Java keytool:将私钥插入 X.509 证书
Java的keytool是否能够导出包含私钥的X.509证书?
我正在考虑一种场景,其中用户生成证书(其中包含私钥)并将其提供给签名工具。签名工具使用证书中的私钥对目标文件进行签名。最终,私钥从证书中删除,并将证书附加到目标文件以进行分发。
Does Java's keytool have the ability to export an X.509 certificate with a private key in it?
I am considering a scenario in which users generate a certificate (with the private key in it) and supply it to a signing tool. The signing tool uses the private key in the certificate to sign a target file. Eventually, the private key is removed from the certificate and the cert is attached to the target file for distribution.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我还不能发表评论,所以我将使用以下表格:
通常使用 PKCS #12 http://en.wikipedia.org/wiki/PKCS#12 用于存储证书及其私钥。此外,还可以将公钥/私钥对存储在 PCKS #8 容器中并单独发送证书。
如果您有兴趣,我想我有一些用于 PKCS #12 存储的 java 代码示例。
此外,开源 Java 证书颁发机构 EJBCA (http://www.ejbca.org/) 也是一个很好的示例来源。
I can't comment yet, so I'll use this form:
Usually one uses PKCS #12 http://en.wikipedia.org/wiki/PKCS#12 for storing a certificate with its private Key. Also, one can store a public/private key pair in a PCKS #8 Container and ship the certificate separately.
If you're interested, i think i have some java code samples for PKCS #12 storage.
Also, the open source Java Certificate Authority EJBCA (http://www.ejbca.org/) is a great source for examples.
生成的私钥永远不会被其他人出于任何目的使用或共享。
据我所知,签名工具会使用自己的私钥来生成签名来证明您的公钥。例如,您使用 keytool 生成密钥对并向 CA 提交 CSR。 CA 将使用他们自己的 pvt 密钥在您的证书上标记他们的签名。
Private keys generated are never used or shared by others for any purposes.
Signing tools that I know would use their own private key to generate their signature to certify your public key. For e.g. you generate a key pair using keytool and submit a CSR to a CA. CA would use their own pvt key to stamp their signature on your certificate.
keytool(命令行可执行文件)没有导出私钥的选项。但您可以使用 JSA-API 以编程方式执行此操作(但尚未尝试)。
The keytool (the commandline executable) does not have the option to export private keys. But you may use the JSA-API to do it programmatically (haven't tried, though).
密钥及其签名证书通常存储在密钥库容器中,例如 PKCS12 或 Java 的 JKS。还可以将证书和密钥提取到 PEM 格式文件中,以便在 Apache HTTPD 等应用程序中使用。
要从 JKS 文件中提取证书和密钥,需要先将其转换为 PKCS12 格式文件,然后再使用 openssl 提取证书:
Keys and their signed certificates are often stored in keystore containers such as PKCS12 or Java's JKS. It is also possible to extract certificates and keys into PEM format files for use in apps like Apache HTTPD.
To extract certs and keys from a JKS file it's necessary to convert it to PKCS12 format file before extracting the certs with openssl: