如何找出我的 JVM 使用的密钥库?
我需要将证书导入到我的 JVM 密钥库中。我正在使用以下内容:
keytool -import -alias daldap -file somecert.cer
所以我可能需要将我的呼叫更改为类似以下内容:
keytool -import -alias daldap -file somecert.cer -keystore cacerts –storepass changeit
I need to import a certificate into my JVM keystore. I am using the following:
keytool -import -alias daldap -file somecert.cer
so I would need to probably change my call into something like:
keytool -import -alias daldap -file somecert.cer -keystore cacerts –storepass changeit
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(11)
您的密钥库将位于您的
JAVA_HOME--->;库--->安全--> cacerts。您需要检查 JAVA_HOME 的配置位置,可能是这些位置之一,计算机--->高级 -->环境变量---> JAVA_HOME
您的服务器启动批处理文件。
在导入命令 -keystore cacerts 中(此处给出上述 JRE 的完整路径,而不仅仅是说 cacerts)。
Your keystore will be in your
JAVA_HOME---> lib---> security--> cacerts. You need to check where your JAVA_HOME is configured, possibly one of these places,Computer--->Advanced --> Environment variables---> JAVA_HOME
Your server startup batch files.
In your import command -keystore cacerts (give full path to the above JRE here instead of just saying cacerts).
密钥库位置
每个 keytool 命令都有一个
-keystore选项,用于指定 keytool 管理的密钥库的持久密钥库文件的名称和位置。默认情况下,密钥库存储在用户主目录中名为.keystore的文件中,该文件由“user.home”系统属性确定。给定用户名 uName,“user.home”属性值默认为因此,如果用户名为“cathy”,“user.home”默认为
https://docs.oracle.com/en/java/javase/17/docs/specs/man/keytool.html#importing-a-certificate-for-the-ca
Keystore Location
Each keytool command has a
-keystoreoption for specifying the name and location of the persistent keystore file for the keystore managed by keytool. The keystore is by default stored in a file named.keystorein the user's home directory, as determined by the "user.home" system property. Given user name uName, the "user.home" property value defaults toThus, if the user name is "cathy", "user.home" defaults to
https://docs.oracle.com/en/java/javase/17/docs/specs/man/keytool.html#importing-a-certificate-for-the-ca
Mac OS X 10.12 和 Java 1.8:
$JAVA_HOME/jre/lib/security
/Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home
从那里开始:
我在那里有一个 cacerts 密钥库。
要将其指定为 VM 选项:
我并不是说这是正确的方法(为什么 java 不知道在 JAVA_HOME 中查找?),但这是我必须做的才能使其正常工作。
Mac OS X 10.12 with Java 1.8:
$JAVA_HOME/jre/lib/security
/Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home
From there it's in:
I have a cacerts keystore in there.
To specify this as a VM option:
I'm not saying this is the correct way (Why doesn't java know to look within JAVA_HOME?), but this is what I had to do to get it working.
您可以在“Home”目录中找到它:
在 Windows 7 上:
在 Linux (Ubuntu) 上:
You can find it in your "Home" directory:
On Windows 7:
On Linux (Ubuntu):
这对我有用:
#! /bin/bash CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))/../lib/security/cacerts) if keytool -list -keystore $CACERTS -storepass changeit > /dev/null ; then echo $CACERTS else echo 'Can not find cacerts file.' >&2 exit 1 fi仅适用于 Linux。我的 Solaris 没有阅读链接。最后我使用了这个 Perl 脚本:
#! /usr/bin/env perl use strict; use warnings; use Cwd qw(realpath); $_ = realpath((grep {-x && -f} map {"$_/keytool"} split(':', $ENV{PATH}))[0]); die "Can not find keytool" unless defined $_; my $keytool = $_; print "Using '$keytool'.\n"; s/keytool$//; $_ = realpath($_ . '../lib/security/cacerts'); die "Can not find cacerts" unless -f $_; my $cacerts = $_; print "Importing into '$cacerts'.\n"; `$keytool -list -keystore "$cacerts" -storepass changeit`; die "Can not read key container" unless $? == 0; exit if $ARGV[0] eq '-d'; foreach (@ARGV) { my $cert = $_; s/\.[^.]+$//; my $alias = $_; print "Importing '$cert' as '$alias'.\n"; `keytool -importcert -file "$cert" -alias "$alias" -keystore "$cacerts" -storepass changeit`; warn "Can not import certificate: $?" unless $? == 0; }This works for me:
#! /bin/bash CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))/../lib/security/cacerts) if keytool -list -keystore $CACERTS -storepass changeit > /dev/null ; then echo $CACERTS else echo 'Can not find cacerts file.' >&2 exit 1 fiOnly for Linux. My Solaris has no readlink. In the end I used this Perl-Script:
#! /usr/bin/env perl use strict; use warnings; use Cwd qw(realpath); $_ = realpath((grep {-x && -f} map {"$_/keytool"} split(':', $ENV{PATH}))[0]); die "Can not find keytool" unless defined $_; my $keytool = $_; print "Using '$keytool'.\n"; s/keytool$//; $_ = realpath($_ . '../lib/security/cacerts'); die "Can not find cacerts" unless -f $_; my $cacerts = $_; print "Importing into '$cacerts'.\n"; `$keytool -list -keystore "$cacerts" -storepass changeit`; die "Can not read key container" unless $? == 0; exit if $ARGV[0] eq '-d'; foreach (@ARGV) { my $cert = $_; s/\.[^.]+$//; my $alias = $_; print "Importing '$cert' as '$alias'.\n"; `keytool -importcert -file "$cert" -alias "$alias" -keystore "$cacerts" -storepass changeit`; warn "Can not import certificate: $?" unless $? == 0; }在 Debian 上,使用 openjdk 版本“1.8.0_212”,我在这里找到了 cacerts:
如果有一个标准命令可以打印出此路径,那么当然会很方便。
On Debian, using openjdk version "1.8.0_212", I found cacerts here:
Sure would be handy if there was a standard command that would print out this path.
正如 DimtryB 提到的,默认情况下密钥库位于用户目录下。但是,如果您尝试更新 cacerts 文件,以便 JVM 可以选择密钥,那么您必须更新 jre/lib 下的 cacerts 文件/安全。您还可以通过执行命令
keytool -list -keystore cacerts来查看密钥,以查看您的证书是否已添加。As DimtryB mentioned, by default the keystore is under the user directory. But if you are trying to update the
cacertsfile, so that the JVM can pick the keys, then you will have to update thecacertsfile underjre/lib/security. You can also view the keys by executing the commandkeytool -list -keystore cacertsto see if your certificate is added.对于我使用官方 OpenJDK 12 Docker 映像来说,Java 密钥库的位置是:
For me using the official OpenJDK 12 Docker image, the location of the Java keystore was:
我在 Ubuntu 20.04 上使用以下命令找到了 JVM 密钥库:
输出:
此目录是指向以下内容的符号链接:
I found the JVM keystore using the following command on Ubuntu 20.04:
Output:
This directory is a symbolic link to:
我们在从 jre 目录运行的 Tomcat 上遇到了此问题,该目录在自动 jre 更新后(几乎完全)被删除,因此运行的 jre 无法再找到 jre.../lib/security/cacerts,因为它不再存在。
重新启动 Tomcat(将配置更改为从不同的 jre 位置运行后)修复了该问题。
We encountered this issue on a Tomcat running from a jre directory that was (almost fully) removed after an automatic jre update, so that the running jre could no longer find jre.../lib/security/cacerts because it no longer existed.
Restarting Tomcat (after changing the configuration to run from the different jre location) fixed the problem.
除了上面的所有答案之外:
如果更新 JRE 目录中的 cacerts 文件没有帮助,请尝试在 JDK 中更新它。
C:\Program Files\Java\jdk1.8.0_192\jre\lib\security
In addition to all answers above:
If updating the cacerts file in JRE directory doesn't help, try to update it in JDK.
C:\Program Files\Java\jdk1.8.0_192\jre\lib\security