
Java keytool: importing multiple certificates from a single file


How do I import multiple certificates from a single file [into a certificate store] using keytool?


keytool -importcert only imports the first certificate.

If you want to include the CA certificates, you should add the -trustcacerts option.

If you have several certificate chains in one PEM file, you will have to do that.

I wanted to do the same thing, but apparently it is only possible if you import the key at the same time:

There are two kinds of entries - key entries and trusted certificate entries, and only key entries can have a "chain" of certificates attached to them. Trusted certificate entries are all single-certificate entries.

I even tried it, but it did not work, either for the reason above or because my keytool version is too old.

So you have to split the file into separate certificates first:

cat certchain.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > ("cert" n ".pem")}'

Then import each certificate separately.

A bash script that imports all certificates from a PEM file:

#!/bin/bash
PEM_FILE=$1
PASSWORD=$2
KEYSTORE=$3
# number of certs in the PEM file
CERTS=$(grep 'END CERTIFICATE' "$PEM_FILE" | wc -l)

# For every cert in the PEM file, extract it and import into the JKS keystore
# awk command: step 1, if line is in the desired cert, print the line
#              step 2, increment counter when last line of cert is found
for N in $(seq 0 $((CERTS - 1))); do
  # alias = PEM file name without extension, plus the certificate index
  ALIAS="${PEM_FILE%.*}-$N"
  cat "$PEM_FILE" |
    awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |
    keytool -noprompt -import -trustcacerts \
            -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$PASSWORD"
done

For example:

./jks_import_pem TrustedCAs.PEM changeit truststore.jks
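As an added example, not code from any of the answers above, here is a POSIX shell version that combines the awk split from the previous answer with the per-certificate import loop of this one. It differs from the page's one-liners in that it copies only the lines between BEGIN/END CERTIFICATE markers, so the "Bag Attributes" and "subject=" lines that openssl writes, and any PRIVATE KEY block that slipped into the bundle, never reach keytool. The function names, the alias scheme and the sample bundle are my own assumptions; the bundle is constructed and contains no real certificate or key material.

```shell
#!/bin/sh
# Added example (not from the original answers): split a PEM bundle into its
# certificate blocks with awk and import each block as its own trusted entry.
# Only text between BEGIN/END CERTIFICATE markers is forwarded to keytool.

# Constructed sample bundle: two fake certificate blocks surrounded by the
# kind of descriptive lines openssl emits, plus a private key that must be
# ignored. The base64 bodies are placeholders, not real DER.
SAMPLE_BUNDLE='Bag Attributes
    friendlyName: constructed-root
subject=CN=Constructed Root CA
-----BEGIN CERTIFICATE-----
MIIBsample1
-----END CERTIFICATE-----
subject=CN=Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBsample2
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEsampleKeyThatMustNotBeImported
-----END PRIVATE KEY-----'

# Number of certificate blocks in a PEM file (private keys are not counted).
count_certs() {
    grep -c -- '-----END CERTIFICATE-----' "$1"
}

# Print the Nth (0-based) certificate block, BEGIN through END, nothing else.
# Lines outside a BEGIN/END CERTIFICATE pair are dropped.
extract_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock && n == want + 0      { print }
        /-----END CERTIFICATE-----/   { if (inblock) n++; inblock = 0 }
    ' "$1"
}

# Alias for the Nth certificate: <bundle name without .pem>-<index>
# (assumed scheme, mirrors the "${PEM_FILE%.*}-$N" idea from the answer).
cert_alias() {
    printf '%s-%s\n' "$(basename "$1" .pem)" "$2"
}

# Import every certificate in the bundle, one keystore entry per block.
# Arguments: bundle.pem keystore storepass [path-to-keytool]
import_bundle() {
    pem=$1 keystore=$2 storepass=$3 keytool=${4:-keytool}
    total=$(count_certs "$pem")
    i=0
    while [ "$i" -lt "$total" ]; do
        extract_cert "$pem" "$i" |
            "$keytool" -importcert -noprompt -trustcacerts \
                -alias "$(cert_alias "$pem" "$i")" \
                -keystore "$keystore" -storepass "$storepass" || return 1
        i=$((i + 1))
    done
}

# Dry run on the constructed bundle: list what would be imported, no keytool needed.
demo_plan() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_BUNDLE" > "$tmp"
    total=$(count_certs "$tmp")
    echo "$total certificate block(s) found"
    i=0
    while [ "$i" -lt "$total" ]; do
        lines=$(extract_cert "$tmp" "$i" | wc -l | tr -d ' ')
        echo "alias $(cert_alias "$tmp" "$i"): $lines lines"
        i=$((i + 1))
    done
    rm -f "$tmp"
}

demo_plan
```

To use it for real, call import_bundle with the bundle, keystore, store password and, if keytool is not on PATH, the path to the JDK's keytool; the private key block in a bundle is deliberately left out, since a truststore should hold trusted certificate entries only.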

The answers given are not really viable solutions, more like alternatives.

What I wrote below works for the first certificate, but it does not loop. Any ideas?

    java_install_keystore_cert: true
    java_keystore_certs: "{{ apps.jira.keystore_certs }}"
    java_keystore_cert_alias: test

I have also switched to a not-so-simple solution:

  copy:
    src: "{{ java_keystore_cert_file }}"
    dest: /tmp/
  when: java_install_keystore_cert|default(false)

- name: Determine Java keystore (cacerts) location
  find:
    paths: "{{ java_home }}/"
    patterns: 'cacerts'
    recurse: yes
  register: cacerts_file
  when: java_install_keystore_cert|default(false)

# Not using the java_cert module (anymore) since that imports the first certificate only

# Always use .pem (simply rename .crt or .cert to .pem if needed)
# The .pem file should contain one or more public certificates, no private key(s) or chain
- name: Transfer the import certificate script
  copy:
    src: files/scripts/importcert.sh
    dest: /tmp/importcert.sh
    mode: 0700
  when: java_install_keystore_cert|default(false) and cacerts_file is defined

- name: Import certificate to Java keystore
  command: sh /tmp/importcert.sh "/tmp/{{ java_keystore_cert_file }}" "{{ java_home }}/bin/keytool" changeit "{{ cacerts_file.files[0].path }}"
  when: java_install_keystore_cert|default(false) and cacerts_file is defined

You can do this quickly with the p11-kit tool. The only limitation is that it reads the certificates from /etc/pki/ca-trust/source/.

/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors \
                --overwrite --purpose server-auth $DEST/java/cacerts

You can simply use the free and easy-to-use GUI tool to import and manage multiple certificates.

What type of file is it?

That is not the question - how do you add multiple certificates from a single file?

Note that, to be strictly correct, you need parentheses around the string concatenation: ("cert" n ".pem"). Without them some versions of awk get confused (OSX, at least).
importcert.sh, the script invoked by the "Import certificate to Java keystore" task above (same loop as the earlier answer, with the keytool path passed as the second argument):

#!/bin/bash
PEM_FILE=$1
KEYTOOL=$2
PASSWORD=$3
KEYSTORE=$4
# number of certs in the PEM file
CERTS=$(grep 'END CERTIFICATE' "$PEM_FILE" | wc -l)

# For every cert in the PEM file, extract it and import into the JKS keystore
# awk command: step 1, if line is in the desired cert, print the line
#              step 2, increment counter when last line of cert is found
for N in $(seq 0 $((CERTS - 1))); do
  # alias = PEM file name without extension, plus the certificate index
  ALIAS="${PEM_FILE%.*}-$N"
  cat "$PEM_FILE" |
    awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |
    "$KEYTOOL" -noprompt -import -trustcacerts \
            -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$PASSWORD"
done