias] \
               -CAfile ca.crt -caname root

注意:请确保在pkcs12文件上设置了密码-否则在尝试导入pkcs12文件时将会得到一个空指针异常。(以防其他人也有这种头痛)。(谢谢jocull !)

注意2:您可能希望添加-chain选项以保留完整的证书链。(感谢Mafuba)

步骤2:将pkcs12文件转换为Java密钥存储库

keytool -importkeystore \
        -deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore \
        -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password \
        -alias [some-alias]

完成了

可选步骤零:创建自签名证书

openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

常见问题:我得到错误IOException:密钥库密码不正确

如果您正在使用OpenSSL 3.0和Java8u302更新的JDK,并得到以下错误:

keytool error: java.io.IOException: keystore password was incorrect

您可能会在openssl中发现默认密码的更改。此堆栈溢出回答提供了一个答案。也许可以给托马斯点赞。

其他回答

还有一点:

#!/bin/bash

# We have:
#
# 1) $KEY : Secret key in PEM format ("-----BEGIN RSA PRIVATE KEY-----") 
# 2) $LEAFCERT : Certificate for secret key obtained from some
#    certification outfit, also in PEM format ("-----BEGIN CERTIFICATE-----")   
# 3) $CHAINCERT : Intermediate certificate linking $LEAFCERT to a trusted
#    Self-Signed Root CA Certificate 
#
# We want to create a fresh Java "keystore" $TARGET_KEYSTORE with the
# password $TARGET_STOREPW, to be used by Tomcat for HTTPS Connector.
#
# The keystore must contain: $KEY, $LEAFCERT, $CHAINCERT
# The Self-Signed Root CA Certificate is obtained by Tomcat from the
# JDK's truststore in /etc/pki/java/cacerts

# The non-APR HTTPS connector (APR uses OpenSSL-like configuration, much
# easier than this) in server.xml looks like this 
# (See: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html):
#
#  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
#                SSLEnabled="true"
#                maxThreads="150" scheme="https" secure="true"
#                clientAuth="false" sslProtocol="TLS"
#                keystoreFile="/etc/tomcat6/etl-web.keystore.jks"
#                keystorePass="changeit" />
#

# Let's roll:    

TARGET_KEYSTORE=/etc/tomcat6/foo-server.keystore.jks
TARGET_STOREPW=changeit

TLS=/etc/pki/tls

KEY=$TLS/private/httpd/foo-server.example.com.key
LEAFCERT=$TLS/certs/httpd/foo-server.example.com.pem
CHAINCERT=$TLS/certs/httpd/chain.cert.pem

# ----
# Create PKCS#12 file to import using keytool later
# ----

# From https://www.sslshopper.com/ssl-converter.html:
# The PKCS#12 or PFX format is a binary format for storing the server certificate,
# any intermediate certificates, and the private key in one encryptable file. PFX
# files usually have extensions such as .pfx and .p12. PFX files are typically used 
# on Windows machines to import and export certificates and private keys.

TMPPW=$$ # Some random password

PKCS12FILE=`mktemp`

if [[ $? != 0 ]]; then
  echo "Creation of temporary PKCS12 file failed -- exiting" >&2; exit 1
fi

TRANSITFILE=`mktemp`

if [[ $? != 0 ]]; then
  echo "Creation of temporary transit file failed -- exiting" >&2; exit 1
fi

cat "$KEY" "$LEAFCERT" > "$TRANSITFILE"

openssl pkcs12 -export -passout "pass:$TMPPW" -in "$TRANSITFILE" -name etl-web > "$PKCS12FILE"

/bin/rm "$TRANSITFILE"

# Print out result for fun! Bug in doc (I think): "-pass " arg does not work, need "-passin"

openssl pkcs12 -passin "pass:$TMPPW" -passout "pass:$TMPPW" -in "$PKCS12FILE" -info

# ----
# Import contents of PKCS12FILE into a Java keystore. WTF, Sun, what were you thinking?
# ----

if [[ -f "$TARGET_KEYSTORE" ]]; then
  /bin/rm "$TARGET_KEYSTORE"
fi

keytool -importkeystore \
   -deststorepass  "$TARGET_STOREPW" \
   -destkeypass    "$TARGET_STOREPW" \
   -destkeystore   "$TARGET_KEYSTORE" \
   -srckeystore    "$PKCS12FILE" \
   -srcstoretype  PKCS12 \
   -srcstorepass  "$TMPPW" \
   -alias foo-the-server

/bin/rm "$PKCS12FILE"

# ----
# Import the chain certificate. This works empirically, it is not at all clear from the doc whether this is correct
# ----

echo "Importing chain"

TT=-trustcacerts

keytool -import $TT -storepass "$TARGET_STOREPW" -file "$CHAINCERT" -keystore "$TARGET_KEYSTORE" -alias chain

# ----
# Print contents
# ----

echo "Listing result"

keytool -list -storepass "$TARGET_STOREPW" -keystore "$TARGET_KEYSTORE"

信不信由你,keytool并没有提供像将私钥导入keystore这样的基本功能。您可以尝试将PKSC12文件与私钥合并到keystore中:

keytool -importkeystore \
  -deststorepass storepassword \
  -destkeypass keypassword \
  -destkeystore my-keystore.jks \
  -srckeystore cert-and-key.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass p12password \
  -alias 1

或者使用IBM的更友好的KeyMan来处理密钥库,而不是keytool。

如果你有一个PEM文件(例如server.pem)包含:

受信任证书 私钥

然后您可以像这样将证书和密钥导入JKS密钥存储库:

1)将PEM文件中的私钥复制到ascii文件中(例如server.key)

2)将PEM文件中的cert复制到ascii文件中(例如server.crt)

3)将证书和密钥导出到PKCS12文件中:

$ openssl pkcs12 -export -in server.crt -inkey server.key \
                 -out server.p12 -name [some-alias] -CAfile server.pem -caname root

PEM文件可以作为-CAfile选项的参数。 提示输入“导出”密码。 如果在git bash中执行此操作,则在命令的开头添加winpty,以便可以输入导出密码。

4)将PKCS12文件转换为JKS密钥存储库:

$ keytool -importkeystore -deststorepass changeit -destkeypass changeit \
          -destkeystore keystore.jks  -srckeystore server.p12 -srcstoretype PKCS12 \
          -srcstorepass changeit

srcstorepass密码应该与步骤3中的导出密码匹配。

只需创建一个PKCS12密钥库,Java现在可以直接使用它了。事实上,如果您列出一个java风格的密钥存储库,keytool本身就会提醒您PKCS12现在是首选格式。

openssl pkcs12 -export -in server.crt -inkey server.key \
               -out server.p12 -name [some-alias] \
               -CAfile ca.crt -caname root -chain

您应该已经收到了所有三个文件(服务器。crt,服务器。密钥,ca.crt)从您的证书提供者。我不确定“-caname root”实际上是什么意思,但它似乎必须这样指定。

在Java代码中,确保指定了正确的密钥库类型。

KeyStore.getInstance("PKCS12")

我通过这种方式在NanoHTTPD中获得了comodo.com颁发的SSL证书。

是的,keytool没有导入私钥的功能,这确实是一个可悲的事实。

在最后,我使用了这里描述的解决方案