Can an alias in a keystore be a guid?
I have a problem in regards to Tomcat 6 and certificates. The problem is somewhat similar to this: Tomcat HTTPS keystore certificate.
My task is to get a Jira installation running with an SSL certificate issued by a CA.
To make sure I have got the workflow right I have tried to create a certificate of my own the following way (this works):
- Create 'my' keystore
- Extract the certificate from the 'my' keystore
- Import the extracted certificate into Java's \cacerts keystore.
This solution works fine - site can be accessed over SSL.
I assume the following can be done with my CA issued certificate, in the form of a pfx file.
I created a new keystore using this command:
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -destkeystore \mydest\keystore.jks -deststorepass changeit
When I list the contents of the new keystore.jks I get one entry; private key with a guid.
I extract the certificate from the keystore. In this operation I am unable to specify an alias.
I import the certificate into the \cacerts keystore.
I then list the contents of the \cacerts keystore and find my new entry. Instead of having a name, the entry is showing the same guid as from the initial (pfx) keystore.
I alter my server.xml file with the new alias (e.g. guid) and keystore file.
However - starting Tomcat gives this error:
Alias name {guid} does not identify a key entry
Question is:
- Can a guid be a key name?
- If not, what am I doing wrong? :)
I have tried both keystores in the server.xml file, without luck.
New info; when I execute this command I am able to find information regarding the certificate in the \cacerts file:
keytool -list -v -keystore \cacerts -alias {guid}
So it seems that the guid exists. However, Tomcat seems to be unable to find the same key.
Comments (1)
Answer is 'yes'.
The origin of my problem was that I had the wrong password for the key from the pfx file. Using the following command I changed the password from the original one to the standard password (I did this prior to exporting the certificate from the keystore created from the pfx file):
Keytool then asked me for old password and new password.
I might have been able to add some sort of configuration in the server.xml file like 'keypassword', but I haven't looked into that.
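An added example, not part of the original post or answer: `keytool -list -v` prints an "Entry type" for every alias, `PrivateKeyEntry` for a key pair and `trustedCertEntry` for a certificate imported on its own, so the listing shows whether a guid alias in a given keystore has a private key behind it. The alias value and both abridged listings below are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read `keytool -list -v` output on stdin and report what kind
# of entry an alias is. Real use:
#   keytool -list -v -keystore keystore.jks | check_key_alias '{guid}'

# Constructed alias and constructed, abridged listings (not from the page).
ALIAS='{11111111-2222-3333-4444-555555555555}'

sample_jks_listing() {      # keystore made by -importkeystore from a pfx
cat <<EOF
Keystore type: JKS

Alias name: $ALIAS
Creation date: Jan 1, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
EOF
}

sample_cacerts_listing() {  # the same certificate imported on its own
cat <<EOF
Keystore type: JKS

Alias name: $ALIAS
Creation date: Jan 1, 2010
Entry type: trustedCertEntry
EOF
}

# Print the entry type keytool lists for alias $1 (prints nothing if absent).
entry_type() {
    awk -v want="$1" '
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: / { if (alias == want) { print substr($0, 13); exit } }'
}

# Exit 0 only for a PrivateKeyEntry; 1 for any other type; 2 if not found.
check_key_alias() {
    t=$(entry_type "$1")
    case "$t" in
        PrivateKeyEntry) echo "ok: $1 is a PrivateKeyEntry" ;;
        "") echo "missing: no entry named $1"; return 2 ;;
        *)  echo "no private key: $1 is a $t"; return 1 ;;
    esac
}

sample_jks_listing | check_key_alias "$ALIAS"
sample_cacerts_listing | check_key_alias "$ALIAS" || true
```

The check only covers the entry type; a `PrivateKeyEntry` whose key password differs from the one the server is configured with still has to be handled separately.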