How do I import multiple certificates from a single file into a keystore with keytool?
keytool -importcert only imports the first one.
A bash script that will import all certificates from a PEM file:
#!/bin/bash
# usage: jks_import_pem PEM_FILE STOREPASS KEYSTORE
PEM_FILE=$1
PASSWORD=$2
KEYSTORE=$3
# number of certs in the PEM file
CERTS=$(grep -c 'END CERTIFICATE' "$PEM_FILE")
# For every cert in the PEM file, extract it and import into the JKS keystore
# awk command: step 1, if line is in the desired cert, print the line
# step 2, increment counter when last line of cert is found
for N in $(seq 0 $((CERTS - 1))); do
  ALIAS="${PEM_FILE%.*}-$N"
  awk "n==$N { print }; /END CERTIFICATE/ { n++ }" "$PEM_FILE" |
    keytool -noprompt -import -trustcacerts \
      -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$PASSWORD"
done
For example:
./jks_import_pem TrustedCAs.PEM changeit truststore.jks
If you want to include CA certificates, the -trustcacerts option should be added.
If you have multiple certificate chains in one PEM file, you will have to split the file.
You can simply use the free and easy-to-use GUI tool Keystore Explorer to import and manage multiple certificates.
I wanted to do the same thing, but apparently that is only possible when you import a key:
There are two types of entries - key entries and trusted certificate entries, and only key entries can have a certificate "chain" attached to them. Trusted certificate entries are all single-certificate entries.
(https://www.java.net/node/674524#comment-709695)
I even tried converting to PKCS#7 format first, but it didn't work, either for the reason above or because my keytool version is too old.
So the file has to be split into separate certificates first:
awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > ("cert" n ".pem")}' certchain.pem
( https://serverfault.com/q/391396/58568 )
Then import each one separately.
You can do this quickly with the p11-kit tool. The only limitation is that it reads the certificates from /etc/pki/ca-trust/source/
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors \
--overwrite --purpose server-auth $DEST/java/cacerts
The answers given aren't really Ansible solutions, more like workarounds.
What I wrote below works for the first certificate, but it isn't looping. Any ideas?
java_install_keystore_cert: true
java_keystore_certs: "{{ apps.jira.keystore_certs }}"
java_keystore_cert_alias: test

apps:
  jira:
    keystore_certs:
      - certName: xyz.xxx.com
        certFileName: xyz.xxx.com.pem
      - certName: xxx.com
        certFileName: xxx.com.pem

- name: Copy SSL certificate to remote server
  copy:
    src: "{{ java_keystore_certs[0].certFileName }}"
    #src: "{{ java_keystore_cert_file }}"
    dest: /tmp/
  when: java_install_keystore_cert|default(false)

- name: Determine Java cacerts keystore location
  find:
    paths: "{{ java_home }}/"
    patterns: 'cacerts'
    recurse: yes
  register: cacerts_file
  when: java_install_keystore_cert|default(false)

- name: Import SSL certificate to Java cacerts keystore
  java_cert:
    cert_alias: "{{ java_keystore_cert_alias }}"
    #cert_path: "/tmp/{{ java_keystore_cert_file }}"
    cert_path: "/tmp/{{ java_keystore_certs[0].certFileName }}"
    keystore_path: "{{ cacerts_file.files[0].path }}"
    keystore_pass: changeit
    executable: "{{ java_home }}/bin/keytool"
    state: present
  when: java_install_keystore_cert|default(false) and cacerts_file is defined
I also switched to a solution that isn't just Ansible...
- copy:
    src: "{{ java_keystore_cert_file }}"
    dest: /tmp/
  when: java_install_keystore_cert|default(false)

- name: Determine Java keystore (cacerts) location
  find:
    paths: "{{ java_home }}/"
    patterns: 'cacerts'
    recurse: yes
  register: cacerts_file
  when: java_install_keystore_cert|default(false)

# Not using the java_cert module (anymore) since that imports the first certificate only
# Always use .pem (simply rename .crt or .cert to .pem if needed)
# The .pem file should contain one or more public certificates, no private key(s) or chain
- name: Transfer the import certificate script
  copy:
    src: files/scripts/importcert.sh
    dest: /tmp/importcert.sh
    mode: '0700'
  when: java_install_keystore_cert|default(false) and cacerts_file is defined

- name: Import certificate to Java keystore
  command: sh /tmp/importcert.sh "/tmp/{{ java_keystore_cert_file }}" "{{ java_home }}/bin/keytool" changeit "{{ cacerts_file.files[0].path }}"
  when: java_install_keystore_cert|default(false) and cacerts_file is defined
#!/bin/bash
# usage: importcert.sh PEM_FILE KEYTOOL STOREPASS KEYSTORE
PEM_FILE=$1
KEYTOOL=$2
PASSWORD=$3
KEYSTORE=$4
# number of certs in the PEM file
CERTS=$(grep -c 'END CERTIFICATE' "$PEM_FILE")
# For every cert in the PEM file, extract it and import into the JKS keystore
# awk command: step 1, if line is in the desired cert, print the line
# step 2, increment counter when last line of cert is found
for N in $(seq 0 $((CERTS - 1))); do
  ALIAS="${PEM_FILE%.*}-$N"
  awk "n==$N { print }; /END CERTIFICATE/ { n++ }" "$PEM_FILE" |
    "$KEYTOOL" -noprompt -import -trustcacerts \
      -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$PASSWORD"
done
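The keytool loop in the first answer, the awk split in the "split the file first" answer and the importcert.sh script above all depend on the same step: cutting a bundle into single certificates. The counting awk in those scripts copies everything between two END markers, so comment lines (as in ca-bundle.crt), private keys or a TRUSTED CERTIFICATE block end up in the piece handed to keytool, and the scripts also fail on a second run because keytool refuses an alias that already exists. The following is an added example, not code from any of the answers or from keytool itself: a POSIX sh script that extracts only -----BEGIN CERTIFICATE----- blocks (CRLF tolerated), imports each one, and skips aliases already present in the store. The function names pem_split, alias_exists, import_bundle and demo_split are my own; keytool is assumed to be on PATH and is only called by import_bundle; the bundle built in demo_split is constructed dummy data, not real certificates.

```shell
#!/bin/sh
# Added example (not from the answers above): split a PEM bundle into
# single-certificate files, import each into a keystore, and skip aliases
# that are already present so the script can be re-run safely.
# Assumes: keytool on PATH (only needed by import_bundle); POSIX sh and awk.
set -eu

# pem_split BUNDLE OUTDIR
# Writes OUTDIR/cert-000.pem, cert-001.pem, ... and prints how many were written.
# Only "-----BEGIN CERTIFICATE-----" blocks are copied: private keys,
# "TRUSTED CERTIFICATE" blocks and free-text comment lines are dropped and
# CRLF line endings are normalised, so each output file is one PEM certificate.
pem_split() {
  bundle=$1
  outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    { sub(/\r$/, "") }                               # tolerate CRLF bundles
    /^-----BEGIN CERTIFICATE-----$/ {
      inblock = 1
      file = sprintf("%s/cert-%03d.pem", dir, n)     # n is 0 on the first block
    }
    inblock { print > file }
    /^-----END CERTIFICATE-----$/ {
      if (inblock) { close(file); n++ }
      inblock = 0
    }
    END { print n + 0 }
  ' "$bundle"
}

# alias_exists KEYSTORE STOREPASS ALIAS  (exit 0 when the alias is already in the store)
alias_exists() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# import_bundle BUNDLE KEYSTORE STOREPASS [ALIAS_PREFIX]
# Aliases are PREFIX-0, PREFIX-1, ... in bundle order; the default prefix is the
# bundle file name without its extension, as in the scripts above.
import_bundle() {
  bundle=$1
  keystore=$2
  storepass=$3
  prefix=${4:-$(basename "${1%.*}")}
  workdir=$(mktemp -d)
  count=$(pem_split "$bundle" "$workdir")
  if [ "$count" -eq 0 ]; then
    echo "no CERTIFICATE blocks found in $bundle" >&2
    rm -rf "$workdir"
    return 1
  fi
  i=0
  while [ "$i" -lt "$count" ]; do
    f=$(printf '%s/cert-%03d.pem' "$workdir" "$i")
    name="$prefix-$i"
    if alias_exists "$keystore" "$storepass" "$name"; then
      echo "skipping $name: already in $keystore" >&2
    else
      keytool -importcert -noprompt -trustcacerts -file "$f" \
        -alias "$name" -keystore "$keystore" -storepass "$storepass"
    fi
    i=$((i + 1))
  done
  rm -rf "$workdir"
  echo "$count"
}

# Offline demo on a constructed bundle (no keytool needed): the comment line,
# the private key and the TRUSTED CERTIFICATE block are skipped, the CRLF block
# is normalised, and only the two real CERTIFICATE blocks are written out.
demo_split() {
  dir=$(mktemp -d)
  {
    printf '%s\n' '# Issuer: CN=Example Root (comment line, constructed)'
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIBconstructed' '-----END PRIVATE KEY-----'
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIICconstructed' '-----END CERTIFICATE-----'
    printf '%s\n' '-----BEGIN TRUSTED CERTIFICATE-----' 'MIIDconstructed' '-----END TRUSTED CERTIFICATE-----'
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'MIIEconstructed' '-----END CERTIFICATE-----'
  } > "$dir/bundle.pem"
  pem_split "$dir/bundle.pem" "$dir/out"   # prints 2
  rm -rf "$dir"
}

# With arguments run the import, e.g. ./import_bundle.sh TrustedCAs.pem truststore.jks changeit
# With no arguments run the offline demo.
if [ $# -ge 3 ]; then
  import_bundle "$@"
else
  demo_split
fi
```

Two caveats for real use. Aliases are positional, so if a bundle is re-ordered the skip check will pass over a changed certificate under an old alias; derive the alias from the certificate fingerprint (openssl x509 -noout -fingerprint -sha256) when that matters. Passing -storepass on the command line exposes the password in the process list; keytool also accepts -storepass:env VAR and -storepass:file PATH, which keep it out of ps output.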