Importing a Thawte trial certificate into a Java keystore

Posted 2024-08-28 09:44:27


I'm trying to configure a Tomcat server with SSL. I've generated a keypair thus:

$ keytool -genkeypair -alias tomcat -keyalg RSA -keystore keys

Next I generate a certificate signing request:

$ keytool -certreq -keyalg RSA -alias tomcat -keystore keys -file tomcat.csr

Then I copy-paste the contents of tomcat.csr into a form on Thawte's website, asking for a trial SSL certificate. In return I get two certificates delimited with -----BEGIN ... -----END, that I save under tomcat.crt and thawte.crt. (Thawte calls the second certificate a 'Thawte Test CA Root' certificate).

When I try to import either of them it fails:

$ keytool -importcert -alias tomcat -file tomcat.crt -keystore keys
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply

$ keytool -importcert -alias thawte -file thawtetest.crt -keystore keys
Enter keystore password:
keytool error: java.lang.Exception: Input not an X.509 certificate

Adding the -trustcacerts option to either of these commands doesn't change anything either.

Any idea what I am doing wrong here?


Comments (3)

以可爱出名 2024-09-04 09:44:27


I finally understood what was going on here. It turns out that the replies that I got from Thawte are formatted as PKCS#7, whereas keytool expects certificates in the X.509 format.

openssl can be used to convert certificates from one format to another:

$ openssl pkcs7 -in thawtetest.crt -print_certs |
  openssl x509 > thawtetest.x509

Now you can import thawtetest.x509 with keytool, and tomcat.crt right behind it.

空心空情空意 2024-09-04 09:44:27


You should be able to import PKCS#7 chains using keytool, so long as you're using a more recent version. Exporting the certs into distinct files will work, too, but if you're running a recent version of keytool there should be no problem importing the PKCS#7 file itself.

朮生 2024-09-04 09:44:27


Having run into the same trouble I found this post which helped me out. I put the trial certificates I received into a single file and used keytool to import making sure the ALIAS (keytool -alias param) I used was different (i.e. not the same alias I used when creating the certificates for the request). It is a bizarre error message given it simply doesn't like you trying to import to the same alias.
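Putting the first and third answers together (convert a PKCS#7 reply with openssl, import the CA certificate under an alias different from the key pair's, then import the server reply under the key pair's alias) as an added example that is not code from the question or either answer; the keystore name, aliases and file names are assumptions:

```shell
#!/bin/sh
# Added example, not code from the post. Checks the format of a CA reply,
# splits a PEM bundle into one certificate per file, imports the CA
# certificate(s) as trusted entries and then the server reply under the
# key pair's alias. File names, aliases and paths are assumptions.
set -eu

# Print "pkcs7", "x509" or "unknown" from the PEM header. keytool only accepts
# X.509 input for a new trusted entry (otherwise: "Input not an X.509
# certificate"), so this is the first thing to check on a CA's reply.
pem_kind() {
  if grep -q -- '-----BEGIN PKCS7-----' "$1"; then echo pkcs7
  elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo x509
  else echo unknown; fi
}

# Split a PEM bundle into $2-1.pem, $2-2.pem, ... and print how many
# certificates it held. "openssl x509" keeps only the first certificate;
# this keeps every one (an intermediate CA would otherwise be lost).
split_pem_certs() {
  awk -v prefix="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }' "$1"
}

# Import CA_FILE (X.509 or PKCS#7 PEM) as trusted entries, each under its
# own alias, then REPLY_FILE under KEY_ALIAS, the alias of the key pair the
# CSR was generated from, so keytool can chain the reply to the CAs.
import_ca_reply() {
  keystore=$1; key_alias=$2; ca_file=$3; reply_file=$4; tmp=$(mktemp -d)
  case $(pem_kind "$ca_file") in
    pkcs7) openssl pkcs7 -in "$ca_file" -print_certs -out "$tmp/ca.pem" ;;
    x509)  cp "$ca_file" "$tmp/ca.pem" ;;
    *)     echo "$ca_file is neither a PEM certificate nor PKCS#7" >&2; return 1 ;;
  esac
  n=$(split_pem_certs "$tmp/ca.pem" "$tmp/ca")
  i=1
  while [ "$i" -le "$n" ]; do
    # -noprompt skips the "Trust this certificate?" question; leave it out to
    # compare the printed fingerprint with the one the CA publishes.
    keytool -importcert -noprompt -alias "$key_alias-ca-$i" \
      -file "$tmp/ca-$i.pem" -keystore "$keystore"
    i=$((i + 1))
  done
  # The reply itself may be X.509 or PKCS#7; keytool accepts either here.
  keytool -importcert -trustcacerts -alias "$key_alias" \
    -file "$reply_file" -keystore "$keystore"
  rm -rf "$tmp"
}
```

For the files in the question the call is import_ca_reply keys tomcat thawtetest.crt tomcat.crt; keytool prompts for the keystore password on each import.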
