I have a keystore file on a server that backs Tomcat TLS/HTTPS for a Java web app. The keystore holds 3 certificates: the end-entity certificate (tomcat), the intermediate CA certificate (my_ssl_ca_v2_b) and the root CA certificate (my_root_ca). Here is the list of certificates in the keystore.
C:\Program Files\Java\jre1.8.0_144\bin>keytool.exe -list -keystore C:\mycert\my.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
tomcat, Oct 10, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3C:15:E8:D0:46:A8:8D:1F:93:52:9D:54:35:48:69:71:ED:49:44:65
my_ssl_ca_v2_b, Oct 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 0C:C3:60:CB:C6:91:0A:90:E4:0G:91:BE:3B:A6:D7:5B:C3:7B:8A:0F
my_root_ca, Oct 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 6C:23:89:FA:A8:E5:7D:E1:45:BE:75:84:15:E8:D8:41:73:59:FD:19
It has worked fine all along. But a few days ago the intermediate CA certificate in the file (my_ssl_ca_v2_b) expired. I have since obtained the newly renewed intermediate CA certificate. The question now is: how do I replace the expired intermediate CA certificate in the keystore with this new one? I know I can use the keytool -delete and -import options to delete and re-import the intermediate CA my_ssl_ca_v2_b. But how do I replace the intermediate CA certificate (Certificate[2]) inside the PrivateKeyEntry (alias tomcat) in the keystore, shown below?
Alias name: tomcat
Creation date: Oct 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
...
...
Certificate[2]:
Owner: CN=My SSL CA v2 - A, O=eBay Inc, C=US
Issuer: CN=My Root CA, O=eBay Inc, C=us
Serial number: 6800000004b4491dd58df45b9b000000000004
Valid from: Wed Oct 14 18:35:33 UTC 2015 until: Wed Oct 14 18:45:33 UTC 2020
...
...
Certificate[3]:
Owner: CN=My Root CA, O=eBay Inc, C=us
Issuer: CN=My Root CA, O=eBay Inc, C=us
Serial number: 4500888247008e884cd02d71a035810e
...
It seems I cannot use keytool -delete and -import to delete and re-import the alias tomcat, because then alias tomcat becomes a trustedCertEntry instead of the original PrivateKeyEntry. Could someone walk me through the specific steps for replacing the intermediate CA certificate in the keystore? Thank you!!
Solved: This isn't really a programming or development question, even though you use the result on tomcat, and may get closed. You need to create a file containing the whole chain -- end-entity, intermediate and root certs, in that order, in PEM. If you don't already have the EE cert in PEM you can extract it with keytool -export[cert] -keystore ksfile -alias tomcat -rfc -file eecert. Obviously you have the new intermediate cert that you just got, and if you don't have the root already (and it didn't change) export that also. You can combine the files with cat a b c >d on Unix or COPY a+b+c d on Windows, or use any text editor you like. Then import it to the privatekey entry like keytool -import[cert] -keystore ksfile -alias tomcat -file chainfile.
keytool -exportcert -keystore C:\temps\Cert\ebay.keystore -alias tomcat -rfc -file C:\temps\Cert\eecert.cer
keytool -importcert -keystore C:\temps\Cert\ebay.keystore -alias tomcat -file C:\temps\Cert\chainfile.txt
ref:
https://blog.csdn.net/zlfing/article/details/77648430
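The procedure the answer describes, as an added example that is not part of the original post and not keytool's own documentation: a POSIX shell script that exports the end-entity certificate from the private-key alias, assembles the chain file in the stated order (end-entity, intermediate, root), checks the issuer/subject linkage and expiry of each certificate with openssl when openssl is installed, and imports the file back under the same alias so the entry stays a PrivateKeyEntry. The keystore path, store password and the file names `new_intermediate.pem`, `root.pem`, `ee.pem` and `chain.pem` are assumptions; the alias `tomcat` is the one from the question.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the certificate chain of a
# PrivateKeyEntry after the intermediate CA certificate was renewed.
# Assumed (hypothetical) inputs: my.keystore, alias tomcat, store password
# changeit, new_intermediate.pem and root.pem in PEM form.
set -eu

# Number of PEM certificate blocks in a file (0 if none).
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# assemble_chain OUT EE INTERMEDIATE... ROOT
# Concatenates the PEM blocks in the order given: end-entity first, root last.
# Each input must contain exactly one certificate; any text openssl or keytool
# printed around the block is dropped. Writes nothing and fails on a violation.
# Prints the number of certificates written.
assemble_chain() {
    out=$1; shift
    [ "$#" -ge 2 ] || { echo "assemble_chain: need end-entity, intermediate(s) and root" >&2; return 1; }
    tmp=$(mktemp)
    for f in "$@"; do
        [ -f "$f" ] || { echo "assemble_chain: $f not found" >&2; rm -f "$tmp"; return 1; }
        n=$(pem_count "$f")
        if [ "$n" -ne 1 ]; then
            echo "assemble_chain: expected exactly one certificate in $f, found $n" >&2
            rm -f "$tmp"; return 1
        fi
        sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$f" >> "$tmp"
    done
    mv "$tmp" "$out"
    pem_count "$out"
}

# check_chain_order CHAIN
# Verifies with openssl that no certificate has expired (the failure that
# prompted the question) and that each certificate's issuer is the subject of
# the next one. Returns 2 (skipped) when openssl is not installed.
check_chain_order() {
    chain=$1
    command -v openssl >/dev/null 2>&1 || { echo "check_chain_order: openssl not found, skipping" >&2; return 2; }
    d=$(mktemp -d)
    # split the chain into 1.pem, 2.pem, ... preserving order
    awk -v dir="$d" '/^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" } n { print > f }' "$chain"
    n=$(pem_count "$chain")
    i=1
    while [ "$i" -le "$n" ]; do
        if ! openssl x509 -in "$d/$i.pem" -noout -checkend 0 >/dev/null; then
            echo "check_chain_order: certificate $i in $chain has expired" >&2
            rm -rf "$d"; return 1
        fi
        if [ "$i" -lt "$n" ]; then
            issuer=$(openssl x509 -in "$d/$i.pem" -noout -issuer | sed 's/^issuer=//')
            subject=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
            if [ "$issuer" != "$subject" ]; then
                echo "check_chain_order: certificate $i is not issued by certificate $((i + 1)) ($issuer vs $subject)" >&2
                rm -rf "$d"; return 1
            fi
        fi
        i=$((i + 1))
    done
    rm -rf "$d"
}

# replace_chain KEYSTORE ALIAS STOREPASS INTERMEDIATE... ROOT
# The end-entity certificate is exported from the alias (-rfc gives PEM), the
# chain file is built and checked, then imported under the same alias. Because
# the alias already holds a PrivateKeyEntry and the first certificate matches
# its key, keytool treats the file as a certificate reply and only replaces the
# chain; the private key stays in place.
replace_chain() {
    ks=$1; alias=$2; storepass=$3; shift 3
    keytool -exportcert -rfc -keystore "$ks" -storepass "$storepass" -alias "$alias" -file ee.pem
    assemble_chain chain.pem ee.pem "$@" >/dev/null
    check_chain_order chain.pem || [ $? -eq 2 ]
    keytool -importcert -noprompt -keystore "$ks" -storepass "$storepass" -alias "$alias" -file chain.pem
    # show the new validity of every certificate in the rebuilt chain
    keytool -list -v -keystore "$ks" -storepass "$storepass" -alias "$alias" | grep -E 'Certificate\[|Valid from'
}

# Usage: sh replace_chain.sh my.keystore tomcat changeit new_intermediate.pem root.pem
if [ "$#" -ge 5 ]; then
    replace_chain "$@"
fi
```

After the import, the separate trustedCertEntry my_ssl_ca_v2_b still holds the expired certificate and is replaced with `-delete` followed by `-importcert` under the same alias, and Tomcat has to be restarted to load the changed keystore. Passing `-storepass` on the command line exposes the password to other local users via the process list; on a shared host let keytool prompt for it instead.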
