Converting a PEM certificate obtained from Let's Encrypt into a Java Keystore

Such a hassle..

Oracle's own instructions are here.

Steps

I assume you have already obtained fullchain.pem and privkey.pem.

➜  ~ cd certs
➜  certs ls
fullchain.pem  privkey.pem

1

Use the following command to convert the certificate from PEM format to PKCS12 format:

  • Enter the export password of your choice at this prompt.
➜  certs openssl pkcs12 -export -out eneCert.pkcs12 -in ./fullchain.pem -inkey ./privkey.pem
Enter Export Password:
Verifying - Enter Export Password:

2

Create an empty truststore (generate a throwaway key entry, then delete it again):

➜  certs keytool -genkey -keyalg RSA -alias endeca -keystore truststore.ks
keytool -delete -alias endeca -keystore truststore.ks
Enter keystore password:  
Keystore password is too short - must be at least 6 characters
Enter keystore password:  
Re-enter new password:
What is your first and last name?
  [Unknown]:  Marshmallow
What is the name of your organizational unit?
  [Unknown]:  Anzupop
What is the name of your organization?
  [Unknown]:  Anzupop
What is the name of your City or Locality?
  [Unknown]:  <redacted>
What is the name of your State or Province?
  [Unknown]:  <redacted>
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=Marshmallow, OU=Anzupop, O=Anzupop, L=<redacted>, ST=<redacted>, C=CN correct?
  [no]:  yes

Enter key password for <endeca>
        (RETURN if same as keystore password):  

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore truststore.ks -destkeystore truststore.ks -deststoretype pkcs12".
Enter keystore password:

3

Use the following command to import the trusted CA certificate into the truststore:

➜  certs keytool -import -v -trustcacerts -alias endeca-ca -file ./fullchain.pem -keystore truststore.ks
Enter keystore password:  
Owner: CN=<redacted>.anzupop.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial number: <redacted>
Valid from: <redacted>
Certificate fingerprints:
         MD5:  <redacted>
         SHA1: <redacted>
         SHA256: <redacted>
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
<redacted>


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org
,
   accessMethod: caIssuers
   accessLocation: URIName: http://cert.int-x3.letsencrypt.org/
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
<redacted>

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#5: ObjectId: 2.5.29.32 Criticality=false
<redacted>

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: <redacted>.anzupop.com
]

#9: ObjectId: 2.5.29.14 Criticality=false
<redacted>

Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing truststore.ks]

4

Use the following command to create an empty Java KeyStore (again: generate a throwaway entry, then delete it):

➜  certs keytool -genkey -keyalg RSA -alias endeca -keystore keystore.ks
keytool -delete -alias endeca -keystore keystore.ks
Enter keystore password:  
Re-enter new password:
What is your first and last name?
  [Unknown]:  Marshmallow
What is the name of your organizational unit?
  [Unknown]:  Anzupop
What is the name of your organization?
  [Unknown]:  Anzupop
What is the name of your City or Locality?
  [Unknown]:  <redacted>
What is the name of your State or Province?
  [Unknown]:  <redacted>
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=Marshmallow, OU=Anzupop, O=Anzupop, L=<redacted>, ST=<redacted>, C=CN correct?
  [no]:  yes

Enter key password for <endeca>
        (RETURN if same as keystore password):  

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.ks -destkeystore keystore.ks -deststoretype pkcs12".
Enter keystore password:

5

Import your private key:

➜  certs keytool -v -importkeystore -srckeystore eneCert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.ks -deststoretype JKS
Importing keystore eneCert.pkcs12 to keystore.ks...
Enter destination keystore password:  
Enter source keystore password:  
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing keystore.ks]
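The five steps above as one non-interactive script. This is an added example, not code from the original post; it assumes openssl and keytool on PATH, the post's fullchain.pem and privkey.pem in the working directory, the password in a KS_PASS environment variable, and the file and alias names (eneCert.pkcs12, keystore.ks, truststore.ks, endeca-ca-N, chain-part-N.pem) are taken from the post or constructed here.

```shell
# Added example (not from the post): the post's steps as a non-interactive
# script. Assumes openssl and keytool on PATH, fullchain.pem + privkey.pem in
# the working directory, and the password in $KS_PASS (never on a command line,
# where it would end up in shell history and process listings).
set -eu

# fullchain.pem holds the leaf plus intermediate(s); one cert means an incomplete chain.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# keytool -importcert takes only the first certificate in a file (the post's
# step 3 output shows just the leaf), so split the chain into <prefix>1.pem,
# <prefix>2.pem, ... and print how many were written.
split_pem_chain() {
    awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ {n++}
                   n > 0 {print > (p n ".pem")}
                   END {print n + 0}' "$1"
}

# Step 1: PEM -> PKCS12, export password read from the environment.
pem_to_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:KS_PASS
}

# Steps 4 and 5 without the genkey/delete dance: -importkeystore creates the
# destination if missing. JKS as in the post; keytool's warning recommends
# PKCS12, so pass that as the third argument to follow it.
pkcs12_to_keystore() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -destkeystore "$2" -deststoretype "${3:-JKS}" -deststorepass:env KS_PASS
}

# Step 3: each certificate of the chain becomes its own trusted entry.
build_truststore() {
    n=$(split_pem_chain "$1" chain-part-)
    i=1
    while [ "$i" -le "$n" ]; do
        keytool -importcert -noprompt -trustcacerts -alias "endeca-ca-$i" \
            -file "chain-part-$i.pem" -keystore "$2" -storepass:env KS_PASS
        i=$((i + 1))
    done
}

if [ "${RUN_CONVERSION:-0}" = 1 ]; then   # RUN_CONVERSION=1 KS_PASS=... sh this.sh
    [ "$(count_pem_certs fullchain.pem)" -ge 2 ] || { echo "chain incomplete" >&2; exit 1; }
    pem_to_pkcs12 fullchain.pem privkey.pem eneCert.pkcs12
    pkcs12_to_keystore eneCert.pkcs12 keystore.ks && build_truststore fullchain.pem truststore.ks
fi
```

Run it with RUN_CONVERSION=1 and KS_PASS set in the environment; without RUN_CONVERSION it only defines the functions, so the preflight helpers can be reused on their own.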

Trivia

After configuring the generated keystore in Oracle Spatial Studio:

[image: stupid-chrome]

[image: clever-edge]

Nemo Xiong
ex-Cybersecurity Executor, now a student in Unimelb