Converting a PEM File to Java KeyStore Format

Last modified: August 1, 2021

1. Overview

In a previous tutorial, we showed how to convert a Java KeyStore (JKS) into PEM format. In this tutorial, we’re going to convert the PEM format to the standard Java KeyStore (JKS) format. A Java KeyStore is a container that stores certificates with their matching private keys.

We’ll use a combination of openssl and keytool commands to convert from PEM to JKS. The openssl command needs to be downloaded separately, and its role is to convert from PEM to PKCS12. The keytool command comes with the JDK (Java Development Kit) and is used to convert from PKCS12 to JKS.

2. File Formats

JKS is a Java-specific file format that was the default format for KeyStores until Java 8. Starting from Java 9, PKCS#12 is the default KeyStore format. Unlike JKS, PKCS#12 is a standardized and language-neutral format for storing encrypted data. The PKCS#12 format is also known as PKCS12 or PFX.

PEM (Privacy Enhanced Mail) is also a certificate container format. PEM files are encoded in Base64, which ensures that data remains intact during transfer between different systems.

Further, a PEM file can contain one or more instances, each enclosed by a plain-text header and footer:

-----BEGIN CERTIFICATE-----

// base64 encoded

-----END CERTIFICATE-----

3. Converting PEM to JKS Format

We’ll now go through the steps to convert all certificates and private keys from PEM to JKS format.

For the purpose of example, we’re going to create a self-signed certificate.

3.1. Creating the PEM File

We’ll start by generating two files, key.pem and cert.pem, using openssl:

openssl req -newkey rsa:2048 -x509 -keyout key.pem -out cert.pem -days 365 

The tool will prompt us to enter a PEM passphrase and other information.

Once we’ve answered all the prompts, the openssl tool outputs two files:

  • key.pem (the private key)
  • cert.pem (a public certificate)

We’ll use these files to generate our self-signed certificate.

3.2. Generating the PKCS12 Certificate

In most cases, the certificate is in Public Key Cryptography Standards #12 (PKCS12) format. Less frequently, we use a Java KeyStore (JKS) format.

Let’s convert PEM into a PKCS12 format:

openssl pkcs12 -export -in cert.pem -inkey key.pem -out certificate.p12 -name "certificate"

While the command runs, we’ll be prompted to enter the passphrase that we created previously for key.pem:

Enter pass phrase for key.pem:

And then we’ll see the prompt asking for a new password for certificate.p12:

Enter Export Password:

After that, we’ll have a certificate.p12 KeyStore stored in PKCS12 format.

3.3. PKCS#12 to JKS

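The last step is to convert from PKCS12 to JKS format. Since PKCS#12 is the default KeyStore format starting from Java 9, we pass -deststoretype jks explicitly:

keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -destkeystore cert.jks -deststoretype jks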

As the command executes, it’ll prompt for a new password for the cert.jks file:

Enter destination keystore password:

And it’ll prompt us for the certificate.p12 password we created earlier:

Enter source keystore password:

Then, we should see the final output:

Entry for alias certificate successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

The result is a cert.jks KeyStore stored in JKS format.
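
The steps of sections 3.2 and 3.3, run without prompts and followed by a check that the certificate stored in each keystore is the one in cert.pem. This is an added example, not part of the original article; the function names and the KEY_PASS and STORE_PASS environment variables are assumptions.

```shell
#!/bin/sh
# Added example: non-interactive PEM -> PKCS12 -> JKS with a fingerprint check.
# Passphrases are read from the environment (KEY_PASS and STORE_PASS, assumed
# names) so they never appear in the process argument list.

# SHA-256 fingerprint of a PEM certificate, as bare upper-case hex.
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':'
}

# Step 3.2: bundle the certificate and private key into a PKCS12 keystore.
pem_to_p12() {  # usage: pem_to_p12 cert.pem key.pem out.p12 alias
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" \
    -passin env:KEY_PASS -passout env:STORE_PASS
}

# Fingerprint of the certificate stored inside the PKCS12 file.
p12_fingerprint() {  # usage: p12_fingerprint store.p12
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:STORE_PASS \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':'
}

# Step 3.3: import the PKCS12 entry into a JKS keystore.
p12_to_jks() {  # usage: p12_to_jks in.p12 out.jks
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass:env STORE_PASS \
    -destkeystore "$2" -deststoretype jks -deststorepass:env STORE_PASS
}

# Fingerprint of one alias in the JKS file, taken from keytool's verbose listing.
jks_fingerprint() {  # usage: jks_fingerprint store.jks alias
  keytool -list -v -keystore "$1" -storetype jks -storepass:env STORE_PASS \
    -alias "$2" \
    | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 | tr -d ':'
}

# Full conversion; non-zero status if a stored certificate differs from cert.pem.
convert_pem_to_jks() {  # usage: convert_pem_to_jks cert.pem key.pem out.p12 out.jks alias
  want=$(pem_fingerprint "$1")
  [ -n "$want" ] || return 1
  pem_to_p12 "$1" "$2" "$3" "$5" || return 1
  [ "$(p12_fingerprint "$3")" = "$want" ] || return 2
  p12_to_jks "$3" "$4" || return 1
  [ "$(jks_fingerprint "$4" "$5")" = "$want" ] || return 3
}
```

With both variables exported, `convert_pem_to_jks cert.pem key.pem certificate.p12 cert.jks certificate` reproduces the article's file names; keytool rejects keystore passwords shorter than six characters.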

4. Conclusion

In this article, we described the steps for converting a PEM file to JKS format, with the help of the intermediate PKCS12 format.

As supporting tools, we used the keytool and openssl commands.