
1. Importing a PEM-format key file into a keystore

Excerpted for later reference: http://www.agentbob.info/agentbob/79-AB.html

Note: from my own test, a certificate's PEM file can be imported directly into the keystore with keytool.

Apache Tomcat and many other Java applications expect to retrieve SSL/TLS certificates from a Java Key Store (JKS). Java Virtual Machines usually come with keytool to help you create a new key store.

Keytool helps you to:

  • create a new JKS with a new private key
  • generate a Certificate Signing Request (CSR) for the private key in this JKS
  • import a certificate that you received for this CSR into your JKS

Keytool does not let you import an existing private key for which you already have a certificate, so you need to do this yourself. Here's how:

Let's assume you have a private key (key.pem) and a certificate (cert.pem), both in PEM format as the file names suggest.

PEM format is 'kind of human-readable' and looks, for example, like this:

-----BEGIN CERTIFICATE-----
Ulv6GtdFbjzLeqlkelqwewlq822OrEPdH+zxKUkKGX/eN
.
. (snip)
.
9801asds3BCfu52dm7JHzPAOqWKaEwIgymlk=
-----END CERTIFICATE-----

Convert both the key and the certificate into DER format using openssl:

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

Now comes the tricky bit: you need something to import these files into the JKS. ImportKey will do this for you. Get the ImportKey.java source or the compiled (Java 1.5) ImportKey.class and run it like

user@host:~$ java ImportKey key.der cert.der
Using keystore-file : /home/user/keystore.ImportKey
One certificate, no chain.
Key and certificate stored.
Alias:importkey Password:importkey

Now we have a proper JKS containing our private key and certificate in a file called keystore.ImportKey, using 'importkey' as alias and also as password. For any further changes, like changing the password, we can use keytool.
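The source of ImportKey.java is not reproduced above. The following is an added example, not the original ImportKey and not part of the linked page, that does the same job with nothing but the JDK: it reads the PKCS#8 DER key and the DER certificate produced by the two openssl commands, checks that the private key actually belongs to the certificate before writing anything, and stores both under an alias of your choice. The class name, the argument order and the console password prompt are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collection;

/**
 * Added example (not the ImportKey.java linked above): imports a PKCS#8 DER
 * private key plus a DER certificate (or a PEM chain) into a JKS keystore.
 *
 * Usage (file names and alias are hypothetical arguments):
 *   java ImportKeyExample key.der cert.der keystore.jks myalias
 * The keystore password is read from the console so that it does not end up
 * in shell history or in process listings.
 */
public class ImportKeyExample {

    // The PKCS#8 blob carries the algorithm OID; the matching KeyFactory
    // accepts it and the others reject it with InvalidKeySpecException.
    static PrivateKey loadPkcs8(byte[] der) throws Exception {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
        for (String alg : new String[] {"RSA", "EC", "DSA"}) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                // not this algorithm, try the next one
            }
        }
        throw new InvalidKeySpecException("key file is not an RSA, EC or DSA PKCS#8 key");
    }

    // Sign a constructed probe with the private key and verify it with the
    // certificate's public key. A mismatched pair loads fine into a keystore
    // but fails later at the TLS handshake, so catch it here.
    static boolean keyMatchesCertificate(PrivateKey priv, Certificate cert) throws Exception {
        String sigAlg;
        switch (priv.getAlgorithm()) {
            case "RSA": sigAlg = "SHA256withRSA";   break;
            case "EC":  sigAlg = "SHA256withECDSA"; break;
            case "DSA": sigAlg = "SHA256withDSA";   break;
            default:    return false;
        }
        byte[] probe = "key/cert consistency probe".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(priv);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java ImportKeyExample <key.der> <cert.der> <keystore.jks> <alias>");
            System.exit(2);
        }
        String keyFile = args[0], certFile = args[1], ksFile = args[2], alias = args[3];
        if (System.console() == null) {
            throw new IllegalStateException("run from a terminal so the password can be prompted for");
        }
        char[] password = System.console().readPassword("Keystore password: ");

        PrivateKey priv = loadPkcs8(Files.readAllBytes(Paths.get(keyFile)));

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> chain;
        try (InputStream in = new FileInputStream(certFile)) {
            chain = cf.generateCertificates(in);   // one DER cert or a PEM chain
        }
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("no certificate found in " + certFile);
        }
        Certificate[] chainArray = chain.toArray(new Certificate[0]);

        if (!keyMatchesCertificate(priv, chainArray[0])) {
            throw new IllegalArgumentException("private key does not match the end-entity certificate");
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                       // start from an empty keystore
        ks.setKeyEntry(alias, priv, password, chainArray);
        try (OutputStream out = new FileOutputStream(ksFile)) {
            ks.store(out, password);
        }
        System.out.println("Stored key and " + chainArray.length
                + " certificate(s) under alias '" + alias + "' in " + ksFile);
    }
}
```

Whichever importer you use, the keystore and key passwords can be changed afterwards with keytool -storepasswd and keytool -keypasswd; the fixed 'importkey' password the original tool writes is best treated as a temporary one. On JDK 6 and later the same result is also reachable without custom code: bundle key.pem and cert.pem into a PKCS#12 file with openssl pkcs12 -export and import that with keytool -importkeystore -srcstoretype PKCS12.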



2. Exporting the private key as a PEM file (keytool cannot export private keys by default)

import java.io.File;
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Base64;

class ExportPriv {

    public static void main(String args[]) throws Exception {
        ExportPriv myep = new ExportPriv();
        myep.doit();
    }

    public void doit() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        String fileName = "store.jks";                 // keystore to read (edit to match yours)
        char[] passPhrase = "password".toCharArray();  // keystore/key password (edit to match yours)

        // PEM bodies are Base64 in 64-character lines. java.util.Base64 replaces the
        // non-public sun.misc.BASE64Encoder, which later JDKs no longer ship.
        Base64.Encoder myB64 = Base64.getMimeEncoder(64, "\n".getBytes());

        File certificateFile = new File(fileName);
        try (FileInputStream in = new FileInputStream(certificateFile)) {
            ks.load(in, passPhrase);
        }

        KeyPair kp = getPrivateKey(ks, "alias", passPhrase);  // entry alias (edit to match yours)
        if (kp == null) {
            throw new IllegalStateException("no private key entry found under that alias");
        }
        PrivateKey privKey = kp.getPrivate();

        // getEncoded() returns the PKCS#8 DER encoding, which is what the
        // "PRIVATE KEY" PEM label denotes.
        String b64 = myB64.encodeToString(privKey.getEncoded());

        System.out.println("-----BEGIN PRIVATE KEY-----");
        System.out.println(b64);
        System.out.println("-----END PRIVATE KEY-----");
    }

    // From http://javaalmanac.com/egs/java.security/GetKeyFromKs.html
    // Exceptions are propagated instead of being swallowed, so a wrong
    // password or alias is reported rather than silently yielding null.
    public KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password) throws Exception {
        // Get private key
        Key key = keystore.getKey(alias, password);
        if (key instanceof PrivateKey) {
            // Get certificate of public key
            Certificate cert = keystore.getCertificate(alias);
            // Get public key
            PublicKey publicKey = cert.getPublicKey();
            // Return a key pair
            return new KeyPair(publicKey, (PrivateKey) key);
        }
        return null;
    }
}
 

posted on 2008-04-17 16:27 by liunix, read 7987 times, 0 comments
