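I have a Linux CentOS server running the GlassFish 3.1.2 application server. The default certificates that the GlassFish installation uses on ports 4848 and 8181 are 1024-bit. I need to replace them with 2048-bit versions. I am looking for help creating the keytool command line to do this.
I found the certificates here: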
# keytool -list -keystore keystore.jks
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
glassfish-instance, Feb 7, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): 40:...:46
s1as, Feb 7, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3C:...:FC
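Answer 1
Here you go. I always keep this page bookmarked as a reference: The Most Common Java Keytool Keystore Commands.
So you need to delete the certificate first before you can add it again. From the page above:
Delete a certificate from a Java Keytool keystore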
- keytool -delete -alias mydomain -keystore keystore.jks
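Answer 2
I disagree with the reply above. I found that if you created the CSR from the existing keystore, you can replace the certificate. All you have to do is import the new certificate using the same alias as the old certificate.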
keytool -importcert -alias old_cert_alias -file new_cert_file.cer -keystore your_key_store.jks
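Answer 3
There is no "overwrite" option.
There does not seem to be an "overwrite" or "force" command when adding content. So you have to delete manually first.
(You can look at the source code and search for "already.exists". There is no overwrite. It throws an exception directly. => https://github.com/openjdk/jdk17u/blob/master/src/java.base/share/classes/sun/security/tools/keytool/Main.java)
No "overwrite" option is documented for the "-genkey" command or the "-importcert" command. Here is an example with the "-genkey" command.
Generate a new truststore: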
$ keytool -keystore keystore.p12 -storepass 123456 -genkey -keyalg RSA -noprompt -dname "CN=test.example.com" -v
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
for: CN=test.example.com
[Storing keystore.p12]
✓
Overwriting does not work:
$ keytool -keystore keystore.p12 -storepass 123456 -genkey -keyalg RSA -noprompt -dname "CN=test.example.com" -v
keytool error: java.lang.Exception: Key pair not generated, alias <mykey> already exists
java.lang.Exception: Key pair not generated, alias <mykey> already exists
at java.base/sun.security.tools.keytool.Main.doGenKeyPair(Main.java:1930)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1171)
at java.base/sun.security.tools.keytool.Main.run(Main.java:415)
at java.base/sun.security.tools.keytool.Main.main(Main.java:408)
✗
$ keytool -keystore keystore.p12 -storepass 123456 -list
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
mykey, Mar 13, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 99:56:B4:19:E8:02:38:39:C4:01:67:08:EB:37:25:B8:15:CB:23:AE:CE:A1:15:44:0D:B4:B4:17:82:0D:D8:89
✓
So you have to delete manually:
$ keytool -keystore keystore.p12 -storepass 123456 -delete -alias mykey -v
[Storing keystore.p12]
✓
$ keytool -keystore keystore.p12 -storepass 123456 -delete -alias mykey -v
keytool error: java.lang.Exception: Alias <mykey> does not exist
java.lang.Exception: Alias <mykey> does not exist
at java.base/sun.security.tools.keytool.Main.doDeleteEntry(Main.java:1654)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1149)
at java.base/sun.security.tools.keytool.Main.run(Main.java:415)
at java.base/sun.security.tools.keytool.Main.main(Main.java:408)
✗
$ keytool -keystore keystore.p12 -storepass 123456 -list
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 0 entries
✓
Then it works:
$ keytool -keystore keystore.p12 -storepass 123456 -genkey -keyalg RSA -noprompt -dname "CN=test.example.com" -v
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
for: CN=test.example.com
[Storing keystore.p12]
✓
$ keytool -keystore keystore.p12 -storepass 123456 -list
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
mykey, Mar 13, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 91:DA:5C:EA:AA:65:83:A2:D4:7B:27:5E:44:09:4E:8B:5F:C2:FD:87:94:03:E7:83:18:CD:10:D9:C9:E0:F8:7E
✓
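The delete-then-generate sequence from Answer 3, wrapped as a repeatable script for the aliases in the question (s1as, glassfish-instance); this is an added example, not code from any of the answers. It assumes the store password is exported as KS_PASS and equals the key password; the function names, the dname and the 365-day validity are placeholders.

```shell
#!/bin/sh
# Added example: replace the key pair under an alias with a 2048-bit RSA pair.
# Assumptions: the store password is exported as KS_PASS and the key password
# is the same; the dname and 365-day validity are placeholders.

cert_fingerprint() {   # usage: cert_fingerprint <keystore> <alias>
    keytool -list -keystore "$1" -storepass:env KS_PASS -alias "$2" 2>/dev/null |
        grep -i 'fingerprint'
}

replace_keypair() {    # usage: replace_keypair <keystore> <alias> <dname>
    ks=$1; entry=$2; dname=$3
    [ -f "$ks" ] || { echo "keystore not found: $ks" >&2; return 1; }
    [ -n "$KS_PASS" ] || { echo "export KS_PASS first" >&2; return 1; }

    # Keep a copy: deleting a PrivateKeyEntry destroys the private key.
    bak="$ks.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$ks" "$bak" || return 1

    # keytool has no overwrite, so delete the alias only if it exists.
    if keytool -list -keystore "$ks" -storepass:env KS_PASS \
            -alias "$entry" >/dev/null 2>&1; then
        keytool -delete -keystore "$ks" -storepass:env KS_PASS \
            -alias "$entry" >/dev/null 2>&1 || { cp -p "$bak" "$ks"; return 1; }
    fi

    # State the key size explicitly instead of relying on the JDK default.
    if ! keytool -genkeypair -keystore "$ks" -storepass:env KS_PASS \
            -keypass:env KS_PASS -alias "$entry" -keyalg RSA -keysize 2048 \
            -sigalg SHA256withRSA -validity 365 -dname "$dname" \
            -noprompt >/dev/null 2>&1; then
        cp -p "$bak" "$ks"    # roll back to the saved keystore
        return 1
    fi
    echo "replaced $entry in $ks (backup: $bak)"
    cert_fingerprint "$ks" "$entry"
}

# Run directly: KS_PASS=... sh replace.sh keystore.jks s1as "CN=host.example.com"
if [ "$#" -eq 3 ]; then replace_keypair "$@"; fi
```

Passing the password with `-storepass:env` keeps it out of the process list, unlike the literal `-storepass 123456` used in the transcripts above.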