Java 将BKS与keytool一起使用导致无法从应答建立链_Java_Cryptography_Bouncycastle_Keystore_Keytool

Java 将BKS与keytool一起使用导致无法从应答建立链

java cryptography

Java 将BKS与keytool一起使用导致无法从应答建立链,java,cryptography,bouncycastle,keystore,keytool,Java,Cryptography,Bouncycastle,Keystore,Keytool,我正在尝试创建BKS密钥存储，但无法导入证书回复我得到的错误是 keytool错误：java.lang.Exception:无法从回复建立链 java.lang.Exception: Failed to establish chain from reply at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:3375) at sun.security.tools.KeyToo

我正在尝试创建BKS密钥存储，但无法导入证书回复

我得到的错误是 keytool错误：java.lang.Exception:无法从回复建立链

java.lang.Exception: Failed to establish chain from reply
            at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:3375)
            at sun.security.tools.KeyTool.installReply(KeyTool.java:2583)
            at sun.security.tools.KeyTool.doCommands(KeyTool.java:998)
            at sun.security.tools.KeyTool.run(KeyTool.java:340)
            at sun.security.tools.KeyTool.main(KeyTool.java:333)

BKS密钥存储创建步骤：

步骤1：使用openssl创建根ca密钥和ca证书

openssl req-x509-newkey rsa:2048-sha256-nodes-out cacert.crt-outform PEM-keyout cakey.PEM-config openssl-ca.cnf

步骤2：将ca证书作为信任CRT导入keytool的cacerts密钥库

keytool-importcert-alias root ca-file cacert.crt-keystore cacerts-storepass changeit

步骤3：将证书作为信任CRT导入BKS密钥存储

keytool-importcert-storetype BKS-keystore mykeystore.BKS-alias root ca-file cacert.crt-provider org.bouncycastle.jce.provider.BouncyCastleProvider-keypass bks123-storepass bks123-provider路径bcprov-ext-jdk15on-154.jar

步骤4：生成密钥对

keytool-genkeypair-alias java-client2-key-keyalg RSA-keysize 2048-sigalg sha256with RSA-storetype BKS-keystore mykeystore.BKS-provider org.bouncycastle.jce.provider.BouncyCastleProvider-keypass bks123-storepass bks123-provider路径bcprov-ext-jdk15on-154.jar

步骤5：生成证书请求（CSR）

keytool-certreq-alias java-client2-key-file client2-ugoca.csr-storetype BKS-keystore mykeystore.BKS-provider org.bouncycastle.jce.provider.BouncyCastleProvider-keypass bks123-storepass bks123-provider路径bcprov-ext-jdk15on-154.jar

步骤6：使用在步骤1中创建的自签名根CA对CSR进行签名

openssl x509-请求-365天-在client2-ugoca.csr-CA cacert.crt-CAkey CAkey.pem-set_serial 300661-out java-client2.crt中

步骤7：将签名证书导入密钥存储

keytool-v-importcert-alias java-client2-key-file java-client2.crt-trustcacerts-storetype BKS-keystore mykeystore.BKS-keypass bks123-storepass bks123-provider org.bouncycastle.jce.provider.BouncyCastleProvider-provider路径bcprov-ext-jdk15on-154.jar

注: 能够使用上述步骤创建JavaJKS密钥库

非常感谢您的帮助

第6步之后：我们需要创建包含根CRT的客户端CRT，如下所示

cat java-client2.crt cacert.crt>client\u chain.crt 然后在步骤7：导入client_chain.crt，如下所示

keytool-v-importcert-alias java-client2-key-file client_chain.crt-trustcacerts-storetype BKS-keystore mykeystore.BKS-keypass bks123-storepass bks123-provider org.bouncycastle.jce.provider.BouncyCastleProvider-provider路径bcprov-ext-jdk15on-154.jar