Digital Certificate: How to Import a .cer File into a Truststore File

Last modified: November 28, 2020


1. Overview

The SSL protocol is usually the preferred choice whenever applications need to communicate with clients over the network. Besides encrypting the data, SSL requires an application, such as a browser, to exchange asymmetric keys during the handshake in order to establish a secure connection.

Generally, applications share these asymmetric keys in the X.509 certificate format. Therefore, before the SSL handshake, clients must import such certificates into their truststore files.

In this article, we’ll discuss a few tools that we can use to import certificates in .cer format into the client’s truststore.

2. The keytool Command

The JDK distribution provides a keytool utility that we can use to manage Java keystores (JKS). One of its most common uses is generating self-signed X.509 certificates for testing SSL communication between a client and a server.

We can also import self-signed or CA-signed certificates into a JKS file and use it as a truststore:

keytool -importcert -alias trustme -file baeldung.cer -keystore cacerts
Enter keystore password:
Trust this certificate? [no]:  yes
Certificate was added to keystore

Here, we’ve imported the self-signed baeldung.cer certificate using the keytool command. We can import this certificate into any Java keystore; the command shown here adds it to the JDK’s own cacerts keystore, so every application that relies on that JDK’s default truststore will trust it from now on. Before answering yes at the prompt, compare the fingerprint that keytool prints with the one obtained from the certificate’s owner through an independent channel.

If we now list the certificates in the keystore, we’ll see an entry with the alias trustme:

keytool -list -keystore cacerts

trustme, Oct 31, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 04:40:6C:B0:06:65:EE:80:9A:90:A5:E9:DA:19:05:4A:AA:F2:CF:A4

3. The openssl Command

So far, we’ve only discussed importing certificates into a JKS file. Such keystores can be used only by Java applications. If we need to use the certificate from SSL libraries in other languages, or share the same certificate across multiple language platforms, the PKCS12 keystore format is the more likely choice.

To import a certificate into a PKCS12 keystore, we can also use openssl:

openssl pkcs12 -export -in baeldung.cer -inkey baeldung.key -out baeldung.keystore -name trustme

This command bundles the certificate baeldung.cer together with its private key baeldung.key into the keystore baeldung.keystore under the alias trustme.

We can see the imported certificate in the keystore:

openssl pkcs12 -info -in baeldung.keystore
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    friendlyName: trustme
    localKeyID: F4 36 4E 19 E4 E4 E7 65 74 56 FB 50 40 02 68 8B EC F0 4D B3
subject=C = IN, ST = DE, L = DC, O = BA, OU = AU, CN = baeldung.com

issuer=C = IN, ST = DE, L = DC, O = BA, OU = AU, CN = baeldung.com

-----BEGIN CERTIFICATE-----
MIIFkTCCA3mgAwIBAgIUL/OjGExnppeZkiNNh0i2+TPHaCQwDQYJKoZIhvcNAQEL
BQAwWDELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAkRFMQswCQYDVQQHDAJEQzELMAkG
A1UECgwCQkExCzAJBgNVBAsMAkFVMRUwEwYDVQQDDAxiYWVsZHVuZy5jb20wHhcN
MjAxMTAzMTIwMjI5WhcNMjExMTAzMTIwMjI5WjBYMQswCQYDVQQGEwJJTjELMAkG
A1UECAwCREUxCzAJBgNVBAcMAkRDMQswCQYDVQQKDAJCQTELMAkGA1UECwwCQVUx
FTATBgNVBAMMDGJhZWxkdW5nLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
AgoCggIBAK/XF/xmqQRJlTx2Vtq70x1KFwkHJEcZOyFbQP7O9RgicvMTAnbZtKpS
BSVjwroklIr4OVK4wmwdaTnlIm22CsFrbn+iBVL00tVs+sBYEcgO5nphVWGFbvHl
Q3PO4vTedSyH1qIyYrrhAn8wYvzdmr2g6tRwBX8K5H948Zb32Xbp5r9aR5M2i8Qz
fc0QasJUM5b71TNt8Qcsru3pFKj5hUMBTNrGCQrr6vrADTcG0YHuVSMeJId7f67h
l0vEY0BmRPnWNwGe+Sg/jqOWH9WWvkk/umkEQNWCQZaXZNZZ8jl5WMKFnmA7sPQ+
UjZPabNOTxhz6fJv5nJu7aMS/6tUWO0SdQ+ctO3HgR42wtBPoEOOuFMP6OqHI4hf
CXFTYg6aLwxFJP7LngfRvETgzVlsb9L/m++JBeoWRqpWaQUEgxDYJGFGA5dwQJaf
f24d042i44X0WqBBoWLjSQd/JFVH5MF17waiYpxFBOgpz3XEM/1j+juJPVut2k96
3ecgR54iKILbibizPUojn7t3AFT1Ug8exdefHdf+QsL8/L5+8/xOYkp/pnglQJJl
W0Lq4Sh9LWiux9XVdY6n2UYf/crgLSHatVkPa26cysdXhiiEPn4yYr2AdYVf0Xr5
W5PULufdi0HW2Eja/TfeXoBQtkdidqP8SMW+DwqafX80s37bZZBvAgMBAAGjUzBR
MB0GA1UdDgQWBBQPHIpCFhAy3kGAbzHpXMjXCMVQRzAfBgNVHSMEGDAWgBQPHIpC
FhAy3kGAbzHpXMjXCMVQRzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
A4ICAQBzOK52I7lDX+7CHy6cQ8PnLZjAD4S5qC1P9dMy50E9N6Tmw2TiPbWl9CnU
7a/kVO6xDJDmNMnqRbHmlZclJaTFv6naXSX27PdIWjhwAfLjNa+FO9JNwMgiP25I
ISVjyrA3HwbhFnMs5FyBW9hbxfQ+X2Q2ooa+J3TKU7FImuDRKF3Sdb63+/j0go8S
5/TsoYpQxg86xbWf6IYGYwegd2SPSWUZ0HQSobZ7fRA7Y0EyPKgyqsBbmDtJ+X1g
P8Kep4N1oocc7ZkkX4pNfXTgXib9fUkKMAfRJz8w62z8I1OM61bciW7V2VSp/Y5p
iTihyuwO0aHG+YTnsr3qFrSFQLQUjCeBvx+euQelsGm8W9xM9YfASXiaEwCmb9PO
i/umD70J1e0HFDay9FW6mMoCCEBTZIF9ARqzhHgg9fi9iH2ctrsxadFAlOTFp5+/
p+nxrencfvc4CP6aHoqkE45HpMBoNDAxRMVd/FRzIG2as0q5At873MNFXP6WxmQV
4KGIhteNLyrXk82yHdHfm1EENTI7OEst/Fc8O3fFy9wn0OvoHIuCv1FVCq4Gnjmq
vNnBnGldrYruCNvj5KT6U14FFdK/5Zng0nSky4oMTs49zt392bdYi31SHWeATdw/
PscFRdig2stoI8ku6R+K7XvmseGzPmUW4K2IWU0zdRP2a4YyvA==
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    friendlyName: trustme
    localKeyID: F4 36 4E 19 E4 E4 E7 65 74 56 FB 50 40 02 68 8B EC F0 4D B3
Key Attributes: <No Attributes>

So, we’ve successfully imported our certificate into the PKCS12 keystore. As a result, this keystore can now be used as a truststore file in SSL client applications such as HTTP client libraries. Likewise, because it also carries the private key (the Shrouded Keybag in the output above), the same file can be used as a keystore in SSL server applications such as Tomcat.
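The two checks a practitioner wants around these imports, as an added shell example that is not part of the original article: verifying the certificate fingerprint before trusting it (the decision keytool's "Trust this certificate?" prompt asks for), and producing a PKCS12 truststore that holds only the certificate rather than the key-plus-certificate bundle shown above. It assumes only the openssl CLI; the baeldung.com certificate, the changeit password and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article; assumes only the openssl CLI.
# A throwaway self-signed certificate stands in for baeldung.cer. Its fingerprint
# is checked against a value obtained out of band before it is trusted, and the
# truststore is written with -nokeys so no private key ends up in the bundle.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CER="$WORK/baeldung.cer"
KEY="$WORK/baeldung.key"
TRUST="$WORK/truststore.p12"
PASS="pass:changeit"   # constructed demo password, not a real secret

# Constructed certificate playing the role of the .cer received from the server operator.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=baeldung.com" -keyout "$KEY" -out "$CER" 2>/dev/null
}

# SHA-256 fingerprint of the DER-encoded certificate, colon separated as keytool prints it.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate stored inside a PKCS12 truststore.
truststore_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Number of private keys inside the bundle; a truststore must report 0.
private_keys_in() {
    openssl pkcs12 -in "$1" -nodes -nocerts -passin "$PASS" 2>/dev/null \
        | grep -c 'BEGIN PRIVATE KEY' || true
}

# Import only when the fingerprint matches the expected value; refuse otherwise.
import_trusted() {
    actual="$(fingerprint "$1")"
    if [ "$actual" != "$2" ]; then
        echo "refusing to trust $1: fingerprint $actual does not match $2" >&2
        return 1
    fi
    # -nokeys: certificate only; -caname labels the entry, as the article's -name did.
    openssl pkcs12 -export -nokeys -in "$1" -caname trustme -out "$3" -passout "$PASS"
}

make_test_cert
import_trusted "$CER" "$(fingerprint "$CER")" "$TRUST"
echo "trusted $(truststore_fingerprint "$TRUST"), private keys: $(private_keys_in "$TRUST")"
```

In a real rollout the expected fingerprint passed to import_trusted comes from the certificate's owner, not from the file being imported.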

4. Conclusion

In this article, we discussed two popular tools for managing digital certificates: OpenSSL and Java keytool. We then used the keytool and openssl commands to import a certificate in .cer format into a JKS file and a PKCS12 file, respectively.