Java 密钥存储可以导入 OpenSSL 生成的密钥对吗?
我使用 openssl 生成认证密钥。这是我的命令:
openssl genrsa -des3 -out enc_key.pem 1024
我导出到 cer 文件,然后使用 java keytool 导入到 java 密钥库(jks)。
密钥库听起来不错。我可以从我的 java 应用程序加载密钥库。
问题是当客户端连接到服务器时(在本例中是FTP服务器,而不是Web服务器,我使用apache mina),发生异常:
javax.net.ssl.SSLHandshakeException:SSL 握手失败。 在 org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:433) 在 org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) 在 org.apache.mina.core.filterchain.DefaultIoFilterChain.access$5(DefaultIoFilterChain.java:429)
...
由以下原因引起:javax.net.ssl.SSLHandshakeException:没有共同的密码套件 在 com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(来源未知) 在 com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(来源未知) 在 com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(来源未知) 在 com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(来源未知) 在 javax.net.ssl.SSLEngine.wrap(来源未知)
...
由以下原因引起:javax.net.ssl.SSLHandshakeException:没有共同的密码套件 在 com.sun.net.ssl.internal.ssl.Alerts.getSSLException(来源未知) 在 com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(来源未知)
我想问一些事情:
- 我用 openssl 生成的认证密码是什么?我们怎么知道?也许通过命令行 openssl xxx?
- 我转到 http://java. sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA。我将 SSL_RSA_xxx 放入启用的密码套件中,但仍然无法工作(我将 SSL_RSA 放入是因为 SSL 使用 ssl implisit,而 genrsa,只是我认为 genrsa 生成 RSA)。正确吗?
- 有人知道解决办法吗?
- 或者,任何人都知道如何从 openssl 命令行生成标准密钥库,直到可以在 java 应用程序中使用(当然使用密码)。因为现在我可以从 openssl 生成认证并导出密钥库 java,但我不知道我使用的密码是什么以及如何在 java 应用程序中使用。注意:如果密钥库是直接从 java 生成的,我可以运行。现在的问题是 java keytool 是否通过 openssl(以及其他可能)等认证生成密钥库。
任何帮助将不胜感激!谢谢
I generate a certification key with openssl. Here is my command:
openssl genrsa -des3 -out enc_key.pem 1024
I export into cer file, then with java keytool I import into java keystore (jks).
The keystore sounds good. I can load the keystore from my java app.
The problem is when client connect to the server (In this case is FTP server, not web server, and I use apache mina), the exception occured:
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:433)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$5(DefaultIoFilterChain.java:429)
...
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
at javax.net.ssl.SSLEngine.wrap(Unknown Source)
...
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
There is a few things that I want to ask:
- What is the cipher of certification that I generate with openssl? How can we know? maybe by command line openssl xxx?
- I go to http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA. And I put SSL_RSA_xxx to enabled cipher suites, but still can't work (I put SSL_RSA because it the SSL is using ssl implisit, and genrsa, just my opinion genrsa is generate RSA). Is it correct?
- Anybody knows the solution?
- Or, anybody knows how to generate the standard keystore from openssl command line until can be used in java app (off course with the cipher). Because right now I can generate the certification from openssl and export keystore java, but I don't know what is the cipher that I used and how I use in the java app. Note: I can run if the keystore is generate directly FROM java. Right now the problem is if the keystore generated by java keytool from certification like openssl (and other maybe).
Any help will be appreciated! Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
为什么使用 OpenSSL 生成密钥对?为什么不直接使用
keytool
?genrsa 工具只是生成一个私钥。您如何创建相应的证书?如何将私钥导入 Java 密钥库? (我问,因为
keytool
只能从现有密钥存储导入私钥,并且只能从 Java 6 开始。)我怀疑您的问题是您的密钥存储不包含密钥条目(私钥和相应的证书)。当您使用
keytool
列出密钥库内容时,有多少条目?它们是关键条目还是可信条目?服务器需要访问私钥才能验证自身身份。要导入私钥,请使用Java 6增强的
keytool
。使用 OpenSSL 创建密钥和证书后,使用 OpenSSL 创建 PKCS #12 密钥存储:
然后将此存储转换为 Java 密钥存储:
现在在启用 SSL 的服务器中使用
server.jks
,其中包含证书和私钥。Why are you using OpenSSL to generate the keypair? Why not just use
keytool
?The
genrsa
tool just generates a private key. How are you creating a corresponding certificate? How are you importing the private key into your Java keystore? (I ask, becausekeytool
can only import a private key from an existing key store, and only from Java 6 onward.)I suspect that your problem is that your key store doesn't contain a key entry (private key and corresponding certificate). When you list the keystore contents with
keytool
, how many entries are there? Are they key entries or trusted entries?The server needs access to the private key in order to authenticate itself. To import a private key, use Java 6's enhanced
keytool
.After creating the key and the certificate with OpenSSL, use OpenSSL to create a PKCS #12 key store:
Then convert this store into a Java key store:
Now use
server.jks
in your SSL-enable server, which contains the certificate and the private key.