Generating certificates with keytool on Linux: exporting an SSL certificate for a Java certificate truststore from a Linux browser (or the Linux command line)...

This post deals with a certificate problem encountered when consuming a web service with ColdFusion 9 on Linux. It describes how to export a certificate from Chrome and from the Linux CLI, including choosing the right level and format to export, gives the keytool command used to import it, and provides a script that obtains the certificate through openssl s_client instead of a browser.

Background:

I am having some trouble consuming a Web Service with ColdFusion 9 (peer not authenticated).

But my questions are more specific...

Question:

How do I export the cert (at the right level) in Chrome (or Linux CLI), and in which format?

Details:

I have seen some instructions for exporting a cert from a browser, but they have been for IE (old versions, at that), and I would prefer to use Chrome, because I'm on Linux.

In order to get to the screen shot, below, I:

1. Click the lock icon next to the URL
2. "Connection" tab (shows "The identity of this website has been verified by Thawte SSL CA")
3. Click "Certificate Information Link"
4. "Details" tab

From there, I am able to export at one of four levels:

- Builtin Object Token:Thawte Premium Server CA
- thawte Primary Root CA
- Thawte SSL CA
- sb1.geolearning.com

Which one is appropriate?

Also, Adobe's documentation says "The certificate must be an X.509 certificate in Distinguished Encoding Rules (DER) format.", and Chrome's export dialog offers these options:

- Base64-encoded ASCII, single certificate
- Base64-encoded ASCII, certificate chain
- DER-encoded binary, single certificate
- PKCS #7, single certificate
- PKCS #7, certificate chain
- All Files

I assume "DER-encoded binary, single certificate" is appropriate?

Solution

With a Browser

The following generated a certificate that I was able to import using keytool:

Level: sb1.geolearning.com

File Type: DER-encoded binary, single certificate

For posterity, here was the command used to import:

```bash
sudo keytool -import \
  -keystore /opt/jrun4/jre/lib/security/cacerts \
  -alias "sb1.geolearning.com (Thawte SSL CA)" \
  -storepass changeit -noprompt -trustcacerts \
  -file ~/Downloads/sb1.geolearning.com
```

Without a Browser

Here's what I'm doing these days (in a Vagrant provisioner). In this script, the keystore is hard-coded, because I'm only using it for Lucee, at the moment; however, the path to the keystore could easily be parameterized. Also, the runfile related code is just so Vagrant doesn't run the script more than once; those lines are superfluous if you're not using the code as a Vagrant provisioner.

The only thing that really differentiates this from the above solution is that this gets the cert via openssl s_client (and cleans it up with sed) instead of doing so manually, via a browser.

```bash
#!/usr/bin/env bash

set -e

description="Add cert to Lucee's keystore."

# Parse --key=value options; unknown options are warned about and skipped.
while :
do
    case $1 in
        --provisioned-dir=*)
            provisioned_dir=${1#*=} # Delete everything up till "="
            shift
            ;;
        --runfile-name=*)
            runfile_name=${1#*=} # Delete everything up till "="
            shift
            ;;
        --site-host-name=*)
            site_host_name=${1#*=} # Delete everything up till "="
            shift
            ;;
        -*)
            echo "WARN: Unknown option (ignored): $1" >&2
            shift
            ;;
        *) # no more options. Stop while loop
            break
            ;;
    esac
done

# Vagrant-only guard: skip if this provisioner has already run.
runfile="${provisioned_dir}/${runfile_name}"
if [ -f "${runfile}" ]; then
    echo "${description}: Already run."
    exit 0
fi

echo "add cert to keystore"

# Fetch the server certificate and keep only the PEM block. -servername sends
# SNI so a host serving several certificates returns the right one; the cert
# goes to a mktemp file rather than a predictable path in /tmp.
cert_file="$(mktemp)"
echo -n | \
    openssl s_client -connect "${site_host_name}:443" -servername "${site_host_name}" \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
    > "${cert_file}"

# "|| true": keytool exits non-zero if the alias already exists; don't abort on that.
/opt/lucee/jdk/jre/bin/keytool \
    -import \
    -keystore /opt/lucee/lib/lucee-server/context/security/cacerts \
    -alias "${site_host_name} (self-signed)" \
    -storepass changeit \
    -file "${cert_file}" \
    -noprompt \
    || true

rm -f "${cert_file}"
touch "${runfile}"
```
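As an added example (not from the original answer or the Lucee project): before importing anything, list every level of the chain that `openssl s_client -showcerts` returns, with subject, issuer and the SHA-256 fingerprint keytool will display at import, so you can pick the level deliberately and compare the fingerprint against a value obtained out of band. Assumes bash, coreutils (`base64`, `sha256sum`), awk, sed and openssl on PATH; the host name is a hypothetical command-line argument.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Assumes bash, coreutils,
# awk, sed and openssl; the host name passed as $1 is hypothetical.
set -eu

# Split `openssl s_client -showcerts` output into one PEM file per certificate,
# in the order the server sent them (leaf first, issuing CA next, ...).
# Prints the number of certificates found.
split_chain() {                     # $1 = s_client output file, $2 = output dir
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; inblk = 1
                                    out = sprintf("%s/cert-%02d.pem", dir, n) }
    inblk { print > out }
    /-----END CERTIFICATE-----/   { inblk = 0; close(out) }
  ' "$1"
  find "$2" -name 'cert-*.pem' | wc -l | tr -d ' '
}

# SHA-256 fingerprint of one PEM certificate in the colon-separated form that
# keytool prints at import time ("Certificate fingerprints: SHA256: ..."),
# computed over the DER bytes with coreutils only. Compare it with a value you
# obtained out of band before answering "Trust this certificate?".
pem_fingerprint() {                 # $1 = PEM file
  sed -e '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/!d' \
      -e '/CERTIFICATE-----/d' "$1" | base64 -d | sha256sum | cut -d' ' -f1 \
    | tr 'a-f' 'A-F' | sed -e 's/../&:/g' -e 's/:$//'
}

# Fetch a server's chain (with SNI) and show, per level, who it is and who
# issued it: importing the leaf pins exactly this host until it rotates;
# importing the issuing CA survives renewals but trusts everything it signs.
inspect_chain() {                   # $1 = host name
  local dir; dir="$(mktemp -d)"
  printf '' | openssl s_client -connect "$1:443" -servername "$1" -showcerts \
    2>/dev/null > "$dir/s_client.out"
  local count; count="$(split_chain "$dir/s_client.out" "$dir")"
  local i=1 f
  for f in "$dir"/cert-*.pem; do
    echo "level $i of $count: $(openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' ')"
    echo "  SHA256 $(pem_fingerprint "$f")"
    i=$((i + 1))
  done
}

if [ "$#" -eq 1 ]; then inspect_chain "$1"; fi
```

Run it as `./inspect_chain.sh example.host` and the first level printed is the one the answer above imports; the sed range in the original script only ever captures that leaf, because s_client prints the rest of the chain only with -showcerts.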
