英文:
How to resolve keytool error: java.lang.Exception: Input not an X.509 certificate
问题
我从以下安全网址获取公钥证书:
openssl s_client -showcerts -verify 5 -connect portal.myshop.com:9043 < /dev/null | openssl x509 -pubkey -noout>/home/app/portalpublic.crt
然后使用以下命令将公钥证书添加到信任存储中:
keytool -import -alias portalpubliccert -file /home/app/portalpublic.crt -storetype JKS -keystore cacerts
然而,我在执行此操作时遇到以下错误:
输入密钥库密码:
keytool 错误: java.lang.Exception: 输入不是 X.509 证书
请问您如何解决这个问题?
cat -ev /home/app/portalpublic.crt
-----BEGIN PUBLIC KEY-----$
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6iAD/I9U2kKAqEokzEkA$
b2QmPQb73A/bA9YD+I+pqEkqtwQmpe6Oiu3+mx2ppA/NXG2QqNb4IfpVEgRrQygG$
6giuhMikPRq6PQ7wywfxWaPkJDDcrLg7Dn8v3l5XgpeaFZN1KSGMDpdrsEpSlxFS$
ZaxDKUfySyjppsC9GV4Lv1IXET5sSmfYw2RqCkO/Q8zcItVkzjZIBw8Y/eVrloGm$
AnQj89cLJbDFq2VogVjMGdOSGQc7cQ0ZZAyrv0XV4hKpi9taiNNXv0ZKWuvk1oFo$
GyfildXPnVKORxSx6d865kj93fCsEXlLjJ1c8xHVr992hEWlWVthByqpTB7DVccj$
xQIDAQAB$
-----END PUBLIC KEY-----$
英文:
I get the public cert from secure URL as below:
openssl s_client -showcerts -verify 5 -connect portal.myshop.com:9043 < /dev/null | openssl x509 -pubkey -noout>/home/app/portalpublic.crt
and then add the public cert to trust store using the below command:
keytool -import -alias portalpubliccert -file /home/app/portalpublic.crt -storetype JKS -keystore cacerts
However, i get the below error in doing so:
Enter keystore password:
keytool error: java.lang.Exception: Input not an X.509 certificate
Can you please suggest how can i fix this issue ?
cat -ev /home/app/portalpublic.crt
-----BEGIN PUBLIC KEY-----$
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6iAD/I9U2kKAqEokzEkA$
b2QmPQb73A/bA9YD+I+pqEkqtwQmpe6Oiu3+mx2ppA/NXG2QqNb4IfpVEgRrQygG$
6giuhMikPRq6PQ7wywfxWaPkJDDcrLg7Dn8v3l5XgpeaFZN1KSGMDpdrsEpSlxFS$
ZaxDKUfySyjppsC9GV4Lv1IXET5sSmfYw2RqCkO/Q8zcItVkzjZIBw8Y/eVrloGm$
AnQj89cLJbDFq2VogVjMGdOSGQc7cQ0ZZAyrv0XV4hKpi9taiNNXv0ZKWuvk1oFo$
GyfildXPnVKORxSx6d865kj93fCsEXlLjJ1c8xHVr992hEWlWVthByqpTB7DVccj$
xQIDAQAB$
-----END PUBLIC KEY-----$
答案1
得分: 1
Meta: 这不是一个编程或开发问题,也不是一个疑问,现在很可能会被关闭。这可能更适合在security.SX或superuser上进行讨论。
我从以下安全URL获取了公共证书:
openssl s_client ... | openssl x509 -pubkey ...
**不,你没有获取证书。你获取的是公钥,而不是证书。公钥仅仅是一个公钥,不是证书,而证书不仅仅是公钥,尽管证书(在这里的类型)_包含_了公钥。此外,你并没有从一个URL获取它。你是从一个域名获得的,或者更确切地说,从一个域名所在的主机获取的。域名并不是URL;_一些_URL(并非全部!)_包含_一个域名,但它们是不同的东西。
keytool -import ... -file ...
keytool -import[cert]需要一个证书。公钥不是证书。这就是为什么错误消息说输入不是证书的原因--因为它确实不是证书。
Java密钥库可以将X.509/PKIX类型的证书作为trustedCertEntry存储,但它无法存储裸的公钥。如果你想要在密钥库中存储来自给定URL的证书,请获取证书并导入--而不是公钥。如果由于某种原因你只想存储公钥,但如果它与证书中的其他信息没有关联,那基本上是无用的,请不要使用Java密钥库,也不要使用keytool。
英文:
Meta: this is not a programming or development problem, issue or question, and nowadays is likely to be closed. It would probably be suitable on security.SX or superuser.
> I get the public cert from secure URL as below:
> openssl s_client ... | openssl x509 -pubkey ...
NO YOU DIDN'T. You got the public key not the cert. The publickey is only a publickey and is not a cert, and a cert is not just a publickey although a cert (of the type here) contains a publickey. Also, you didn't get it 'from a URL'. You got it from a domain name, or more exactly from the host at or apparently at a domain name. A domain name is not a URL; some URLs (not all!) contain a domain name, but they are different things.
> keytool -import ... -file ...
keytool -import[cert] requires a certificate. A publickey is not a certificate. That's why the error message says the input is not a certificate -- because it isn't.
A Java keystore can store a certificate, specifically an X.509/PKIX-type certificate, as a trustedCertEntry, but it cannot store a bare publickey. If you want to store a certificate from the given URL in a keystore, get and then import the certificate -- NOT the publickey. If for some reason you want to store only the publickey, which is basically useless if it's not linked to the other information in the certificate, don't use a Java keystore and don't use keytool.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论