Automating keystore with keytool and openssl
I have this script:
PASSWORD=password123
openssl genrsa -out client2.key 2048
openssl req -new -key client2.key -out client2.csr -subj "/C=/ST=/L=/O=/OU=/CN=/emailAddress=" -passin pass:$PASSWORD -passout pass:$PASSWORD
openssl x509 -req -in client2.csr -CA ./ca/ca.crt -CAkey ./ca/ca.key -CAcreateserial -out client2.crt -days 1825 -sha256
openssl pkcs12 -export -out bundle.p12 -in client2.crt -inkey client2.key -password pass:$PASSWORD
keytool -keystore truststore.jks -import -file ./ca/ca.crt -alias cacert -storepass $PASSWORD -keypass $PASSWORD -noprompt
keytool -destkeystore keystore.jks -importkeystore -srckeystore bundle.p12 -srcstoretype PKCS12 -srcstorepass $PASSWORD -destkeypass $PASSWORD -deststorepass $PASSWORD -srckeypass $PASSWORD
The problem is with the last command, which returns:
keytool error: java.io.IOException: keystore password was incorrect
and I don't understand why, since all the passwords are always the same.
When I try to run the import command manually, like this...
keytool -v -importkeystore -srckeystore bundle.p12 -srcstoretype pkcs12 \
-destkeystore keystore.jks -deststoretype JKS -deststorepass password123 \
-srcstorepass password123
I get the following exception:
Importing keystore bundle.p12 to keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
at java.base/java.security.KeyStore.load(KeyStore.java:1473)
at java.base/sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:2318)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1233)
at java.base/sun.security.tools.keytool.Main.run(Main.java:415)
at java.base/sun.security.tools.keytool.Main.main(Main.java:408)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.cert.CertificateParsingException: Empty subject DN not allowed in v1 certificate
This suggests that part of your problem may be in your script: you don't provide any value for the subject. If I fix that:
openssl req -new -key client2.key -out client2.csr -subj "/CN=example-client" \
-passin pass:$PASSWORD -passout pass:$PASSWORD
the manual import command works without problems:
$ keytool -v -importkeystore -srckeystore bundle.p12 -srcstoretype pkcs12 \
-destkeystore keystore.jks -deststoretype JKS -deststorepass password123 \
-srcstorepass password123
Importing keystore bundle.p12 to keystore.jks...
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[Storing keystore.jks]
But the command in the script -- which differs in that it includes -srckeypass and -destkeypass -- still fails:
Importing keystore bundle.p12 to keystore.jks...
keytool error: java.lang.Exception: if alias not specified, destalias and srckeypass must not be specified
If you remove the -srckeypass option from your script, it will work as expected.
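The corrected pipeline as an added example (this is not the asker's script nor the answerer's): it refuses an empty subject DN up front, since openssl signs it but keytool then fails to parse the PKCS#12 with the misleading "keystore password was incorrect", and it passes per-entry key passwords only when an alias is named. KEYSTORE_PASSWORD, CLIENT_SUBJECT and RUN_PIPELINE are assumed variable names, and ./ca/ca.crt and ./ca/ca.key are assumed to exist when the pipeline actually runs.

```shell
#!/bin/sh
# Added example, not from the original post: the pipeline with the two fixes
# from the answer (non-empty subject DN; no -srckeypass without an alias).
# Assumes ./ca/ca.crt and ./ca/ca.key exist when RUN_PIPELINE=1.
set -eu

PASSWORD="${KEYSTORE_PASSWORD:-password123}"   # hard-coded in the question
SUBJECT="${CLIENT_SUBJECT:-/CN=example-client}"

# openssl happily signs "/C=/ST=/L=/O=/OU=/CN=/emailAddress=", but keytool
# rejects the resulting certificate ("Empty subject DN not allowed").
# Require at least one character after "CN=" that is not a DN separator.
check_subject() {
    case "$1" in
        *CN=[!/]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the keytool -importkeystore arguments. Without -srcalias/-destalias
# keytool imports every entry and refuses -srckeypass (the error quoted in the
# answer); in that mode -destkeypass can be omitted as well. openssl pkcs12
# names the single exported entry "1", so import_args 1 is the aliased form.
import_args() {
    alias="$1"   # "" imports all entries
    printf '%s' "-importkeystore -srckeystore bundle.p12 -srcstoretype PKCS12"
    printf ' %s' "-srcstorepass $PASSWORD -destkeystore keystore.jks"
    printf ' %s' "-deststoretype JKS -deststorepass $PASSWORD"
    if [ -n "$alias" ]; then
        printf ' %s' "-srcalias $alias -destalias $alias"
        printf ' %s' "-srckeypass $PASSWORD -destkeypass $PASSWORD"
    fi
}

run_pipeline() {
    check_subject "$SUBJECT" || { echo "subject needs a non-empty CN" >&2; return 1; }
    openssl genrsa -out client2.key 2048
    openssl req -new -key client2.key -out client2.csr -subj "$SUBJECT"
    openssl x509 -req -in client2.csr -CA ./ca/ca.crt -CAkey ./ca/ca.key \
        -CAcreateserial -out client2.crt -days 1825 -sha256
    openssl pkcs12 -export -out bundle.p12 -in client2.crt -inkey client2.key \
        -password "pass:$PASSWORD"
    keytool -keystore truststore.jks -import -file ./ca/ca.crt -alias cacert \
        -storepass "$PASSWORD" -noprompt
    # shellcheck disable=SC2046  # word splitting is intended; no spaces in $PASSWORD
    keytool $(import_args "")
}

if [ "${RUN_PIPELINE:-0}" = 1 ]; then run_pipeline; fi
```

Run it with RUN_PIPELINE=1 to execute the openssl and keytool steps; without it the file only defines the helpers.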