JKS certificate basics
What is a JKS certificate
Java KeyStore
Two kinds of JKS files
the truststore: contains the server certificate information (the certificates it will accept from clients), and
the keystore: manages the client certificate information (the certificates that will be provided to servers)
The truststore and keystore hold SSL certificate information, and are password protected.
Creating a JKS
$ keytool -keystore ${keystore} -alias myname -dname "${CN}" -validity 365 -genkey -keyalg RSA \
-keypass ${passvalue} -storepass ${passvalue}
This creates one default entry in the JKS; its alias is myname.
Alternatively, create the JKS file from an existing certificate:
$ keytool -keystore ${keystore} -alias myname -noprompt -import -file ca-cert.pem -storepass ${passvalue}
$ keytool -list -v -storepass ${passvalue} -keystore ${keystore}
Your keystore contains 1 entry
Alias name: myname
Creation date: Dec 14, 2018
Entry type: trustedCertEntry
Owner: CN=cn, O=mycomp, OU=myorg, C=cn
Issuer: CN=cn, O=mycomp, OU=myorg, C=cn
Serial number: c5660c43db84cf9a
This way the JKS gets no auto-created default entry; the certificate given with -file becomes its first entry.
Inspecting the contents of a JKS
$ keytool -list -v -storepass ${passvalue} -keystore ${keystore}
Your keystore contains 1 entry
Alias name: myname
Creation date: Dec 14, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=myname, OU=myorg, O=mycomp, C=cn
Issuer: CN=myname, OU=myorg, O=mycomp, C=cn
Serial number: 2c78a023
Valid from: Fri Dec 14 10:37:24 CST 2018 until: Sat Dec 14 10:37:24 CST 2019
Certificate fingerprints:
MD5: B2:5E:A2:0E:36:CB:97:FA:C6:68:BF:34:CA:05:27:8F
SHA1: 2B:C4:3F:5D:74:FE:85:CD:85:8C:DD:A8:9F:A9:45:4F:6D:AE:C9:84
SHA256: 6D:CB:58:46:49:88:EA:FA:A9:C3:79:FA:9A:C5:6C:DD:F7:A0:3F:B7:40:41:A5:A6:17:56:FF:78:67:FA:7D:CC
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
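The listing above is keytool's rendering of the JKS container. What follows is an added example written for this page, not code from the original post or from the JDK: a stdlib-only Python reader for the JKS binary layout that reproduces the alias, entry type, creation date and SHA-256 fingerprint fields of keytool -list -v, and recomputes the integrity digest that the store password protects. It builds its own two-entry sample store from constructed placeholder bytes (not real DER certificates or keys), so it runs offline. The point it makes concrete for a defender: the store password only keys a SHA-1 integrity digest over the whole file; aliases and certificates are stored in clear and can be listed without the password, while any modification of a certificate breaks the digest check.

```python
"""Stdlib-only reader for the JKS (Java KeyStore) container that keytool writes.

Added example, not code from the original post. Layout: magic 0xFEEDFEED, version 2,
entry count, entries (tag 1 = PrivateKeyEntry, tag 2 = trustedCertEntry), then a 20-byte
SHA-1 digest keyed with the store password. Certificate and key bytes used below are
constructed placeholders, not real DER; X.509 parsing is out of scope here.
"""
import hashlib
import hmac
import struct
from datetime import datetime, timezone

MAGIC, VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2
INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed string JavaKeyStore mixes into the digest

def _keyed_sha1(password):
    """SHA-1 pre-keyed the way JavaKeyStore does: UTF-16BE password, then the salt."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(INTEGRITY_SALT)
    return md

def _utf(s):
    """DataOutputStream.writeUTF: 2-byte big-endian length followed by UTF-8."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def build_jks(entries, password):
    """Serialise entries and append the integrity digest (used to construct sample input)."""
    out = bytearray(struct.pack(">III", MAGIC, VERSION, len(entries)))
    for e in entries:
        out += struct.pack(">I", e["tag"]) + _utf(e["alias"]) + struct.pack(">Q", e["created_ms"])
        if e["tag"] == TAG_PRIVATE_KEY:
            out += struct.pack(">I", len(e["protected_key"])) + e["protected_key"]
            out += struct.pack(">I", len(e["chain"]))
            for der in e["chain"]:
                out += _utf("X.509") + struct.pack(">I", len(der)) + der
        else:
            out += _utf("X.509") + struct.pack(">I", len(e["cert"])) + e["cert"]
    md = _keyed_sha1(password)
    md.update(out)
    return bytes(out) + md.digest()

class _Reader:
    """Cursor over the blob that refuses to read past its end."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def utf(self): return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")

def parse_jks(data):
    """Walk the entries without a password; returns (entries, offset of the trailing digest)."""
    r = _Reader(data)
    if r.u32() != MAGIC or r.u32() != VERSION:
        raise ValueError("not a version-2 JKS file")
    entries = []
    for _ in range(r.u32()):
        tag, alias = r.u32(), r.utf()
        entry = {"alias": alias, "created": datetime.fromtimestamp(r.u64() / 1000, tz=timezone.utc)}
        if tag == TAG_PRIVATE_KEY:
            protected_key = r.take(r.u32())  # EncryptedPrivateKeyInfo; left opaque here
            chain = []
            for _ in range(r.u32()):
                r.utf()  # certificate type string, "X.509" from keytool
                chain.append(r.take(r.u32()))
            entry.update(type="PrivateKeyEntry", protected_key_len=len(protected_key),
                         chain_sha256=[hashlib.sha256(c).hexdigest() for c in chain])
        elif tag == TAG_TRUSTED_CERT:
            r.utf()
            entry.update(type="trustedCertEntry", sha256=hashlib.sha256(r.take(r.u32())).hexdigest())
        else:
            raise ValueError("unknown entry tag %d" % tag)
        entries.append(entry)
    return entries, r.pos

def verify_integrity(data, password):
    """True iff the trailing digest matches the body under this store password."""
    _, body_len = parse_jks(data)
    md = _keyed_sha1(password)
    md.update(data[:body_len])
    return hmac.compare_digest(md.digest(), data[body_len:body_len + 20])

def sample_store(password="changeit"):
    """Constructed two-entry store shaped like the keytool -list output in the post."""
    created_ms = 1544745600000  # 2018-12-14T00:00:00Z, constructed
    return build_jks([
        {"tag": TAG_PRIVATE_KEY, "alias": "myname", "created_ms": created_ms,
         "protected_key": b"CONSTRUCTED-ENCRYPTED-KEY-NOT-DER",
         "chain": [b"CONSTRUCTED-LEAF-CERT-NOT-DER"]},
        {"tag": TAG_TRUSTED_CERT, "alias": "myname2", "created_ms": created_ms,
         "cert": b"CONSTRUCTED-CA-CERT-NOT-DER"},
    ], password)
```

Call parse_jks(sample_store()) to get the same alias / entry type / creation date / fingerprint information that keytool -list -v prints, and verify_integrity(store, password) to reproduce the check keytool performs with -storepass. The private-key entry's EncryptedPrivateKeyInfo blob is protected by the separate -keypass and is deliberately left opaque; the example only reports its length.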
Importing a certificate into a JKS
Add a certificate to an existing JKS file.
$ keytool -keystore ${keystore} -alias myname2 -import -file ca-cert.pem -noprompt -storepass ${passvalue}
Your keystore contains 2 entries
Alias name: myname
Creation date: Dec 14, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=myname, OU=myorg, O=mycomp, C=cn
Issuer: CN=myname, OU=myorg, O=mycomp, C=cn
Serial number: 3069ae73
Valid from: Fri Dec 14 10:40:00 CST 2018 until: Sat Dec 14 10:40:00 CST 2019
Alias name: myname2
Creation date: Dec 14, 2018
Entry type: trustedCertEntry
Owner: CN=cn, O=mycomp, OU=myorg, C=cn
Issuer: CN=cn, O=mycomp, OU=myorg, C=cn
Serial number: a4d4cd36ad7f538c
Valid from: Fri Dec 14 10:34:51 CST 2018 until: Sat Dec 14 10:34:51 CST 2019
If -noprompt is omitted, keytool prompts: Trust this certificate? [no]
Answer no and the certificate is not added to the JKS, i.e. the import is abandoned.
Answer yes and it is imported, exactly as with -noprompt.
Note that this import brings in only the certificate itself, never a private key. In effect it is an import for a truststore, which holds no private keys. To get a private key into a keystore, first convert the PEM certificate together with its private key into a PKCS#12 (P12) file, then import that P12 file into the keystore.
Exporting a certificate from a JKS
$ keytool -export -alias myname -file export.der -keystore ${keystore} -storepass ${passvalue}
Note that the exported file export.der is in DER format; to get PEM, convert it with openssl:
$ openssl x509 -inform der -in export.der -out export.pem
To export the certificate directly in PEM format:
$ keytool -export -alias myname -rfc -file export.pem -keystore ${keystore} -storepass ${passvalue}
export.pem is now a PEM-format certificate file.