Short question
I have a working .crt file imported into a Tomcat keystore, and I need a certificate file and a private key file in PEM to upload to AWS CloudFront.
Long question
Our SSL certificate was issued by GoDaddy as a certificate for Tomcat, so I have the following files:
- mydomain
- gd_intermediate.crt
- gd_bundle.crt
- mydomain.csr
- tomcat.keystore
The Tomcat keystore works fine once it is configured correctly. But the certificate is a wildcard certificate, and we also need to upload it to AWS for use with CloudFront. The AWS CLI upload method requires a PEM certificate file. I tried converting it to PEM with openssl. The first problem I hit is a JDK error while converting the certificate. Second, whatever part I was able to convert fails openssl verification.
What is in my keystore
$ keytool -list -keystore tomcat.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
mydomain, Oct 24, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
root, Oct 24, 2013, trustedCertEntry,
Certificate fingerprint (MD5): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
intermed, Oct 24, 2013, trustedCertEntry,
Certificate fingerprint (MD5): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Converting the keystore to PEM
$ keytool -importkeystore -srckeystore tomcat.keystore -destkeystore intermediate.p12 -deststoretype PKCS12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias mydomain successfully imported.
Problem importing entry for alias root: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias root not imported.
Do you want to quit the import process? [no]: no
Problem importing entry for alias intermed: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias intermed not imported.
Do you want to quit the import process? [no]: no
Import command completed: 1 entries successfully imported, 2 entries failed or cancelled
$ openssl pkcs12 -in intermediate.p12 -out mydomain.pem -nodes
Enter Import Password:
MAC verified OK
$ openssl verify mydomain.pem
mydomain.pem: OU = Domain Control Validated, CN = *.mydomain.com
error 20 at 0 depth lookup:unable to get local issuer certificate
It looks like I need to fix the JDK error first.
$ java -version
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.11.90) (amazon-62.1.11.11.90.55.amzn1-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
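An added example (not from the original post) covering the OpenSSL half of this procedure. It generates a throwaway root > intermediate > wildcard leaf chain in place of the GoDaddy files so it runs offline, packs the leaf and its key into a PKCS12 the way `keytool -importkeystore` did (the two trustedCertEntry aliases were not exported, and for the upload they do not need to be, since the chain is already in gd_bundle.crt), splits that PKCS12 into a separate unencrypted key PEM and certificate PEM, checks that the key belongs to the certificate, and verifies the certificate against the bundle. The verify step is where the run in the question went wrong: `openssl verify` with no `-CAfile` checks against the system trust store, which does not contain the issuing intermediate, hence "error 20 ... unable to get local issuer certificate"; passing the bundle (or `-untrusted gd_intermediate.crt`) makes it pass. The domain *.example.test, the export password and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Everything below runs in a
# temporary directory with a self-made chain; the real gd_bundle.crt and
# intermediate.p12 would be used in exactly the same commands.
set -e

WORK=$(mktemp -d)
cd "$WORK"
P12PASS=changeit   # assumed export password (keytool asked for it interactively)

# Build root -> intermediate -> wildcard leaf, then the PKCS12 keytool produced.
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > leaf.ext

    # self-signed root CA
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
        -extfile ca.ext -out root.crt 2>/dev/null

    # intermediate CA signed by the root (stands in for gd_intermediate.crt)
    openssl req -new -newkey rsa:2048 -nodes -keyout intermed.key -out intermed.csr \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in intermed.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out gd_intermediate.crt 2>/dev/null

    # wildcard leaf signed by the intermediate (stands in for the mydomain cert)
    openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr \
        -subj "/OU=Domain Control Validated/CN=*.example.test" 2>/dev/null
    openssl x509 -req -in mydomain.csr -CA gd_intermediate.crt -CAkey intermed.key \
        -CAcreateserial -days 2 -extfile leaf.ext -out mydomain.crt 2>/dev/null

    # the bundle a CA ships: intermediate(s) first, root last
    cat gd_intermediate.crt root.crt > gd_bundle.crt

    # what keytool -importkeystore left us: the PrivateKeyEntry only, no chain
    openssl pkcs12 -export -name mydomain -in mydomain.crt -inkey mydomain.key \
        -out intermediate.p12 -passout "pass:$P12PASS"
}

# Split the PKCS12 into the two PEM files the AWS upload wants, instead of
# letting "-nodes" dump key and cert into one file as in the question.
# (-nodes is spelled -noenc in OpenSSL 3, which still accepts -nodes.)
split_p12() {
    openssl pkcs12 -in intermediate.p12 -passin "pass:$P12PASS" \
        -nocerts -nodes -out mydomain.key.pem 2>/dev/null
    openssl pkcs12 -in intermediate.p12 -passin "pass:$P12PASS" \
        -clcerts -nokeys -out mydomain.cert.pem 2>/dev/null
}

# Exit 0 only if the private key and the certificate carry the same public key.
key_matches_cert() {
    c=$(openssl x509 -in mydomain.cert.pem -noout -pubkey)
    k=$(openssl pkey -in mydomain.key.pem -pubout)
    [ "$c" = "$k" ]
}

# Exit 0 only if the leaf chains to the bundle. Without -CAfile, verify uses the
# system trust store, which has no issuer for this leaf: that is "error 20".
verify_leaf() {
    openssl verify -CAfile gd_bundle.crt mydomain.cert.pem >/dev/null 2>&1
}

build_chain
split_p12

if key_matches_cert; then
    echo "private key matches certificate"
else
    echo "private key does NOT match certificate" >&2
    exit 1
fi

openssl verify mydomain.cert.pem >/dev/null 2>&1 \
    || echo "verify without -CAfile fails (error 20), as in the question"

if verify_leaf; then
    echo "verify -CAfile gd_bundle.crt: OK"
else
    echo "verify against the bundle failed" >&2
    exit 1
fi
```

With the real files the equivalent is `openssl pkcs12 -in intermediate.p12 -nocerts -nodes -out mydomain.key.pem`, `openssl pkcs12 -in intermediate.p12 -clcerts -nokeys -out mydomain.cert.pem` and `openssl verify -CAfile gd_bundle.crt mydomain.cert.pem`; mydomain.cert.pem, mydomain.key.pem and gd_bundle.crt are then the certificate body, private key and chain the upload expects. The key file is unencrypted, so keep it out of version control and delete it once uploaded.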