Problem description

I have a CA issued CERT in PKCS#7 format. It has certificates (chained) within it. Keytool does not recognize the PKCS7 format. I have tried OpenSSL tool to convert PKCS7 format certificate to PEM format and it fails. I receive an error message "Unable to load PKCS7 object".

How do I import the PKCS7 cert chain to my JKS?

Recommended answer

As you can read in the keytool reference for -importcert command:

keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type.

Try to import the PKCS7 cert as it is.

Though, it doesn't always work. If you have problems, try to do the following (using OpenSSL):


  1. Print all the certs it contains to a PEM file

OpenSSL> pkcs7 -in initial_file.p7b -inform DER -print_certs -outform PEM -out certs_chain.pem

Open the new PEM file (certs_chain.pem) with an editor and delete everything outside -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- boundaries (keep only the encoded content within the boundaries, the certificates themselves) and save it.

Now, use certs_chain.pem as the cert_file.
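
The manual editing step in the answer above can be scripted. The following is an added example, not part of the original answer: it keeps only the certificate blocks from the `-print_certs` output and refuses to continue when no certificate came out. The function names, the sample text, and the keystore path and alias passed to `import_chain` are assumptions for illustration.

```shell
#!/bin/sh
# Keep only the PEM certificate blocks read from stdin; drops the
# "subject=" / "issuer=" lines and blank lines that -print_certs emits.
strip_to_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { inside = 1 }
         inside                          { print }
         /^-----END CERTIFICATE-----/   { inside = 0 }'
}

# Count the certificates in a PEM stream read from stdin (prints 0 if none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' || true
}

# Convert a DER-encoded PKCS#7 bundle ($1) into a clean PEM chain ($2) with
# the openssl command from the answer. Prints the number of certificates;
# returns non-zero if the result contains none (e.g. openssl could not load it).
p7b_to_pem_chain() {
    openssl pkcs7 -in "$1" -inform DER -print_certs -outform PEM \
        | strip_to_certs > "$2"
    n=$(count_certs < "$2")
    [ "$n" -gt 0 ] || { echo "no certificates found in $1" >&2; return 1; }
    echo "$n"
}

# Use the cleaned chain as keytool's cert_file.
# $2 (keystore path) and $3 (alias) are placeholders chosen by the caller.
import_chain() {
    keytool -importcert -file "$1" -keystore "$2" -alias "$3"
}

# Constructed sample of -print_certs output (certificate bodies are dummies).
sample_print_certs_output() {
    printf '%s\n' 'subject=/CN=leaf.example' 'issuer=/CN=Example CA' \
        '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' '' \
        'subject=/CN=Example CA' 'issuer=/CN=Example CA' \
        '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' ''
}

# Stand-alone demonstration on the constructed sample (no openssl needed).
echo "certificates kept: $(sample_print_certs_output | strip_to_certs | count_certs)"
```

Typical use is `p7b_to_pem_chain initial_file.p7b certs_chain.pem` followed by `import_chain certs_chain.pem` with your own keystore and alias.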
