1. Introduction
A Java KeyStore is a container of security certificates that we can use when writing Java code. Java KeyStores hold one or more certificates with their matching private keys and are created using keytool which comes with the JDK.
In this tutorial, we’ll convert a Java KeyStore into PEM (Privacy-Enhanced Mail) format using a combination of keytool and openssl. The steps will include using keytool to convert the JKS into a PKCS#12 KeyStore, and then openssl to transform the PKCS#12 KeyStore into a PEM file.
keytool is available with the JDK, and we can download openssl from the OpenSSL website.
2. File Formats
Java KeyStores are stored in the JKS file format. It’s a proprietary format that is specifically for use in Java programs. PKCS#12 KeyStores are non-proprietary and are increasing in popularity — from Java 9 onward, PKCS#12 is used as the default KeyStore format over JKS.
PEM files are also certificate containers — they encode binary data using Base64, which allows the content to be transmitted more easily through different systems. A PEM file may contain multiple instances, with each instance adhering to two rules:
- A one-line header of -----BEGIN <label>-----
- A one-line footer of -----END <label>-----
<label> specifies the type of the encoded message, common values being CERTIFICATE and PRIVATE KEY.
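The two rules above are easy to check mechanically. The script below is an added example, not part of the original article: a small POSIX shell/awk checker that walks a PEM file, verifies that every -----BEGIN <label>----- line is closed by a matching -----END <label>----- line, and prints the labels it finds. The sample file it writes is constructed for the demo; its Base64 payloads are placeholders, not real certificate or key material.

```shell
#!/bin/sh
# Added example, not from the original article: check that a PEM file is a
# sequence of well-formed "-----BEGIN <label>-----" / "-----END <label>-----"
# pairs and list the labels it carries. Plain awk, so it needs no JDK or OpenSSL.

# pem_labels FILE
# Prints the label of every well-formed block (e.g. CERTIFICATE, PRIVATE KEY)
# and exits non-zero on a footer without a header, a footer whose label does
# not match its header, or a header that is never closed.
pem_labels() {
    awk '
        /^-----BEGIN .*-----$/ {
            if (open != "") { bad = 1; print "ERROR: unterminated block " open > "/dev/stderr"; exit 1 }
            open = $0; sub(/^-----BEGIN /, "", open); sub(/-----$/, "", open)
            next
        }
        /^-----END .*-----$/ {
            lbl = $0; sub(/^-----END /, "", lbl); sub(/-----$/, "", lbl)
            if (open == "") { bad = 1; print "ERROR: END without BEGIN: " lbl > "/dev/stderr"; exit 1 }
            if (lbl != open) { bad = 1; print "ERROR: BEGIN " open " closed by END " lbl > "/dev/stderr"; exit 1 }
            print open; open = ""
            next
        }
        END { if (!bad && open != "") { print "ERROR: unterminated block " open > "/dev/stderr"; exit 1 } }
    ' "$1"
}

# pem_count FILE LABEL: number of well-formed blocks carrying LABEL.
pem_count() {
    pem_labels "$1" | grep -c -x "$2" || true
}

# write_sample_pem FILE: a constructed two-block PEM file for the demo. The
# Base64 payloads are placeholders, not a real certificate or key.
write_sample_pem() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'QUJDREVGR0g=' '-----END CERTIFICATE-----' \
        '-----BEGIN PRIVATE KEY-----' 'SUpLTE1OT1A=' '-----END PRIVATE KEY-----' > "$1"
}

# Demo: list the labels in the sample file and count its certificates.
sample=$(mktemp)
write_sample_pem "$sample"
pem_labels "$sample"                  # CERTIFICATE, then PRIVATE KEY
pem_count "$sample" CERTIFICATE       # 1
rm -f "$sample"
```

Run it against the keystore.pem produced later in the article to confirm that each alias contributed one PRIVATE KEY and one CERTIFICATE block; a non-zero exit means the file was truncated or spliced incorrectly and should not be handed to a TLS server.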
3. Converting an Entire JKS Into PEM Format
Let’s now go through the steps for converting all the certificates and private keys from a JKS into PEM format.
3.1. Creating the Java KeyStore
We’ll start by creating a JKS with a single RSA key pair:
keytool -genkey -keyalg RSA -v -keystore keystore.jks -alias first-key-pair
We’ll enter a KeyStore password at the prompt and enter information about the key pair.
For this example, we’ll create a second key pair as well:
keytool -genkey -keyalg RSA -v -keystore keystore.jks -alias second-key-pair
3.2. JKS to PKCS#12
The first step in the conversion process is to convert the JKS into PKCS#12 using keytool:
keytool -importkeystore -srckeystore keystore.jks \
-destkeystore keystore.p12 \
-srcstoretype jks \
-deststoretype pkcs12
Again, we’ll answer the password prompts — one will ask for the password of the original JKS, and the other will ask us to create a password for the resulting PKCS#12 KeyStore.
Let’s check the output of running that command:
Entry for alias first-key-pair successfully imported.
Entry for alias second-key-pair successfully imported.
Import command completed: 2 entries successfully imported, 0 entries failed or cancelled
The result is a keystore.p12 KeyStore stored in PKCS#12 format.
3.3. PKCS#12 to PEM
From here, we’ll use openssl to encode keystore.p12 into a PEM file:
openssl pkcs12 -in keystore.p12 -out keystore.pem
The tool will prompt us for the PKCS#12 KeyStore password and a PEM passphrase for each alias. The PEM passphrase is used to encrypt the resulting private key.
If we don’t want to encrypt the resulting private key, we should instead use:
openssl pkcs12 -nodes -in keystore.p12 -out keystore.pem
keystore.pem will contain all of the keys and certificates from the KeyStore. For this example, it contains a private key and a certificate for both the first-key-pair and second-key-pair aliases.
4. Converting a Single Certificate From a JKS Into PEM
We can export a single public key certificate out of a JKS and into PEM format using keytool alone:
keytool -exportcert -alias first-key-pair -keystore keystore.jks -rfc -file first-key-pair-cert.pem
After entering the JKS password at the prompt, we’ll see the output of that command:
Certificate stored in file <first-key-pair-cert.pem>
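The steps of sections 3 and 4 chained into one script, as an added example that is not part of the original article. It runs the same keytool and openssl commands non-interactively (the -storepass, -srcstorepass, -deststorepass and -passin options are real keytool/openssl options; the password value changeit, the CN values and the work directory are constructed for the demo) and then counts the PRIVATE KEY and CERTIFICATE blocks in the resulting keystore.pem so the conversion can be verified rather than assumed. Two caveats a practitioner should keep in mind: -nodes writes the private keys to disk unencrypted, so the output file needs the same protection as the original KeyStore, and supplying passwords on the command line exposes them in shell history and process listings, so outside a throwaway demo prefer the interactive prompts the article uses or a file-based -passin. The -legacy fallback covers PKCS#12 files written by older JDKs with RC2/3DES wrapping, which OpenSSL 3 reads only through its legacy provider.

```shell
#!/bin/sh
# Added example, not from the original article: sections 3.1-3.3 and 4 as a
# non-interactive pipeline (JKS -> PKCS#12 -> PEM, plus a single-cert export),
# followed by a count of the PEM blocks produced.
set -eu

# Demo password (constructed). Real deployments should not pass secrets on
# the command line; keytool and openssl both prompt when the option is omitted.
STOREPASS="${STOREPASS:-changeit}"

# create_jks DIR: the JKS from section 3.1 with the article's two RSA aliases.
# -storetype JKS is explicit because JDK 9+ defaults to PKCS12.
create_jks() {
    for alias in first-key-pair second-key-pair; do
        keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
            -dname "CN=$alias" -alias "$alias" \
            -keystore "$1/keystore.jks" -storetype JKS \
            -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
    done
}

# jks_to_p12 DIR: section 3.2; the same password is reused for the PKCS#12 store.
jks_to_p12() {
    keytool -importkeystore -srckeystore "$1/keystore.jks" -srcstoretype JKS \
        -destkeystore "$1/keystore.p12" -deststoretype PKCS12 \
        -srcstorepass "$STOREPASS" -deststorepass "$STOREPASS" >/dev/null 2>&1
}

# p12_to_pem DIR: section 3.3 with -nodes, i.e. unencrypted private keys on disk.
# Retry with -legacy when OpenSSL 3 refuses a PKCS#12 written by an older JDK.
p12_to_pem() {
    openssl pkcs12 -in "$1/keystore.p12" -out "$1/keystore.pem" -nodes \
        -passin "pass:$STOREPASS" 2>/dev/null ||
    openssl pkcs12 -legacy -in "$1/keystore.p12" -out "$1/keystore.pem" -nodes \
        -passin "pass:$STOREPASS"
}

# export_cert DIR ALIAS: section 4, one public certificate via keytool alone.
export_cert() {
    keytool -exportcert -alias "$2" -keystore "$1/keystore.jks" -rfc \
        -storepass "$STOREPASS" -file "$1/$2-cert.pem" >/dev/null 2>&1
}

# pem_count FILE LABEL: number of "-----BEGIN <LABEL>-----" headers in FILE.
pem_count() {
    grep -c "^-----BEGIN $2-----\$" "$1" || true
}

# convert_all DIR: run the whole pipeline and print the block counts.
# With two aliases the expected result is 2 private keys and 2 certificates.
convert_all() {
    create_jks "$1"
    jks_to_p12 "$1"
    p12_to_pem "$1"
    export_cert "$1" first-key-pair
    printf 'private keys: %s\ncertificates: %s\n' \
        "$(pem_count "$1/keystore.pem" 'PRIVATE KEY')" \
        "$(pem_count "$1/keystore.pem" CERTIFICATE)"
}

# Usage: sh convert.sh run   (outputs are left in a fresh temporary directory)
if [ "${1:-}" = run ]; then
    workdir=$(mktemp -d)
    convert_all "$workdir"
    echo "outputs in $workdir"
fi
```

The counts are the quick check worth keeping after any conversion: a PEM that holds fewer PRIVATE KEY blocks than aliases usually means a key entry was skipped, and the -legacy branch firing is a sign that the source JDK should be upgraded so that its PKCS#12 files use modern PBES2/AES wrapping.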
5. Conclusion
We’ve successfully converted an entire JKS into PEM format using keytool, openssl, and the intermediary stage of the PKCS#12 format. We’ve also covered converting a single public key certificate using keytool alone.