Difference between Java keytool commands when importing certificates or a chain

Just asking this question for "clarification", not for a solution:

The Java keytool has the -importcert command and the -trustcacerts argument. From the official help guide:

Import the Certificate Reply from the CA

After you import a certificate that authenticates the public key of the CA you submitted your certificate signing request to (or there is already such a certificate in the cacerts file), you can import the certificate reply and replace your self-signed certificate with a certificate chain. This chain is the one returned by the CA in response to your request (when the CA reply is a chain), or one constructed (when the CA reply is a single certificate) using the certificate reply and trusted certificates that are already available in the keystore where you import the reply or in the cacerts keystore file.

For example, if you sent your certificate signing request to VeriSign, then you can import the reply with the following, which assumes the returned certificate is named VSMarkJ.cer:

keytool -importcert -trustcacerts -file VSMarkJ.cer

I also read the following in the keytool documentation:

If the reply is a single X.509 certificate, keytool attempts to establish a trust chain, starting at the certificate reply and ending at a self-signed certificate (belonging to a root CA). The certificate reply and the hierarchy of certificates used to authenticate the certificate reply form the new certificate chain of alias. If a trust chain cannot be established, the certificate reply is not imported. In this case, keytool does not print out the certificate and prompt the user to verify it, because it is very hard (if not impossible) for a user to determine the authenticity of the certificate reply.

If the reply is a PKCS#7 formatted certificate chain, the chain is first ordered (with the user certificate first and the self-signed root CA certificate last), before keytool attempts to match the root CA certificate provided in the reply with any of the trusted certificates in the keystore or the "cacerts" keystore file (if the -trustcacerts option was specified). If no match can be found, the information of the root CA certificate is printed out, and the user is prompted to verify it, e.g., by comparing the displayed certificate fingerprints with the fingerprints obtained from some other (trusted) source of information, which might be the root CA itself. The user then has the option of aborting the import operation. If the -noprompt option is given, however, there will be no interaction with the user.

If I receive a certificate reply that contains the root CA and my signed certificate, which of the following is the correct command for importing the certificates correctly (or does the choice among the following depend on root CA availability):

# Assuming the root CA doesn't exist at all
keytool -import -keystore server_keystore.jks -storepass pass -alias rootCA -file ca-cert-file
keytool -import -keystore server_keystore.jks -storepass pass -alias fqdn_name -file signed_server_cert

# Assuming that the root CA exists in the system-wide cacerts
keytool -import -trustcacerts -keystore server_keystore.jks -storepass pass -alias fqdn_name -file signed_server_cert

versus

# Assuming that the root CA doesn't exist
keytool -importcert -keystore java_home\jre\lib\security\cacerts -storepass changeit -alias someRootCA -file root_ca_cert
keytool -importcert -trustcacerts -keystore server_keystore.jks -storepass pass -alias fqdn_name -file signed_server_cert

Apologies for any incorrect assumptions; I'm just trying to understand this by working through it with others :)

Regards,

# Assuming the root CA doesn't exist at all
keytool -import -keystore server_keystore.jks -storepass pass -alias rootCA -file ca-cert-file
keytool -import -keystore server_keystore.jks -storepass pass -alias fqdn_name -file signed_server_cert

This is the one to use. You need the -trustcacerts option on the first one, or to answer 'yes' to the corresponding prompt.

# Assuming that the root CA exists in the system-wide cacerts
keytool -import -trustcacerts -keystore server_keystore.jks -storepass pass -alias fqdn_name -file signed_server_cert

This will work if the certificate that signed yours is in cacerts. That is usually not the case: the root certificate should be there, but they may have signed yours with a certificate three or more steps below the root.

# Assuming that the root CA is a new authority
keytool -importcert -keystore java_home\jre\lib\security\cacerts -storepass changeit -alias someRootCA -file root_ca_cert
keytool -importcert -trustcacerts -keystore server_keystore.jks -storepass pass -alias fqdn_name -file signed_server_cert

Looks fine in theory, but if the CA is a new authority, nobody is going to trust it anyway, so this is pointless.

Note that when you import the signed certificate, you must use the same keystore file and alias that you used when generating the key pair and the CSR. This is a common source of errors.