将 SSL 证书上传到 AWS -- 将证书转换为 PEM

tag-icon tag-icon ssl amazon-web-services openssl amazon-cloudfront
将 SSL 证书上传到 AWS -- 将证书转换为 PEM

简短问题

我有一个导入到 tomcat 密钥库的工作 crt 文件,并且我需要一个证书文件和 pem 中的私钥文件来上传到 aws cloudfront。

长问题

我们的 SSL 证书由 go-daddy 颁发,用于 tomcat 的证书,因此我有以下文件:

  • 我的域名
  • gd_中间件.crt
  • gd_bundle.crt
  • 我的域名.csr
  • tomcat.keystore

tomcat 密钥库在正确配置后可以正常工作。但是该证书是通配符证书,我们还需要将其上传到 aws 以在 cloudfront 中使用。aws cli 上传方法需要 pem 证书文件。我尝试使用 openssl 将其转换为 pem。但是我遇到的第一个问题是转换证书时出现 jdk 错误。其次,我能够转换的任何部分都未通过 openssl 验证。

我的密钥库中有什么

    $ keytool -list -keystore tomcat.keystore
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 3 entries

    mydomain, Oct 24, 2013, PrivateKeyEntry,
    Certificate fingerprint (MD5): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    root, Oct 24, 2013, trustedCertEntry,
    Certificate fingerprint (MD5): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    intermed, Oct 24, 2013, trustedCertEntry,
    Certificate fingerprint (MD5): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

将密钥库转换为 pem

    $ keytool -importkeystore -srckeystore tomcat.keystore -destkeystore intermediate.p12 -deststoretype PKCS12
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:
    Entry for alias mydomain successfully imported.
    Problem importing entry for alias root: java.security.KeyStoreException: TrustedCertEntry not supported.
    Entry for alias root not imported.
    Do you want to quit the import process? [no]:  no
    Problem importing entry for alias intermed: java.security.KeyStoreException: TrustedCertEntry not supported.
    Entry for alias intermed not imported.
    Do you want to quit the import process? [no]:  no
    Import command completed:  1 entries successfully imported, 2 entries failed or cancelled

    $ openssl pkcs12 -in intermediate.p12 -out mydomain.pem -nodes
    Enter Import Password:
    MAC verified OK

    $ openssl verify mydomain.pem
    mydomain.pem: OU = Domain Control Validated, CN = *.mydomain.com
    error 20 at 0 depth lookup:unable to get local issuer certificate

看起来我首先需要解决 jdk 错误。

    java -version
    java version "1.6.0_24"
    OpenJDK Runtime Environment (IcedTea6 1.11.11.90) (amazon-62.1.11.11.90.55.amzn1-x86_64)
    OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

相关内容