Importing a Thawte trial certificate into a Java keystore
I'm trying to configure a Tomcat server with SSL. I've generated a keypair thus:

$ keytool -genkeypair -alias tomcat -keyalg RSA -keystore keys

Next I generate a certificate signing request:

$ keytool -certreq -keyalg RSA -alias tomcat -keystore keys -file tomcat.csr

Then I copy-paste the contents of tomcat.csr into a form on Thawte's website, asking for a trial SSL certificate. In return I get two certificates delimited with -----BEGIN ... -----END, that I save under tomcat.crt and thawte.crt. (Thawte calls the second certificate a 'Thawte Test CA Root' certificate).

When I try to import either of them it fails:

$ keytool -importcert -alias tomcat -file tomcat.crt -keystore keys
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply

$ keytool -importcert -alias thawte -file thawtetest.crt -keystore keys
Enter keystore password:
keytool error: java.lang.Exception: Input not an X.509 certificate

Adding the -trustcacerts option to either of these commands doesn't change anything either.

Any idea what I am doing wrong here?
Comments (3)
I finally understood what was going on here. It turns out that the replies that I got from Thawte are formatted as PKCS#7, whereas keytool expects certificates in the X.509 format. openssl can be used to convert certificates from one format to another:

Now you can import thawtetest.x509 with keytool, and tomcat.crt right behind it.
You should be able to import PKCS#7 chains using keytool, so long as you're using a more recent version. Exporting the certs into distinct files will work, too, but if you're running a recent version of keytool there should be no problem importing the PKCS#7 file itself.
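As an added illustration of the first answer's conversion step (this is not code from the question or from either answer, and it is not what openssl or keytool do internally): a stand-alone Python script that unwraps a PEM-wrapped PKCS#7 SignedData reply into individual X.509 PEM certificate blocks, the shape keytool -importcert accepts, and raises a clear error when a blob is not PKCS#7 at all. It assumes the CA reply uses the "-----BEGIN PKCS7-----" PEM label; the sample reply is constructed in the script from placeholder SEQUENCEs and is not a real Thawte certificate.

```python
import base64, re
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # id-signedData 1.2.840.113549.1.7.2

def tlv(tag, value):  # minimal DER encoder (short-form length only) used to build the sample below
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):  # decode the DER TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pem_blocks(text):  # [(label, DER bytes)] for every -----BEGIN label----- block in the reply
    pat = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()))) for m in pat.finditer(text)]

def pkcs7_certificates(der):  # DER Certificate TLVs inside a PKCS#7 SignedData ContentInfo (RFC 2315)
    tag, s, _ = read_tlv(der, 0)                        # ContentInfo SEQUENCE
    t, os_, oe = read_tlv(der, s)                       # contentType OID
    if tag != 0x30 or t != 0x06 or der[os_:oe] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData structure")
    _, pos, end = read_tlv(der, read_tlv(der, oe)[1])   # content [0] EXPLICIT -> SignedData SEQUENCE
    for _ in range(3):                                  # skip version, digestAlgorithms, contentInfo
        pos = read_tlv(der, pos)[2]
    certs = []
    if pos < end and der[pos] == 0xA0:                  # certificates [0] IMPLICIT SET OF Certificate
        _, p, ce = read_tlv(der, pos)
        while p < ce:
            p_end = read_tlv(der, p)[2]
            certs.append(der[p:p_end])                  # one whole Certificate TLV
            p = p_end
    return certs

def to_pem(der, label="CERTIFICATE"):  # the X.509 PEM shape that keytool -importcert accepts
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"

def unwrap_reply(text):  # every certificate in a CA reply, each as its own X.509 PEM block
    pems = []
    for label, der in pem_blocks(text):
        certs = pkcs7_certificates(der) if label == "PKCS7" else [der]
        pems += [to_pem(c) for c in certs]
    return pems

# Constructed sample (not a real Thawte reply): a PKCS#7 SignedData wrapping two placeholder SEQUENCE "certificates".
FAKE_CERTS = [tlv(0x30, tlv(0x0C, f"placeholder cert {i}".encode())) for i in (1, 2)]
SIGNED_DATA = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))
                    + tlv(0xA0, b"".join(FAKE_CERTS)) + tlv(0x31, b""))  # version, digestAlgorithms, contentInfo(id-data), certificates, signerInfos
SAMPLE_PKCS7_PEM = to_pem(tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, SIGNED_DATA)), "PKCS7")
```

Writing each returned block to its own file (CA root first, then the server certificate) reproduces the two-file import order the first answer describes.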
Having run into the same trouble I found this post which helped me out. I put the trial certificates I received into a single file and used keytool to import making sure the ALIAS (keytool -alias param) I used was different (ie not the same alias I used when creating the certificates for the request). It is a bizarre error message given it simply doesn't like you trying to import to the same alias.