How do I convert a .pfx file into a keystore that contains the private key?

Posted 2024-10-03 13:23:08 · 246 words · 11 views · 0 comments


I need to sign an Android application (.apk).
I have a .pfx file. I converted it to a .cer file via Internet Explorer and then converted the .cer to a .keystore using keytool. Then I tried to sign the .apk with jarsigner, but it says that the .keystore doesn't contain a private key.

What am I doing wrong?


Comments (7)

坏尐絯 2024-10-10 13:23:08


Using JDK 1.6 or later

It has been pointed out by Justin in the comments below that keytool alone is capable of doing this using the following command (although only in JDK 1.6 and later):

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 \
    -destkeystore clientcert.jks -deststoretype JKS

Using JDK 1.5 or below

OpenSSL can do it all. This answer on JGuru is the best method that I've found so far.

Firstly make sure that you have OpenSSL installed. Many operating systems already have it installed as I found with Mac OS X.

The following two commands convert the pfx file to a format that can be opened as a Java PKCS12 key store:

openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "MyCert"

NOTE that the name provided in the second command is the alias of your key in the new key store.

You can verify the contents of the key store using the Java keytool utility with the following command:

keytool -v -list -keystore mykeystore.p12 -storetype pkcs12

Finally if you need to you can convert this to a JKS key store by importing the key store created above into a new key store:

keytool -importkeystore -srckeystore mykeystore.p12 -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS

少跟Wǒ拽 2024-10-10 13:23:08


I found this page which tells you how to import a PFX to JKS (Java Key Store):

keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 \
    -srcstorepass PFX_P12_FILE -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE \
    -deststoretype jks -deststorepass PASSWORD -destalias ALIAS_NAME

画▽骨i 2024-10-10 13:23:08


jarsigner can use your pfx file as the keystore for signing your jar. Be sure that your pfx file has the private key and the cert chain when you export it. There is no need to convert to other formats. The trick is to obtain the Alias of your pfx file:

keytool -list -storetype pkcs12 -keystore your_pfx_file -v | grep Alias

Once you have your alias, signing is easy

jarsigner.exe -storetype pkcs12 -keystore pfx_file jar_file "your alias"

The above two commands will prompt you for the password you specified at pfx export. If you want to have your password hang out in clear text, use the -storepass switch before the -keystore switch.

Once signed, admire your work:

jarsigner.exe -verify -verbose -certs yourjarfile

我恋#小黄人 2024-10-10 13:23:08


Justin (above) is accurate. However, keep in mind that depending on who you get the certificate from (intermediate CA, root CA involved or not) or how the pfx is created/exported, sometimes they could be missing the certificate chain. After import, you would have a certificate of PrivateKeyEntry type, but with a chain of length 1.

To fix this, there are several options. The easier option in my mind is to import and export the pfx file in IE (choosing the option of including all the certificates in the chain). The import and export process of certificates in IE should be very easy and well documented elsewhere.

Once exported, import the keystore as Justin pointed out above.
Now, you would have a keystore with a certificate of type PrivateKeyEntry and with a certificate chain length of more than 1.

Certain .Net based Web service clients error out (unable to establish trust relationship) if you don't do the above.

倒数 2024-10-10 13:23:08


Your PFX file should contain the private key within it. Export the private key and certificate directly from your PFX file (e.g. using OpenSSL) and import them into your Java keystore.

Edit

Further information:

  • Download OpenSSL for Windows here.
  • Export private key: openssl pkcs12 -in filename.pfx -nocerts -out key.pem
  • Export certificate: openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
  • Import private key and certificate into Java keystore using keytool.

半世晨晓 2024-10-10 13:23:08


If you work with JDK 1.5 or below, the keytool utility will not have the -importkeystore option (see the JDK 1.5 keytool documentation), and the solution by MikeD will be available only by transferring the .pfx to a machine with a newer JDK (1.6 or above).

Another option in JDK 1.5 or below (if you have the Oracle WebLogic product) is to follow the instructions from this Oracle document: Using PFX and PEM Certificate Formats with Keystores.
It describes the conversion into .pem format, how to extract certificate information from this textual format, and how to import it into .jks format with the java utils.ImportPrivateKey utility (this is a utility included with the WebLogic product).

美男兮 2024-10-10 13:23:08


This is my solution for a Visual Studio/Xamarin environment.

Intended outcomes:

  • The PFX (foo.pfx in the examples) will be imported into a JKS keystore (bar.keystore in the examples).
  • The keystore will be protected with a new password (shall be referred to as "signing password").
  • The keystore will contain a single key.
  • The single key will have an alias whose name matches that of the keystore (bar in the examples).
  • The single key will be protected with the signing password.
  • The Xamarin tooling will be able to use the keystore to easily sign apps.

Note that it is not necessary for the names and passwords to match, but this is common practice, as well as what the tooling expects.

keytool location: %JAVA_HOME%\bin, e.g.:

  • C:\Program Files\Android\jdk\microsoft_dist_openjdk_1.8.0.25\bin
  • C:\Program Files (x86)\Java\jre1.8.0_331\bin

Steps:

  1. Obtain the internally-signed PFX. The PFX will have a temporarily assigned password.
  2. Import JKS keystore from PFX; when prompted, supply signing password twice for destination keystore password, and supply temporarily assigned password for source keystore password.
    keytool -importkeystore -srckeystore foo.pfx -srcstoretype pkcs12 -destkeystore bar.keystore -deststoretype JKS
    

    The generated JKS keystore will have a single key alias "1" with the same temporarily assigned password as the PFX from step 1.

  3. Change key alias to match keystore name; when prompted, supply signing password for keystore password, and temporarily assigned password for key password.
    keytool -changealias -alias 1 -destalias bar -keystore bar.keystore
    
  4. Change key password to signing password; when prompted, supply signing password for keystore password, temporarily assigned password for old key password, and signing password twice for new key password.
    keytool -keypasswd -keystore bar.keystore -alias bar
    
  5. Ensure finished keystore is located at the following path, or similar per your installation:
    %LOCALAPPDATA%\Xamarin\Mono for Android\Keystore\bar\bar.keystore
    

Verify content:

  1. View contents of original PFX; when prompted, supply temporarily assigned password for keystore password.
    keytool -list -v -keystore foo.pfx -storetype pkcs12
    
  2. View contents of generated keystore; when prompted, supply signing password for keystore password.
    keytool -list -v -keystore bar.keystore
    
  3. Compare output from steps 1 and 2 (e.g. save to text file and perform file diff). Content should be identical (i.e. certificate chains, fingerprints, etc.; header and footer text will differ).

You should now be able to see and use the imported keystore when using the Ad-Hoc distribution option in Visual Studio. Provide the signing password when prompted.
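The question itself (a .cer imported with keytool gives jarsigner nothing to sign with), MikeD's `keytool -v -list` verification step, the chain-length caveat in the fourth answer and the "Verify content" steps above all come down to reading a `keytool -list -v` listing by hand. The following Python script is added here as an example; it is not code from the thread, from keytool or from any of the projects mentioned. It parses such a listing and reports whether the alias you intend to sign with is a PrivateKeyEntry (importing a .cer yields a trustedCertEntry, which is exactly the "doesn't contain a private key" failure in the question) and whether its certificate chain is longer than 1. The listings embedded below are constructed to mimic keytool's output layout; the aliases, owner names and function names are this example's own assumptions.

```python
"""Check a `keytool -list -v` listing for an entry that jarsigner can sign with.

Added example, not code from the thread. Feed it the text printed by
`keytool -list -v -keystore <store> [-storetype pkcs12]` and the alias you
plan to pass to jarsigner. The sample listings at the bottom are constructed
for this example and mimic keytool's layout; they are not real keystores.
"""
import re
from dataclasses import dataclass, field


@dataclass
class KeystoreEntry:
    alias: str
    entry_type: str = ""
    chain_length: int = 0
    owners: list = field(default_factory=list)  # Owner: lines, one per cert


def parse_keytool_listing(text: str) -> dict:
    """Parse `keytool -list -v` output into {alias: KeystoreEntry}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Alias name:\s*(.+)", line)
        if m:
            current = KeystoreEntry(alias=m.group(1).strip())
            entries[current.alias] = current
            continue
        if current is None:
            continue  # header lines before the first alias
        m = re.match(r"Entry type:\s*(\S+)", line)
        if m:
            current.entry_type = m.group(1)
            # keytool prints no chain-length line for trustedCertEntry;
            # such an entry holds exactly one certificate and no key.
            if current.entry_type == "trustedCertEntry":
                current.chain_length = 1
            continue
        m = re.match(r"Certificate chain length:\s*(\d+)", line)
        if m:
            current.chain_length = int(m.group(1))
            continue
        m = re.match(r"Owner:\s*(.+)", line)
        if m:
            current.owners.append(m.group(1).strip())
    return entries


def check_signing_entry(text: str, alias: str) -> list:
    """Return the problems found for `alias`; an empty list means it is usable."""
    entries = parse_keytool_listing(text)
    entry = entries.get(alias)
    if entry is None:
        return [f"alias '{alias}' not found; present: {sorted(entries)}"]
    if entry.entry_type != "PrivateKeyEntry":
        # This is the question's situation: a .cer import has no private key.
        return [f"alias '{alias}' is {entry.entry_type}, not PrivateKeyEntry; "
                "jarsigner needs the private key, not just the certificate"]
    if entry.chain_length < 2:
        # The fourth answer's caveat: key present, but intermediates missing.
        return [f"alias '{alias}' has chain length {entry.chain_length}; "
                "intermediate/root certificates are missing from the entry"]
    return []


# Constructed listing (hypothetical): JKS produced by importing a .cer file.
CER_IMPORT_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey
Creation date: Oct 3, 2024
Entry type: trustedCertEntry

Owner: CN=Example App, O=Example Ltd
Issuer: CN=Example Issuing CA, O=Example Ltd
"""

# Constructed listing (hypothetical): PFX imported via -importkeystore, chain intact.
PFX_IMPORT_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mycert
Creation date: Oct 3, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Example App, O=Example Ltd
Issuer: CN=Example Issuing CA, O=Example Ltd
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Ltd
Issuer: CN=Example Root CA, O=Example Ltd
"""

# Constructed listing (hypothetical): private key present but chain truncated.
CHAIN1_LISTING = PFX_IMPORT_LISTING.replace("Certificate chain length: 2",
                                            "Certificate chain length: 1")

if __name__ == "__main__":
    for name, text, alias in [("cer import", CER_IMPORT_LISTING, "mykey"),
                              ("pfx import", PFX_IMPORT_LISTING, "mycert"),
                              ("chain of 1", CHAIN1_LISTING, "mycert")]:
        print(name, "->", check_signing_entry(text, alias) or "OK")
```

In practice you would pipe the real listing in (for example `keytool -list -v -keystore bar.keystore > listing.txt`) and run the check on that file; the alias comparison is exact, so use the alias exactly as `keytool -list` prints it, the way the grep-for-Alias answer above suggests.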
