Should keystore password be same as PKCS12 certificate password?

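I am trying to import a PKCS12 certificate using keytool in Java. It only works when the keystore password is the same as the certificate password. Does the keystore also have to use the PKCS12 certificate password?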

From the documentation of keytool (listing only the options relevant to this question):

keytool -importkeystore [-srcstorepass srcstorepass] [-deststorepass deststorepass] {-srcalias srcalias {-destalias destalias} [-srckeypass srckeypass]} [-destkeypass destkeypass] ...

Imports a single entry or all entries from a source keystore to a destination keystore.

When the -srcalias option is provided, the command imports the single entry identified by the alias to the destination keystore. [...] If the source entry is protected by a password, then srckeypass is used to recover the entry. If srckeypass is not provided, then the keytool command attempts to use srcstorepass to recover the entry. If srcstorepass is either not provided or is incorrect, then the user is prompted for a password. The destination entry is protected with destkeypass. If destkeypass is not provided, then the destination entry is protected with the source entry password. For example, most third-party tools require storepass and keypass in a PKCS #12 keystore to be the same. In order to create a PKCS #12 keystore for these tools, always specify a -destkeypass to be the same as -deststorepass.

If the -srcalias option is not provided, then all entries in the source keystore are imported into the destination keystore. [...] If the source entry is protected by a password, then srcstorepass is used to recover the entry. If srcstorepass is either not provided or is incorrect, then the user is prompted for a password. [...] The destination entry is protected with the source entry password.

So whether the keystore must use the PKCS12 certificate password also depends on the application that will try to read the keystore.

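If you rely on Java system properties to tell JSSE about the keystore, there is no property for specifying a particular key alias or its password. In that case you have no choice but to make the passwords the same.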
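The store-password versus entry-password distinction described above, seen through the java.security.KeyStore API. This is an added example, not code from the original question or answer; the alias "demo" and both passwords are constructed, and an AES secret-key entry stands in for a certificate's private key so the program runs without an external file.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;

public class Pkcs12PasswordDemo {
    // Serialize a keystore to bytes under the given store password.
    static byte[] save(KeyStore ks, char[] storePass) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        return out.toByteArray();
    }

    // Load a PKCS12 keystore from bytes; only the store password is needed here.
    static KeyStore load(byte[] p12, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(p12), storePass);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample passwords and alias (assumptions, not real credentials).
        char[] storePass = "store-pass-example".toCharArray();
        char[] entryPass = "entry-pass-example".toCharArray();

        // Build a store whose entry password differs from the store password.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        ks.setKeyEntry("demo", kg.generateKey(), entryPass, null);
        KeyStore mismatched = load(save(ks, storePass), storePass);

        // A reader that knows only one password opens the store but cannot recover the entry.
        try {
            mismatched.getKey("demo", storePass);
            System.out.println("entry recovered with store password (unexpected)");
        } catch (UnrecoverableKeyException e) {
            System.out.println("store password alone cannot recover the entry");
        }

        // Re-protect the entry under the store password so both passwords match.
        Key key = mismatched.getKey("demo", entryPass);
        mismatched.setKeyEntry("demo", key, storePass, null);
        KeyStore aligned = load(save(mismatched, storePass), storePass);
        System.out.println("aligned: " + (aligned.getKey("demo", storePass) != null));
    }
}
```

The last step is the programmatic counterpart of giving -destkeypass the same value as -deststorepass, which is what a consumer that accepts only a single password needs.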