Adding a SAN to an SSL certificate (in Java)
I want to create a self-signed cert with the SAN field (subject alternative name) set but the Java keytool tool does not seem to support that. What is my best option? This is for Java use, so the keystore must still match the JKS format even if a non-Java tool is used to create the cert.
Comments (5)
You can do this by adding the SAN function to the command when creating the CSR:
Create the Keystore:
Issue the CSR:
http://download.java.net/jdk8/docs/technotes/tools/solaris/keytool.html
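An added example, not part of the original answers: a shell script for the keytool route, using the -ext option of the JDK 7+ keytool to put the SAN into a self-signed certificate in a JKS keystore and then reading the extension back to confirm it is present. The host names, the alias server, the file names and the changeit password are constructed placeholders.

```shell
#!/bin/sh
# Added example; names, alias, paths and the password are constructed.

# Build the value for keytool's -ext option from a list of names:
# IPv4 literals become ip: entries, everything else becomes dns: entries.
san_ext() {
    out=""
    for name in "$@"; do
        case "$name" in
            "")        continue ;;     # skip empty arguments
            *[!0-9.]*) kind=dns ;;     # has a non-digit, non-dot char: host name
            *.*.*.*)   kind=ip ;;      # digits and dots only: treat as IPv4
            *)         kind=dns ;;
        esac
        out="${out:+$out,}$kind:$name"
    done
    printf 'SAN=%s\n' "$out"
}

# Create a JKS keystore holding a self-signed certificate whose SAN
# extension lists the given names. Usage: make_san_keystore FILE CN NAME...
make_san_keystore() {
    ks=$1; cn=$2; shift 2
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
        -validity 365 -dname "CN=$cn" -ext "$(san_ext "$@")" \
        -keystore "$ks" -storetype JKS \
        -storepass changeit -keypass changeit
}

# Print the SAN entries keytool reports for the stored certificate, so the
# extension is checked rather than assumed.
show_san() {
    keytool -list -v -alias server -keystore "$1" -storepass changeit |
        grep -A 4 'SubjectAlternativeName'
}

# Demo run, only when a keytool is installed (JDK 7 or later is needed).
if command -v keytool >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_san_keystore "$tmp/my-keystore.jks" server.example.test \
        server.example.test 127.0.0.1 && show_san "$tmp/my-keystore.jks"
    rm -rf "$tmp"
fi
```

A client that verifies host names against the certificate will only accept the names listed in the SAN, so the show_san output should list every name the server is reached by.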
You can do this only with the JDK7 or later version of keytool. OpenJDK 7 has it.
It sounds like getting the more recent keytool might be easiest, but you could also create the certificate with alternate name set using openssl and then import that into keytool.
The JDK7 suggestion is a good one. In the meantime I was able to do it using the Bouncy Castle library. It was educational to do it programmatically instead of with keytool and getting the stores in jks format was straightforward.
You can use http://Ssltools.com/manager to create the San cert and export it and then import it into the keystore.
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore my-keystore.jks -srckeystore cert-and-key.p12 -srcstoretype PKCS12 -srcstorepass cert-and-key-password -alias 1