How can I replace the expired intermediate CA certificate in a keystore file?

Question


How can I replace a new intermediate CA Certificate in a keystore file?

Hi,
I have a keystore file running on a server to support Tomcat TLS/HTTPS services.
In this keystore file, there are 3 certificates -

  1. end certificate (tomcat)
  2. intermediate CA Certificate (my_ssl_ca_v2_b)
  3. Root CA Certificate (my_root_ca)

Here is the cert list.

```text
C:\Program Files\Java\jre1.8.0_144\bin>keytool.exe -list  -keystore C:\mycert\my.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
tomcat, Oct 10, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3C:15:E8:D0:46:A8:8D:1F:93:52:9D:54:35:48:69:71:ED:49:44:65
my_ssl_ca_v2_b, Oct 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 0C:C3:60:CB:C6:91:0A:90:E4:0G:91:BE:3B:A6:D7:5B:C3:7B:8A:0F
my_root_ca, Oct 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 6C:23:89:FA:A8:E5:7D:E1:45:BE:75:84:15:E8:D8:41:73:59:FD:19
```

It was working fine.

A couple of days ago, the intermediate CA Certificate in the file expired. I got the new, updated intermediate CA Certificate later.

Now, the question is - how can I replace the expired intermediate CA Certificate in the keystore file with the new one?

I understand I can use the keytool -delete and -import options to delete and re-import the intermediate CA my_ssl_ca_v2_b.

However, how can I replace the intermediate CA cert inside the PrivateKeyEntry (Alias tomcat) in the keystore file, shown as follows?

**Alias name: tomcat**
Creation date: Oct 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
...
...
Certificate[2]:
Owner: CN=My SSL CA v2 - A, O=eBay Inc, C=US
Issuer: CN=My Root CA, O=eBay Inc, C=us
Serial number: 6800000004b4491dd58df45b9b000000000004
**Valid from: Wed Oct 14 18:35:33 UTC 2015 until: Wed Oct 14 18:45:33 UTC 2020**
...
...
Certificate[3]:
Owner: CN=My Root CA, O=eBay Inc, C=us
Issuer: CN=My Root CA, O=eBay Inc, C=us
Serial number: 4500888247008e884cd02d71a035810e

I can't use the keytool -delete and -import options to delete and re-import the alias tomcat with the End Cert file, because that will delete the private key as well, and the private key will never come back.

Can you please teach me the exact steps to replace an intermediate CA Certificate in a keystore? Thanks a lot!

-Jun

Answer 1

Score: 1


This isn't really a programming or development question, even though you use the result on tomcat, and may get closed.

You need to create a file containing the whole chain -- end-entity, intermediate and root certs, in that order, in PEM. If you don't already have the EE cert in PEM you can extract it with `keytool -export[cert] -keystore ksfile -alias tomcat -rfc -file eecert`. Obviously you have the new intermediate cert that you just got, and if you don't have the root already (and it didn't change) export that also. You can combine the files with `cat a b c >d` on Unix or `COPY a+b+c d` on Windows, or use any text editor you like. Then import it to the privatekey entry like `keytool -import[cert] -keystore ksfile -alias tomcat -file chainfile`.
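The procedure from the answer above as a runnable POSIX shell script (on Windows the `COPY a+b+c d` step from the answer replaces the concatenation). This is an added example, not the answerer's code. It assumes `keytool` from a JDK/JRE is on PATH; the keystore path, the alias `tomcat`, the file names of the renewed intermediate and root certificates, and the `RUN_REPLACE` switch are assumptions and placeholders. The `openssl verify` check is an addition the answer does not mention: it confirms that the renewed intermediate really is the issuer of the end-entity certificate before anything is written to the keystore.

```shell
#!/bin/sh
# Added example: rebuild the certificate chain of a JKS PrivateKeyEntry after the
# intermediate CA certificate was renewed. Not code from the question or the answer.
set -eu

KEYSTORE=${KEYSTORE:-/path/to/my.keystore}                  # placeholder path
ALIAS=${ALIAS:-tomcat}                                      # the PrivateKeyEntry alias
NEW_INTERMEDIATE=${NEW_INTERMEDIATE:-new_intermediate.pem}  # renewed intermediate CA cert, PEM (assumed name)
ROOT_CERT=${ROOT_CERT:-root_ca.pem}                         # unchanged root CA cert, PEM (assumed name)

# Number of PEM certificate blocks in a file; prints 0 for a file without any.
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_chain OUT LEAF INTERMEDIATE ROOT: concatenate PEM files in
# leaf -> intermediate -> root order. Every input must be readable and hold
# exactly one certificate; otherwise writing stops and 1 is returned.
build_chain() {
    chain_out=$1
    shift
    : > "$chain_out"
    for pem in "$@"; do
        if [ ! -r "$pem" ] || [ "$(pem_cert_count "$pem")" -ne 1 ]; then
            echo "build_chain: $pem is not a readable single-certificate PEM file" >&2
            return 1
        fi
        cat "$pem" >> "$chain_out"
        # A file without a trailing newline would glue its END line to the next BEGIN line.
        if [ -n "$(tail -c 1 "$pem")" ]; then
            echo >> "$chain_out"
        fi
    done
    return 0
}

# The full procedure for the keystore described in the question (keytool prompts for the password).
replace_intermediate() {
    work=$(mktemp -d)
    # 1. Export the end-entity certificate the PrivateKeyEntry already holds (-rfc gives PEM).
    #    The private key never leaves the keystore.
    keytool -exportcert -keystore "$KEYSTORE" -alias "$ALIAS" -rfc -file "$work/ee.pem"
    # 2. Build the chain: end-entity, renewed intermediate, root.
    build_chain "$work/chain.pem" "$work/ee.pem" "$NEW_INTERMEDIATE" "$ROOT_CERT"
    # 3. Check (added, not in the answer): the renewed intermediate must be the issuer of the
    #    end-entity cert and must chain to the root, otherwise the import is pointless.
    if command -v openssl >/dev/null 2>&1; then
        openssl verify -CAfile "$ROOT_CERT" -untrusted "$NEW_INTERMEDIATE" "$work/ee.pem"
    fi
    # 4. Import the chain under the existing alias. Because that alias holds a private key,
    #    keytool treats the file as a certificate reply: it checks that the first certificate
    #    matches the private key and then replaces the stored chain; nothing is deleted.
    keytool -importcert -keystore "$KEYSTORE" -alias "$ALIAS" -file "$work/chain.pem"
    # 5. Confirm that the chain now shows the renewed validity period.
    keytool -list -v -keystore "$KEYSTORE" -alias "$ALIAS" | grep -E 'Certificate\[|Valid from'
    rm -rf "$work"
}

# Run only when explicitly requested, so the helper functions can be sourced and tested
# on a machine without keytool: RUN_REPLACE=1 sh replace_intermediate.sh
if [ "${RUN_REPLACE:-0}" = 1 ]; then
    replace_intermediate
fi
```

After step 5, `Certificate[2]` should show the new "Valid from ... until" dates. The separate `trustedCertEntry` for the intermediate (alias `my_ssl_ca_v2_b`) is not part of the served chain, so updating it with `-delete` and `-importcert`, as the question already describes, is a separate step.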

huangapple
  • Posted on 2020-10-19 19:39:07
  • Please keep this link when reposting: https://go.coder-hub.com/64426560.html