Certificate: How do I create a certificate in a PKCS12 keystore with keytool?

I want to create a certificate into a PKCS12 keystore format with the keytool program.

The keystore has the extension .pfx.

How do I achieve this?

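If the keystore is of type PKCS12 (.pfx), you have to specify it with -storetype PKCS12 (line breaks added for readability):

keytool -genkey -alias <alias>
    -keystore <keystore.pfx>
    -storetype PKCS12
    -keyalg RSA
    -storepass <storepass>
    -validity 730
    -keysize 2048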
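
Additional answer to the key point of the question

For JDK 8 (1.8.0_121-b13), you do not get an exception if you remove -storetype pkcs12, but keytool creates a JKS keystore instead and the .pfx extension is ignored.

It also asks for -keypass mykeypassword, which PKCS12 does not support.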

%JAVA_HOME%/bin/keytool -genkeypair -alias mykey -keyalg EC -dname "cn=CN, ou=OU, o=O, c=C" -validity 365 -keystore keystore.pfx -keypass mykeypassword -storepass mystorepassword -v

(translated)
Generating keypair (Type EC, 256 Bit) and self-signed certificate (SHA256withECDSA) with a validity of 365 days
    for: CN=CN, OU=OU, O=O, C=C
[keystore.pfx saved]

List the contents:

%JAVA_HOME%/bin/keytool -list -keystore keystore.pfx -storepass mystorepassword 

(translated)
Keystore-Type: JKS
Keystore-Provider: SUN

Keystore contains 1 entry.

mykey, 25.04.2017, PrivateKeyEntry,
Certificate-Fingerprint (SHA1): A1:6C:5F:8F:43:37:1A:B6:43:69:08:DE:6B:B9:4D:DB:05:C9:D5:84

You see, it is a Java keystore.

The next problem is that keytool still shows the store as a JKS keystore even if you specify -storetype pkcs12 when you -list the keystore.

Let's try:

%JAVA_HOME%/bin/keytool -genkeypair -alias mykey -keyalg EC -dname "cn=CN, ou=OU, o=O, c=C" -validity 365 -storetype pkcs12 -keystore keystore.pkx -keypass mykeypassword -storepass mystorepassword -v

(translated)
Warning: No support for different keystore and key password for PKCS12 keystores. The value of -keypass will be ignored.
Generating keypair (Type EC, 256 Bit) and self signed certificate (SHA256withECDSA) with a validity of 365 Days
        für: CN=CN, OU=OU, O=O, C=C
[keystore.pkx saved]

Now list the contents:

%JAVA_HOME%/bin/keytool -list -keystore keystore.pkx -storepass mystorepassword

(translated)
Keystore-Type: JKS // ??
Keystore-Provider: SUN

Keystore contains 1 entry

mykey, 25.04.2017, PrivateKeyEntry,
Certificate Fingerprint (SHA1): EA:C2:36:C6:55:69:CB:32:22:C7:14:83:67:47:D2:7E:06:8E:13:14

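The key point of the question is that if the keystore has the extension .pfx, you must add the option -storetype PKCS12; without this option keytool throws an error. When using keytool -list, make sure to append -storetype PKCS12 to see Keystore type: PKCS12 in the result instead of Keystore type: JKS. See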
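
To check what keytool actually wrote, independent of the file extension and of the type that -list reports, the leading bytes of the file can be inspected. This is an added example, not part of the original answers; the function names and sample byte strings are constructed for illustration, and it relies on the JKS magic number 0xFEEDFEED, the JCEKS magic number 0xCECECECE, and a PKCS#12 file starting with an ASN.1 SEQUENCE whose first element is the INTEGER 3.

```python
import struct
import sys

JKS_MAGIC = 0xFEEDFEED    # first four bytes of a JKS keystore
JCEKS_MAGIC = 0xCECECECE  # first four bytes of a JCEKS keystore


def keystore_format(data: bytes) -> str:
    """Classify a keystore by its leading bytes; the file name is never consulted."""
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    # PKCS#12 is an ASN.1 PFX structure: SEQUENCE { version INTEGER 3, ... }
    if len(data) >= 2 and data[0] == 0x30:
        length_byte = data[1]
        # Short form and BER indefinite form (0x80) use one length byte;
        # long form 0x8N is followed by N further length bytes.
        offset = 2 if length_byte <= 0x80 else 2 + (length_byte & 0x7F)
        if data[offset:offset + 3] == b"\x02\x01\x03":
            return "PKCS12"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a .pfx/.p12 name holds something other than PKCS12."""
    looks_pkcs12 = filename.lower().endswith((".pfx", ".p12"))
    return looks_pkcs12 and keystore_format(data) != "PKCS12"


# Constructed sample headers (not taken from the keystores on this page).
JKS_SAMPLE = struct.pack(">III", JKS_MAGIC, 2, 1)          # magic, version 2, 1 entry
PKCS12_SAMPLE = bytes.fromhex("30820a00020103") + b"\x30"  # SEQUENCE, INTEGER 3

if __name__ == "__main__":
    # Usage: python check_keystore.py keystore.pfx keystore.pkx
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(16)
        flag = "  <-- extension says PKCS12" if extension_mismatch(path, head) else ""
        print(f"{path}: {keystore_format(head)}{flag}")
```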