Converting a JKS certificate to a base64 (PEM) key-format certificate


I recently found that the SSL certificate the company applied for earlier is a private key in the JKS format used by Tomcat, but now I need to deploy it on nginx, so I have to convert the JKS keystore into a base64 (PEM) private key.

Some material I found online:

JKS (Java KeyStore) is Java's certificate repository, holding items such as CA certificates and public-key certificates. The JDK ships a tool, keytool, for managing a keystore. The conversion steps:

1. Export to PKCS12 format with keytool:

2. Generate a PEM bundle (containing the key, the server certificate and the CA certificate):

3. Export the key on its own:

4. Export the server certificate on its own:

5. Export the CA certificate on its own:

Fine, I only need to extract the private key; I already have the other certificates in PEM form:

1. Convert to p12 first. This step appeared to succeed.

2. Convert from p12 to key. This step failed.

I got stuck here and kept googling, until I found that someone abroad had hit a similar problem and had written up a few thoughts:

When I was trying to export my private key from the KeyStore file, I encountered a file password issue, which is worth mentioning here.

See the OpenSSL error message displayed below:

So what's wrong with the PKCS12 file, Test.p12? Why can OpenSSL not decrypt my private key from Test.p12? Here is what I think:

  • In the original KeyStore file, Herong.jks, there are 2 separate passwords used: a. Key password, "HerongJKS", used to encrypt my private key; b. File password, "HerongJKS", used to encrypt the entire KeyStore file.
  • In my "keytool -importkeystore" command, I did not specify the source key password. But "keytool" is smart enough to use the source file password to decrypt the private key.
  • Also in my "keytool -importkeystore" command, I did not specify the destination key password. But "keytool" is stupid enough to reuse the source key password as the destination key password. "keytool" generates the destination PKCS12 file, Test.p12, with 2 different passwords: a. Key password, "HerongJKS", used to encrypt my private key; b. File password, "TestP12", used to encrypt the entire PKCS12 file.
  • When I executed the OpenSSL "pkcs12" command, I only specified the PKCS12 file password, "TestP12". There is no option for me to specify the key password, which is different from the file password. This is causing the "pkcs12" command to fail.

Obviously, to avoid this problem, you have to set the key password and the file password to the same value with "keytool". See tutorials in previous sections on how to do this.

Original link: http://www.herongyang.com/PKI/Intermediate-CA-OpenSSL-pkcs12-Decrypt-Error.html

Going by the possible causes he lists, the problem appears to be how keytool handles the password parameters, so changing to the following parameters was enough:

1. Convert to p12 first

2. Convert from p12 to key. No error this time.
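The same two steps as a script, added here as an example and not the commands from the post: the PKCS12 store password and key password are both set from one value (`-deststorepass` and `-destkeypass`), which is the condition `openssl pkcs12` needs, and it goes one step beyond the post by checking that the exported key matches the exported certificate before handing the pair to nginx. The alias, file names and passwords are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not the original post's commands): export the private key
# from a JKS keystore as an unencrypted PEM key for nginx.
# The fix the post describes is applied explicitly: the PKCS12 store password
# and key password are both set from one value (-deststorepass/-destkeypass),
# because `openssl pkcs12` has no separate option for a key password.
# Alias, file names and passwords are placeholders supplied by the caller.
set -eu

# $1 source JKS  $2 alias (see `keytool -list -keystore x.jks`)
# $3 JKS store password  $4 JKS key password  $5 output PKCS12  $6 PKCS12 password
jks_to_p12() {
  keytool -importkeystore \
    -srckeystore "$1" -srcstoretype JKS -srcalias "$2" \
    -srcstorepass "$3" -srckeypass "$4" \
    -destkeystore "$5" -deststoretype PKCS12 \
    -deststorepass "$6" -destkeypass "$6" -noprompt
}

# $1 PKCS12  $2 PKCS12 password  $3 output dir; writes key.pem and cert.pem
p12_to_pem() {
  # -nodes: write the key unencrypted, as nginx's ssl_certificate_key expects
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/key.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/cert.pem"
  chmod 600 "$3/key.pem"
}

# $1 JKS  $2 alias  $3 store pass  $4 key pass  $5 output dir
# Chains the two steps, removes the intermediate PKCS12 file, and checks that
# key.pem and cert.pem carry the same public key. Returns non-zero on failure.
jks_to_pem() {
  p12="$5/bundle.p12"
  p12pass=$(openssl rand -hex 16)   # throwaway password for the intermediate file
  jks_to_p12 "$1" "$2" "$3" "$4" "$p12" "$p12pass" >/dev/null
  p12_to_pem "$p12" "$p12pass" "$5"
  rm -f "$p12"
  keypub=$(openssl pkey -in "$5/key.pem" -pubout -outform DER | openssl sha256)
  certpub=$(openssl x509 -in "$5/cert.pem" -pubkey -noout \
            | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$keypub" = "$certpub" ]
}
```

Usage: `jks_to_pem server.jks tomcat <storepass> <keypass> /etc/nginx/ssl`, then point `ssl_certificate` at cert.pem and `ssl_certificate_key` at key.pem.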

 
