问题描述
我正在尝试使用 SSL 配置 Tomcat 服务器.我已经生成了一个密钥对:
I'm trying to configure a Tomcat server with SSL. I've generated a keypair thus:
$ keytool -genkeypair -alias tomcat -keyalg RSA -keystore keys
接下来我生成一个证书签名请求:
Next I generate a certificate signing request:
$ keytool -certreq -keyalg RSA -alias tomcat -keystore keys -file tomcat.csr
然后我将 tomcat.csr
的内容复制粘贴到 Thawte 网站上的表格中,要求提供试用 SSL 证书.作为回报,我得到两个以 -----BEGIN ... -----END
分隔的证书,我保存在 tomcat.crt
和 thawte 下.crt
.(Thawte 将第二个证书称为Thawte 测试 CA 根"证书).
Then I copy-paste the contents of tomcat.csr
into a form on Thawte's website, asking for a trial SSL certificate. In return I get two certificates delimited with -----BEGIN ... -----END
, that I save under tomcat.crt
and thawte.crt
. (Thawte calls the second certificate a 'Thawte Test CA Root' certificate).
当我尝试导入其中任何一个时都失败了:
When I try to import either of them it fails:
$ keytool -importcert -alias tomcat -file tomcat.crt -keystore keys
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply
$ keytool -importcert -alias thawte -file thawtetest.crt -keystore keys
Enter keystore password:
keytool error: java.lang.Exception: Input not an X.509 certificate
向其中任何一个命令添加 -trustcacerts
选项也不会改变任何内容.
Adding the -trustcacerts
option to either of these commands doesn't change anything either.
知道我在这里做错了什么吗?
Any idea what I am doing wrong here?
推荐答案
我终于明白这里发生了什么.事实证明,我从 Thawte 得到的答复格式为 PKCS#7,而 keytool
期望以 X.509 格式进行认证.
I finally understood what was going on here. It turns out that the replies that I got from Thawte are formatted as PKCS#7, whereas keytool
expects certificated in the X.509 format.
openssl
可用于将证书从一种格式转换为另一种格式:
openssl
can be used to convert certificates from one format to another:
$ openssl pkcs7 -in thawtetest.crt -print_certs |
openssl x509 > thawtetest.x509
现在您可以使用 keytool 导入 thawtetest.x509
,并在其后面导入 tomcat.crt
.
Now you can import thawtetest.x509
with keytool, and tomcat.crt
right behind it.
这篇关于将 Thawte 试用证书导入 Java 密钥库的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!