I have a Tomcat server with a certificate chain for HTTPS stored in a Java keystore. The chain includes the self-signed root CA certificate. Although this is apparently okay by the TLS spec, some validation services warn about it, and it's probably better to leave it off.
How can I edit the keystore to remove just the self-signed root CA certificate, but leave the rest of the chain and the private key intact?
Solution
First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):
keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12
Next, export a PEM file with key and certs from the PKCS12 file:
openssl pkcs12 -in old.p12 -out pemfile.pem -nodes
Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes").
Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, e.g. "tomcat", at this point.
openssl pkcs12 -export -in pemfile.pem -name tomcat -out new.p12
Finally, convert back from PKCS12 to JKS:
keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12
The file new.jks is what you want.
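The "edit pemfile.pem by hand" step can be automated. The following Python script is an added example, not part of the answer above: it splits the `openssl pkcs12 -nodes` output into entries (each entry being the Bag Attributes, subject= and issuer= lines plus the PEM object they precede) and drops every certificate whose subject equals its issuer, which is what makes the root self-signed, while keeping the private key, the leaf and any intermediates with their attributes intact. It assumes openssl prints a `subject=`/`issuer=` header pair before each certificate, as current versions do; the embedded bundle is a constructed sample with placeholder base64 bodies.

```python
import re
# Constructed sample of what `openssl pkcs12 -nodes` prints: the private key,
# then leaf, intermediate and self-signed root. Base64 bodies are placeholders.
SAMPLE_PEM = """Bag Attributes
    friendlyName: tomcat
-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVItS0VZ
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: tomcat
subject=CN = www.example.test
issuer=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRg==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Intermediate CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItSU5URVJNRURJQVRF
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Root CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItUk9PVA==
-----END CERTIFICATE-----
"""
_HEADER = re.compile(r"^(subject|issuer)=(.*)$", re.MULTILINE)
def split_entries(pem_text):
    # One entry = the attribute lines preceding a PEM object, plus the object.
    entries, current = [], []
    for line in pem_text.splitlines(keepends=True):
        current.append(line)
        if line.startswith("-----END "):
            entries.append("".join(current))
            current = []
    return entries
def is_self_signed_cert(entry):
    # A root names itself as issuer; entries lacking either header are kept so
    # an unexpected format never silently drops part of the chain.
    if "-----BEGIN CERTIFICATE-----" not in entry:
        return False
    names = dict(_HEADER.findall(entry))
    subj, iss = names.get("subject"), names.get("issuer")
    return bool(subj and iss and subj.strip() == iss.strip())
def drop_self_signed_roots(pem_text):
    # Key, leaf and intermediates survive with their Bag Attributes intact.
    return "".join(e for e in split_entries(pem_text) if not is_self_signed_cert(e))
```

Run it over the real pemfile.pem (e.g. `drop_self_signed_roots(open("pemfile.pem").read())`) and write the result to the file you pass to `openssl pkcs12 -export`; still eyeball the output once, since a cross-signed root or an unusual header format would not match the subject==issuer rule.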