Background: a .crt/.key pair and a Java keystore need to be converted into each other.
Prerequisites:
- The keystore file from which the certificate and private key are to be extracted, together with its password.
- A Linux operating system
- keytool and openssl
I. Converting a keystore to .crt and .key
1. Use keytool to convert the keystore to PKCS12
keytool -importkeystore -srckeystore [filename].keystore -destkeystore [filename].p12 -srcstoretype JKS -deststoretype PKCS12
Example:
[root@node1 zs]# ls
tomcat.keystore
[root@node1 zs]# keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcat.p12 -srcstoretype JKS -deststoretype PKCS12
Importing keystore tomcat.keystore to tomcat.p12...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias tomcat successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[root@node1 zs]# ls
tomcat.keystore tomcat.p12
2. Convert the PKCS12 file to PEM format
openssl pkcs12 -in [filename].p12 -out [filename].pem -passin pass:[PASSWORD] -passout pass:[PASSWORD]
Example:
[root@node1 zs]# openssl pkcs12 -in tomcat.p12 -out tomcat.pem -passin pass:Lsht1xk! -passout pass:Lsht1xk!
MAC verified OK
[root@node1 zs]# ls
tomcat.keystore tomcat.p12 tomcat.pem
3. Extract the certificates
openssl pkcs12 -in keystore.p12 -nokeys -clcerts -out server-ssl.crt
openssl pkcs12 -in keystore.p12 -nokeys -cacerts -out gs_intermediate_ca.crt
cat server-ssl.crt gs_intermediate_ca.crt >server.crt
server-ssl.crt is the SSL (server) certificate and gs_intermediate_ca.crt is the intermediate CA certificate; only the two concatenated together form the certificate chain the server needs.
Example:
[root@node1 zs]# openssl pkcs12 -in tomcat.p12 -nokeys -clcerts -out server-ssl.crt
Enter Import Password:
MAC verified OK
[root@node1 zs]# openssl pkcs12 -in tomcat.p12 -nokeys -cacerts -out gs_intermediate_ca.crt
Enter Import Password:
MAC verified OK
[root@node1 zs]# cat server-ssl.crt gs_intermediate_ca.crt >server.crt
[root@node1 zs]# ls
gs_intermediate_ca.crt server-ssl.crt tomcat.p12
server.crt tomcat.keystore tomcat.pem
4. Extract the private key
openssl pkcs12 -in [filename].p12 -nocerts -nodes -out server.key
Example:
[root@node1 zs]# openssl pkcs12 -in tomcat.p12 -nocerts -nodes -out server.key
Enter Import Password:
MAC verified OK
[root@node1 zs]# ls
gs_intermediate_ca.crt server.key tomcat.keystore tomcat.pem
server.crt server-ssl.crt tomcat.p12
II. Converting .crt and .key to .keystore
1. Convert .crt and .key to .p12 format (if the intermediate certificate and the SSL certificate have not been merged and are still two separate files, concatenate them first, as shown in step 3 above)
Example:
[root@node1 keystore]# ls
server.crt server.key
[root@node1 keystore]# openssl pkcs12 -export -in server.crt -inkey server.key > server.p12
Enter Export Password:
Verifying - Enter Export Password:
2. Convert the .p12 file to .keystore format
Example:
[root@node1 keystore]# keytool -importkeystore -keyalg EC -srckeystore server.p12 -destkeystore server.keystore -srcstoretype pkcs12
Importing keystore server.p12 to server.keystore...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.keystore -destkeystore server.keystore -deststoretype pkcs12".
[root@node1 keystore]# ls
server.crt server.key server.keystore server.p12
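The following script is an added example, not part of the original post: it scripts the .crt/.key -> .p12 -> .crt/.key round trip from sections I and II above and adds the check a practitioner wants afterwards, confirming that the extracted private key really belongs to the extracted certificate. The file names, subject name and password are constructed for the demonstration; only openssl is required.

```shell
#!/bin/sh
# Added example, not from the original post. Round-trips a cert/key pair through
# PKCS12 as the post does, then checks the extracted key belongs to the certificate.
# File names and the password are constructed for this demonstration.
set -eu

# Throwaway self-signed cert and key so the script runs offline (constructed material).
make_demo_material() {  # $1 = basename
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Section II step 1 of the post: .crt + .key -> .p12, password supplied non-interactively.
build_p12() {  # $1 = cert, $2 = key, $3 = output .p12, $4 = password
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Section I steps 3 and 4 of the post: .p12 -> leaf certificate and unencrypted key.
# -nodes writes the key in the clear, so the file is locked down to the owner at once.
extract_from_p12() {  # $1 = .p12, $2 = password, $3 = cert out, $4 = key out
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4"
  chmod 600 "$4"
}

# The check worth running after any conversion: the public key embedded in the
# certificate must equal the public key derived from the private key.
# Returns 0 when they match, 1 otherwise.
cert_matches_key() {  # $1 = cert, $2 = key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

main() {
  work=$(mktemp -d)
  cd "$work"
  make_demo_material demo
  build_p12 demo.crt demo.key demo.p12 'ConstructedPassword'
  extract_from_p12 demo.p12 'ConstructedPassword' server.crt server.key
  if cert_matches_key server.crt server.key; then
    echo "server.crt and server.key match"
  else
    echo "MISMATCH: server.key does not belong to server.crt" >&2
    exit 1
  fi
}
main
```

The same cert_matches_key check can be run on the server.crt and server.key produced by the post's own commands before they are loaded into Tomcat.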
May I ask, what program's source code is this?