1. Importing a PEM-format key file into a keystore
Excerpted for reference from: http://www.agentbob.info/agentbob/79-AB.html
Note: from my testing, the certificate's PEM file can be imported directly into the keystore with keytool.
Apache Tomcat and many other Java applications expect to retrieve SSL/TLS
certificates from a Java Key Store (JKS). Java Virtual Machines usually come
with keytool to help you create a new key store.
Keytool helps you to:
- create a new JKS with a new private key
- generate a Certificate Signing Request (CSR) for the private key in this JKS
- import a certificate that you received for this CSR into your JKS
Keytool does not let you import an existing private key for which you already
have a certificate, so you need to do this yourself. Here's how:
Let's assume you have a private key (key.pem) and a certificate (cert.pem),
both in PEM format as the file names suggest.
PEM format is 'kind-of-human-readable' and looks like e.g.
-----BEGIN CERTIFICATE-----
Ulv6GtdFbjzLeqlkelqwewlq822OrEPdH+zxKUkKGX/eN
.
. (snip)
.
9801asds3BCfu52dm7JHzPAOqWKaEwIgymlk=
-----END CERTIFICATE-----
Convert both the key and the certificate into DER format using openssl:
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
Now comes the tricky bit: you need something to import these files into the
JKS. ImportKey will do this for you; get the ImportKey.java source or the
compiled (Java 1.5!) ImportKey.class and run it like:
user@host:~$ java ImportKey key.der cert.der
Using keystore-file : /home/user/keystore.ImportKey
One certificate, no chain.
Key and certificate stored.
Alias:importkey Password:importkey
Now we have a proper JKS containing our private key and certificate in a file
called keystore.ImportKey, using 'importkey' as alias and also as password. For
any further changes, such as replacing that default password, we can use keytool.
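The post links to ImportKey but does not show its source. The following is an added example of my own (not the original ImportKey and not part of the post) that does the same job with standard JDK APIs: it reads the key.der and cert.der produced by the openssl commands above, checks that the key actually belongs to the certificate before storing anything, and writes both into a new JKS. The alias, the output file name and the KEYSTORE_PASS environment variable are this example's own assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.*;

// Stand-in for the ImportKey tool the post links to (this example's own code, not that tool):
// reads a PKCS#8 DER key and a DER certificate/chain, checks they belong together, and writes
// a fresh JKS. Alias, file names and the KEYSTORE_PASS variable are this example's conventions.
public class ImportKeyExample {
    static PrivateKey loadPkcs8(byte[] der) throws GeneralSecurityException {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
        // PKCS#8 carries the algorithm OID, but KeyFactory wants a name, so try the common ones
        for (String alg : new String[] {"RSA", "EC"}) {
            try { return KeyFactory.getInstance(alg).generatePrivate(spec); }
            catch (InvalidKeySpecException ignored) { }
        }
        throw new GeneralSecurityException("unsupported key algorithm");
    }
    // Sign-and-verify round trip so a key that does not match the certificate is never stored
    static boolean keyMatchesCert(PrivateKey key, Certificate cert) throws GeneralSecurityException {
        Signature s = Signature.getInstance("EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA");
        byte[] probe = "probe".getBytes();
        s.initSign(key); s.update(probe);
        byte[] sig = s.sign();
        s.initVerify(cert.getPublicKey()); s.update(probe);
        return s.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        // Password from the environment rather than argv, so it does not appear in process listings
        String pw = System.getenv("KEYSTORE_PASS");
        if (pw == null || pw.isEmpty()) throw new IllegalStateException("KEYSTORE_PASS is not set");
        PrivateKey key = loadPkcs8(Files.readAllBytes(Paths.get(args[0])));
        Certificate[] chain;
        try (InputStream in = new FileInputStream(args[1])) {
            chain = CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new Certificate[0]);
        }
        if (chain.length == 0 || !keyMatchesCert(key, chain[0]))
            throw new IllegalArgumentException("certificate does not match the private key");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                                  // start from an empty store
        ks.setKeyEntry(args[3], key, pw.toCharArray(), chain);
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, pw.toCharArray());
        }
        System.out.println("Stored " + chain.length + " certificate(s) under alias " + args[3]);
    }
}
```

Run it as KEYSTORE_PASS=yourpassword java ImportKeyExample key.der cert.der keystore.jks mykey; the resulting store can then be inspected with keytool -list.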
2. Exporting the private key to a PEM file (by default keytool cannot export private keys)
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Base64;

class ExportPriv {
    public static void main(String args[]) throws Exception {
        ExportPriv myep = new ExportPriv();
        myep.doit();
    }

    public void doit() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        String fileName = "store.jks";
        char[] passPhrase = "password".toCharArray();
        File certificateFile = new File(fileName);
        // try-with-resources so the stream is closed even if load() fails
        try (InputStream in = new FileInputStream(certificateFile)) {
            ks.load(in, passPhrase);
        }
        // The same password is used for the store and the key entry here;
        // a key entry may have its own password, in which case getKey() needs that one.
        KeyPair kp = getPrivateKey(ks, "alias", passPhrase);
        if (kp == null) {
            throw new IllegalStateException("no private key found under alias \"alias\"");
        }
        PrivateKey privKey = kp.getPrivate();
        // getEncoded() returns PKCS#8 DER; Base64 in 64-column lines is the PEM layout.
        // (sun.misc.BASE64Encoder was internal API and no longer exists since Java 9.)
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(privKey.getEncoded());
        System.out.println("-----BEGIN PRIVATE KEY-----");
        System.out.println(b64);
        System.out.println("-----END PRIVATE KEY-----");
    }

    // From http://javaalmanac.com/egs/java.security/GetKeyFromKs.html
    public KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password) {
        try {
            // Get private key
            Key key = keystore.getKey(alias, password);
            if (key instanceof PrivateKey) {
                // Get certificate of public key
                Certificate cert = keystore.getCertificate(alias);
                // Get public key
                PublicKey publicKey = cert.getPublicKey();
                // Return a key pair
                return new KeyPair(publicKey, (PrivateKey) key);
            }
        } catch (UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e) {
            // Report instead of silently swallowing, so a wrong password or missing alias is visible
            System.err.println("Could not read key \"" + alias + "\": " + e);
        }
        return null;
    }
}
posted on 2008-04-17 16:27
liunix, read 7983 times