Keystore / PKCS12: extracting the certificate and private key


Background: we need to convert between .crt/.key files and a keystore, in both directions.


Prerequisites:

  • The keystore file from which the certificate and private key are to be extracted, and its password.
  • A Linux operating system.
  • The keytool and openssl tools.

I. Converting a keystore to .crt and .key

1. Use keytool to convert the keystore to PKCS12

keytool -importkeystore -srckeystore [filename].keystore -destkeystore [filename].p12 -srcstoretype JKS -deststoretype PKCS12

Example:

[root@node1 zs]# ls
tomcat.keystore
   
[root@node1 zs]# keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcat.p12 -srcstoretype JKS -deststoretype PKCS12
Importing keystore tomcat.keystore to tomcat.p12...
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  
Entry for alias tomcat successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
   
[root@node1 zs]# ls
tomcat.keystore  tomcat.p12

2. Convert the PKCS12 file to PEM format

openssl pkcs12 -in [filename].p12 -out [filename].pem -passin pass:[PASSWORD] -passout pass:[PASSWORD]

Example:

[root@node1 zs]# openssl pkcs12 -in tomcat.p12 -out tomcat.pem -passin pass:Lsht1xk! -passout pass:Lsht1xk!
MAC verified OK
   
[root@node1 zs]# ls
tomcat.keystore  tomcat.p12  tomcat.pem

3. Extract the certificate

openssl pkcs12 -in keystore.p12 -nokeys -clcerts -out server-ssl.crt
openssl pkcs12 -in keystore.p12 -nokeys -cacerts -out gs_intermediate_ca.crt
cat server-ssl.crt gs_intermediate_ca.crt >server.crt

server-ssl.crt is the SSL (server) certificate and gs_intermediate_ca.crt is the intermediate certificate; only when the two are concatenated, server certificate first, do you have the certificate file the server needs.

Example:

   [root@node1 zs]# openssl pkcs12 -in tomcat.p12 -nokeys -clcerts -out server-ssl.crt
   Enter Import Password:
   MAC verified OK
   
   [root@node1 zs]# openssl pkcs12 -in tomcat.p12 -nokeys -cacerts -out gs_intermediate_ca.crt
   Enter Import Password:
   MAC verified OK
   
   [root@node1 zs]# cat server-ssl.crt gs_intermediate_ca.crt >server.crt
   
   [root@node1 zs]# ls
   gs_intermediate_ca.crt  server-ssl.crt   tomcat.p12
   server.crt              tomcat.keystore  tomcat.pem

4. Extract the private key

openssl pkcs12 -in [filename].p12 -nocerts -nodes -out server.key

Example:

   [root@node1 zs]# openssl pkcs12 -in tomcat.p12 -nocerts -nodes -out server.key
   Enter Import Password:
   MAC verified OK
   
   [root@node1 zs]# ls
   gs_intermediate_ca.crt  server.key      tomcat.keystore  tomcat.pem
   server.crt              server-ssl.crt  tomcat.p12

II. Converting .crt and .key to .keystore

1. Convert .crt and .key to .p12 format (if the intermediate certificate and the SSL certificate are two separate files rather than one combined file, concatenate them first, as shown in step 3 above)

Example:

   [root@node1 keystore]# ls
   server.crt  server.key
   
   [root@node1 keystore]# openssl pkcs12 -export -in server.crt -inkey server.key > server.p12
   Enter Export Password:
   Verifying - Enter Export Password:

2. Convert the .p12 certificate to .keystore format

Example:

   [root@node1 keystore]# keytool -importkeystore -keyalg EC -srckeystore server.p12 -destkeystore server.keystore -srcstoretype pkcs12
   Importing keystore server.p12 to server.keystore...
   Enter destination keystore password:  
   Re-enter new password: 
   Enter source keystore password:  
   Entry for alias 1 successfully imported.
   Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
   
   Warning:
   The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.keystore -destkeystore server.keystore -deststoretype pkcs12".
   
   [root@node1 keystore]# ls
   server.crt  server.key  server.keystore  server.p12 
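The extraction in section I (steps 3 and 4) and the export in section II (step 1) are shown below as one added example; it is not code from the original post. It uses only openssl, so the keytool steps are not reproduced, and it runs on a constructed test CA and leaf certificate (the subjects "demo test CA" and "demo.example" and the password are made-up values). After extracting, it performs the three checks worth doing before the files go on a server: that the extracted private key belongs to the extracted certificate, that the leaf verifies against the extracted CA certificate, and that the combined server.crt starts with the leaf rather than the CA.

```shell
#!/bin/sh
# Added example, not code from the original post. Round-trips a constructed
# certificate chain and private key through PKCS12 with openssl only, then
# verifies the extracted files before they would be installed on a server.
# All subjects and the password are constructed values.
set -eu

PASS='constructed-demo-password'   # placeholder, not a real secret

# Create a constructed CA and a leaf certificate signed by it in directory $1.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 2 -subj "/CN=demo test CA" 2>/dev/null
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=demo.example" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/leaf.crt" -days 1 2>/dev/null
}

# Section II step 1: bundle leaf, key and CA into a PKCS12 file. -certfile puts
# the CA certificate into the bundle so the later -cacerts extraction has something to return.
make_p12() {
    dir="$1"
    openssl pkcs12 -export -in "$dir/leaf.crt" -inkey "$dir/leaf.key" -certfile "$dir/ca.crt" \
        -passout "pass:$PASS" -out "$dir/bundle.p12"
}

# Section I steps 3 and 4: leaf certificate, CA certificates, unencrypted key, combined chain.
extract_from_p12() {
    dir="$1"
    openssl pkcs12 -in "$dir/bundle.p12" -passin "pass:$PASS" -nokeys -clcerts -out "$dir/server-ssl.crt"
    openssl pkcs12 -in "$dir/bundle.p12" -passin "pass:$PASS" -nokeys -cacerts -out "$dir/intermediate.crt"
    # -nodes writes the private key in the clear: tighten permissions before it is created.
    umask 077
    openssl pkcs12 -in "$dir/bundle.p12" -passin "pass:$PASS" -nocerts -nodes -out "$dir/server.key"
    cat "$dir/server-ssl.crt" "$dir/intermediate.crt" > "$dir/server.crt"
}

# Check 1: the public key derived from the key file equals the one inside the certificate.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Check 2: the leaf certificate ($1) validates against the extracted CA file ($2).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 3: the first certificate in the combined file is the leaf, not the CA.
first_cert_is_leaf() {
    openssl x509 -noout -subject -in "$1" | grep -q 'demo.example'
}

# Run the whole round trip in a scratch directory; returns 0 only if every check passes.
roundtrip_ok() {
    work=$(mktemp -d)
    make_test_pki "$work" && make_p12 "$work" && extract_from_p12 "$work" \
      && key_matches_cert "$work/server-ssl.crt" "$work/server.key" \
      && chain_verifies "$work/server-ssl.crt" "$work/intermediate.crt" \
      && first_cert_is_leaf "$work/server.crt"
    rc=$?
    rm -rf "$work"
    return $rc
}

roundtrip_ok && echo "round trip OK: key, chain and certificate order all check out"
```

Two points from the post's own commands carry over to real use. Passing the password as `-passin pass:...` on the command line (as in the step 2 example) leaves it in shell history and visible in the process list while openssl runs; `-passin stdin` or `file:` avoids that. And because `-nodes` produces an unencrypted key, set a restrictive umask (or chmod 600 the file) before running step 4, as `extract_from_p12` does above.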