java keytool在单个文件中导入多个证书

wdebmtf2  于 2023-03-11  发布在  Java
关注(0)|答案(7)|浏览(274)

如何使用keytool [to cert store]在单个文件中导入多个证书?
keytool -importcert只导入第一个。

plicqrtu

plicqrtu1#

将从PEM文件导入所有证书的bash脚本:

#!/bin/bash
PEM_FILE=$1
PASSWORD=$2
KEYSTORE=$3
# number of certs in the PEM file
CERTS=$(grep 'END CERTIFICATE' $PEM_FILE| wc -l)

# For every cert in the PEM file, extract it and import into the JKS keystore
# awk command: step 1, if line is in the desired cert, print the line
#              step 2, increment counter when last line of cert is found
for N in $(seq 0 $(($CERTS - 1))); do
  ALIAS="${PEM_FILE%.*}-$N"
  cat $PEM_FILE |
    awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |
    keytool -noprompt -import -trustcacerts \
            -alias $ALIAS -keystore $KEYSTORE -storepass $PASSWORD
done

例如:

./jks_import_pem TrustedCAs.PEM changeit truststore.jks
fd3cxomn

fd3cxomn2#

如果要包括CA证书,则应添加-trustcacerts选项。
如果一个PEM文件中有多个证书链,则必须拆分该文件。

j7dteeu8

j7dteeu83#

我想做同样的事情,但显然只有当你导入的关键,以及:
有两种类型的条目-密钥条目和可信证书条目,只有密钥条目可以包含附加到它的证书“链”。可信证书条目都是单个证书条目。
(网址:https://www.java.net/node/
我甚至尝试了converting to PKCS#7 format first,但它没有工作,要么是因为上述原因,要么是因为我的keytool版本太旧。
因此,必须首先将文件拆分为单独的证书:

cat certchain.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > ("cert" n ".pem")}'

https://serverfault.com/q/391396/58568
然后分别导入每个文件。

zdwk9cvp

zdwk9cvp4#

您只需使用免费且易于使用的GUI工具Keystore Explorer即可导入和管理多个证书。

u91tlkcl

u91tlkcl5#

您可以使用p11-kit工具,它可以非常快速地完成此操作。唯一的限制是它从/etc/pki/ca-trust/source/读取证书。

/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors \
                --overwrite --purpose server-auth $DEST/java/cacerts
vh0rcniy

vh0rcniy6#

给出的答案并不是真正的Ansible解决方案,更像是替代方案。
我写的下面的作品为第一个证书,但它不是循环。任何想法?

java_install_keystore_cert: true
    java_keystore_certs: "{{ apps.jira.keystore_certs }}"
    java_keystore_cert_alias: test
apps:
  jira:
    keystore_certs:
      - certName: xyz.xxx.com
        certFileName: xyz.xxx.com.pem
      - certName: xxx.com
        certFileName: xxx.com.pem
- name: Copy SSL certificate to remote server
  copy:
    src: "{{ java_keystore_certs[0].certFileName }}"
    #src: "{{ java_keystore_cert_file }}"
    dest: /tmp/
  when: java_install_keystore_cert|default(false)

- name: Determine Java cacerts keystore location
  find:
    paths: "{{ java_home }}/"
    patterns: 'cacerts'
    recurse: yes
  register: cacerts_file
  when: java_install_keystore_cert|default(false)

- name: Import SSL certificate to Java cacerts keystore
  java_cert:
    cert_alias: "{{ java_keystore_cert_alias }}"
    #cert_path: "/tmp/{{ java_keystore_cert_file }}"
    cert_path: "/tmp/{{ java_keystore_certs[0].certFileName }}"
    keystore_path: "{{ cacerts_file.files[0].path }}"
    keystore_pass: changeit
    executable: "{{ java_home }}/bin/keytool"
    state: present
  when: java_install_keystore_cert|default(false) and cacerts_file is defined
vqlkdk9b

vqlkdk9b7#

我还转向了一个不只是Ansible的解决方案......

copy:
    src: "{{ java_keystore_cert_file }}"
    dest: /tmp/
  when: java_install_keystore_cert|default(false)

- name: Determine Java keystore (cacerts) location
  find:
    paths: "{{ java_home }}/"
    patterns: 'cacerts'
    recurse: yes
  register: cacerts_file
  when: java_install_keystore_cert|default(false)

# Not using the java_cert module (anymore) since that imports the first certificate only

# Always use .pem (simply rename .crt or .cert to .pem if needed)
# The .pem file should contain one or more public certificates, no private key(s) or chain
- name: Transfer the import certificate script
  copy:
    src: files/scripts/importcert.sh
    dest: /tmp/importcert.sh
    mode: 0700
  when: java_install_keystore_cert|default(false) and cacerts_file is defined

- name: Import certificate to Java keystore
  command: sh /tmp/importcert.sh "/tmp/{{ java_keystore_cert_file }}" "{{ java_home }}/bin/keytool" changeit "{{ cacerts_file.files[0].path }}"
  when: java_install_keystore_cert|default(false) and cacerts_file is defined
#!/bin/bash
PEM_FILE=$1
KEYTOOL=$2
PASSWORD=$3
KEYSTORE=$4
# number of certs in the PEM file
CERTS=$(grep 'END CERTIFICATE' $PEM_FILE| wc -l)

# For every cert in the PEM file, extract it and import into the JKS keystore
# awk command: step 1, if line is in the desired cert, print the line
#              step 2, increment counter when last line of cert is found
for N in $(seq 0 $(($CERTS - 1))); do
  ALIAS="${PEM_FILE%.*}-$N"
  cat $PEM_FILE |
    awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |
    $KEYTOOL -noprompt -import -trustcacerts \
            -alias $ALIAS -keystore $KEYSTORE -storepass $PASSWORD
done

相关问题