当前位置：文江博客话题详情

Java keytool 从 url/port 添加服务器证书的简单方法

发布于 2024-09-18 05:43:48 字数 93 浏览 12 评论 0原文

我有一个带有自签名证书的服务器，但也需要客户端证书身份验证。我在尝试获取原始 CA 服务器证书时遇到了困难，因此我可以将其导入密钥库。有人对如何轻松做到这一点有一些建议吗？

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

黯淡〆 2024-09-25 05:43:48

正在研究如何在使用 jenkins cli 时信任证书，并发现
https://issues.jenkins-ci.org/browse/JENKINS-12629 其中有一些秘诀那。

这将为您提供证书：

openssl s_client -connect ${HOST}:${PORT} </dev/null

如果您只对证书部分感兴趣，请通过管道将其剪切到：

| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

并重定向到文件：

> ${HOST}.cert

然后使用 keytool 导入它：

keytool -import -noprompt -trustcacerts -alias ${HOST} -file ${HOST}.cert \
    -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}

一次性：

HOST=myhost.example.com
PORT=443
KEYSTOREFILE=dest_keystore
KEYSTOREPASS=changeme

# get the SSL certificate
openssl s_client -connect ${HOST}:${PORT} </dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert

# create a keystore and import certificate
keytool -import -noprompt -trustcacerts \
    -alias ${HOST} -file ${HOST}.cert \
    -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}

# verify we've got it.
keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST}

Was looking at how to trust a certificate while using jenkins cli, and found
https://issues.jenkins-ci.org/browse/JENKINS-12629 which has some recipe for that.

This will give you the certificate:

openssl s_client -connect ${HOST}:${PORT} </dev/null

if you are interested only in the certificate part, cut it out by piping it to:

| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

and redirect to a file:

> ${HOST}.cert

Then import it using keytool:

keytool -import -noprompt -trustcacerts -alias ${HOST} -file ${HOST}.cert \
    -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}

In one go:

HOST=myhost.example.com
PORT=443
KEYSTOREFILE=dest_keystore
KEYSTOREPASS=changeme

# get the SSL certificate
openssl s_client -connect ${HOST}:${PORT} </dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert

# create a keystore and import certificate
keytool -import -noprompt -trustcacerts \
    -alias ${HOST} -file ${HOST}.cert \
    -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}

# verify we've got it.
keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST}

回复收藏 0 原文

花之痕靓丽 2024-09-25 05:43:48

我使用 openssl，但如果您不愿意，或者您所在的系统（特别是 Windows）没有它，自 2011 年的 java 7 keytool 可以完成整个工作:

 keytool -printcert -sslserver host[:port] -rfc >tempfile
 keytool -import [-noprompt] -alias nm -keystore file [-storepass pw] [-storetype ty] <tempfile 
 # or with noprompt and storepass (so nothing on stdin besides the cert) piping works:
 keytool -printcert -sslserver host[:port] -rfc | keytool -import -noprompt -alias nm -keystore file -storepass pw [-storetype ty]

~~相反，对于 java 9 及以上版本，以及在许多情况下的早期版本，Java 可以使用 PKCS12 文件作为密钥库，而不是传统的 JKS 文件，并且~~ OpenSSL 可以创建一个PKCS12 无需 keytool 的任何帮助：

openssl s_client -connect host:port </dev/null | openssl pkcs12 -export -nokeys [-caname nm] [-passout option] -out p12file
# <NUL on Windows
# default is to prompt for password, but -passout supports several options 
# including actual value, envvar, or file; see the openssl(1ssl) man page

但是（显然我在 2018 年还没有发现）这不能作为“标准”（Oracle/OpenJDK）Java 加密的信任库因为这需要 PKCS12 中的受信任证书具有 OpenSSL 不知道的特殊属性。如果您安装并使用 BouncyCastle 提供程序并指定可能影响（可能会破坏）其他事物的存储类型，并且使用 -caname确实有效代码>. （更正：-caname 不是 -name 或 nm）

I use openssl, but if you prefer not to, or are on a system (particularly Windows) that doesn't have it, since java 7 in 2011 keytool can do the whole job:

 keytool -printcert -sslserver host[:port] -rfc >tempfile
 keytool -import [-noprompt] -alias nm -keystore file [-storepass pw] [-storetype ty] <tempfile 
 # or with noprompt and storepass (so nothing on stdin besides the cert) piping works:
 keytool -printcert -sslserver host[:port] -rfc | keytool -import -noprompt -alias nm -keystore file -storepass pw [-storetype ty]

~~Conversely, for java 9 up always, and for earlier versions in many cases, Java can use a PKCS12 file for a keystore instead of the traditional JKS file, and~~ OpenSSL can create a PKCS12 without any assistance from keytool:

openssl s_client -connect host:port </dev/null | openssl pkcs12 -export -nokeys [-caname nm] [-passout option] -out p12file
# <NUL on Windows
# default is to prompt for password, but -passout supports several options 
# including actual value, envvar, or file; see the openssl(1ssl) man page

BUT (as I apparently hadn't yet found in 2018) this won't work as a truststore with 'standard' (Oracle/OpenJDK) Java crypto because that requires trusted cert(s) in a PKCS12 to have a special attribute OpenSSL doesn't know about. This does work if you install and use the BouncyCastle provider and specify the storetype which can affect (maybe break) other things, AND you specify 'friendly' name(s) with -caname. (corrected: -caname not -name or nm)

回复收藏 0 原文

北方的韩爷 2024-09-25 05:43:48

我发现有几种方法可以做到这一点：

Firefox: Add Exception ->获取证书->查看->详情->导出...
KeyMan (http://www.alphaworks.ibm.com/tech/keyman) 您可以直接从文件中获取 SSL 证书 ->导入菜单
InstallCert（Andreas Sterbenz 的代码）

    java InstallCert [host]:[port] 
    keytool -exportcert -keystore jssecacerts -storepass changeit -file output.cert
    keytool -importcert -keystore [DESTINATION_KEYSTORE] -file output.cert

There were a few ways I found to do this:

Firefox: Add Exception -> Get Certificat -> View -> Details -> Export...
KeyMan (http://www.alphaworks.ibm.com/tech/keyman) You can get SSL cert directly from the File -> Import menu
InstallCert (Code by Andreas Sterbenz)

    java InstallCert [host]:[port] 
    keytool -exportcert -keystore jssecacerts -storepass changeit -file output.cert
    keytool -importcert -keystore [DESTINATION_KEYSTORE] -file output.cert

回复收藏 0 原文

南街女流氓 2024-09-25 05:43:48

您可以使用 Firefox、此网站导出证书有说明。然后使用 keytool 添加证书。

回复收藏 0 原文

叹沉浮 2024-09-25 05:43:48

只需将 dnozay 的答案暴露给函数，以便我们可以同时导入多个证书。

将其保存到 .sh 文件然后运行它。

#!/usr/bin/env sh

KEYSTORE_FILE=/path/to/keystore.jks
KEYSTORE_PASS=changeit


import_cert() {
  local HOST=$1
  local PORT=$2

  if [[ -z $PORT ]]; then
    PORT=443
  fi

  # get the SSL certificate
  openssl s_client -connect ${HOST}:${PORT} </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert

  # delete the old alias and then import the new one
  keytool -delete -keystore ${KEYSTORE_FILE} -storepass ${KEYSTORE_PASS} -alias ${HOST} &> /dev/null

  # create a keystore (or update) and import certificate
  keytool -import -noprompt -trustcacerts \
      -alias ${HOST} -file ${HOST}.cert \
      -keystore ${KEYSTORE_FILE} -storepass ${KEYSTORE_PASS}

  # remove temp file
  rm ${HOST}.cert
}

# Change your sites here
import_cert stackoverflow.com 443
import_cert www.google.com # default port 443
import_cert 172.217.194.104 443 # google

Just expose dnozay's answer to a function so that we can import multiple certificates at the same time.

Save it to a .sh file then run it.

#!/usr/bin/env sh

KEYSTORE_FILE=/path/to/keystore.jks
KEYSTORE_PASS=changeit


import_cert() {
  local HOST=$1
  local PORT=$2

  if [[ -z $PORT ]]; then
    PORT=443
  fi

  # get the SSL certificate
  openssl s_client -connect ${HOST}:${PORT} </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert

  # delete the old alias and then import the new one
  keytool -delete -keystore ${KEYSTORE_FILE} -storepass ${KEYSTORE_PASS} -alias ${HOST} &> /dev/null

  # create a keystore (or update) and import certificate
  keytool -import -noprompt -trustcacerts \
      -alias ${HOST} -file ${HOST}.cert \
      -keystore ${KEYSTORE_FILE} -storepass ${KEYSTORE_PASS}

  # remove temp file
  rm ${HOST}.cert
}

# Change your sites here
import_cert stackoverflow.com 443
import_cert www.google.com # default port 443
import_cert 172.217.194.104 443 # google

回复收藏 0 原文

~没有更多了~