在上文中我们提到了openssl与keytool工具关于证书转换方面的衔接。下面将逐一讲述如何使用openssl 从pkcs12文件中提取文本格式证书、私钥、制作证书链证书文件,以及模拟在只有 证书及私钥的情况下,如何制作出完整的pkcs12文件。
以从www.yuanlangchao.p12中提取pem格式证书为例:(示例中为方便演示,口令通过 -passin pass:... 直接写在命令行上;命令行参数会出现在进程列表和shell历史中,实际环境中建议改用 -passin file:... 或 -passin env:... 的方式传入口令)
下面这种命令导出的pem格式证书,保留了pkcs12中的证书链。证书链其实就是服务器证书本身与签发它的CA证书之间的信任关系。
[root@oracle openssl]# openssl pkcs12 -nokeys -in www.yuanlangchao.p12 -passin pass:yuanlangchao -out www.yuanlangchao.com.pem.crt
MAC verified OK
[root@oracle openssl]# cat www.yuanlangchao.com.pem.crt
Bag Attributes
friendlyName: server
localKeyID: 54 69 6D 65 20 31 34 34 32 39 35 34 37 32 30 39 33 38
subject=/C=cn/ST=shanghai/L=shanghai/O=YUAN/OU=YUANLANGCHAO/CN=www.yuanlangchao.com
issuer=/C=CN/ST=SHANGHAI/L=SHANGHAI/O=YUAN/OU=YUANLANGCHAO/CN=YUANLANGCHAO
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Bag Attributes
friendlyName: CN=YUANLANGCHAO,OU=YUANLANGCHAO,O=YUAN,L=SHANGHAI,ST=SHANGHAI,C=CN
subject=/C=CN/ST=SHANGHAI/L=SHANGHAI/O=YUAN/OU=YUANLANGCHAO/CN=YUANLANGCHAO
issuer=/C=CN/ST=SHANGHAI/L=SHANGHAI/O=YUAN_HOME/OU=YUAN/CN=YUAN_ROOTCA
-----BEGIN CERTIFICATE-----
MIIDrTCCApWgAwIBAgIEHC7zRzANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJD
TjERMA8GA1UECBMIU0hBTkdIQUkxETAPBgNVBAcTCFNIQU5HSEFJMRIwEAYDVQQK
DAlZVUFOX0hPTUUxDTALBgNVBAsTBFlVQU4xFDASBgNVBAMMC1lVQU5fUk9PVENB
MB4XDTE1MDkyMDE5NDU1MFoXDTI1MDkxNzE5NDU1MFowcDELMAkGA1UEBhMCQ04x
ETAPBgNVBAgTCFNIQU5HSEFJMREwDwYDVQQHEwhTSEFOR0hBSTENMAsGA1UEChME
WVVBTjEVMBMGA1UECxMMWVVBTkxBTkdDSEFPMRUwEwYDVQQDEwxZVUFOTEFOR0NI
QU8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCieng4vabG7lqylVzL
gGUVaTReuVWNlur/s7jl2HRUchOtp2ItTqEM++ZxqMnh6KvzTglmYk6pxLDRBbDe
H5Da6N+tw7awGm48VcCHjMJcGJIS007I2KvdumyOK8tNvCJ6BaM6SxkYHCfdTavZ
Ty9FFl/2lS4IBvIXqMNQWc9J9mZ69VMU6WOqQKwwtkLDNMeinDRlclWNVGYha357
evKG/wah+jYWFZyWrpUzzRBsuRdWFXaZOY7MvChnRCHrHm4U1ZI4O3eKNLH2XXxI
5QhSnqdo7PH3bvPO0uDPaiqEXSZ2xxMAQdvkb5qxNz3Ew+obHHlZXjoT3suxEAcZ
Q1rDAgMBAAGjUzBRMB8GA1UdIwQYMBaAFKCyP52ihWWzOuLZvDLZ0K2duWv/MA8G
A1UdEwQIMAYBAf8CAQMwHQYDVR0OBBYEFOXsCop9WI4STblAU98od4yZS95QMA0G
CSqGSIb3DQEBCwUAA4IBAQAAWnxiwlJ2IqeHOeKxbPrwCMHiZrofjTfRW1EAaVYp
ObqNpzhMMl68gPoImxABz0DKusEoN3CHuK4KcQ/VRRKGgbDP5wBF4sfdZggn+zPE
78W5GnajebE9+FD1v+I8h1LRrp967u2NhmB+uTrvbEZJsIj5Uzo7Pnc9u95gsUun
tVHQ65pCy+RaAFbN8ostYuVJWa4jZHjlEnFCeJAHIO/GuvYGFPV/C7iHC5Kvoc3E
YJJVhqoDra7EohtKPI+sh5oIplFn6dhY+eTsVDHNaRGN3zQKbB+78c5H8uZRXi1z
iuywShxTaIi6FJ4UItzmRyGdyHKw8aCs5koPE837s+3J
-----END CERTIFICATE-----
而下面这种命令(加了 -clcerts)导出的pem格式证书,只保留了pkcs12中的服务器证书本身,不包含证书链。
[root@oracle openssl]# openssl pkcs12 -nokeys -clcerts -in www.yuanlangchao.p12 -passin pass:yuanlangchao -out www.yuanlangchao.com.pem_nochain.crt
MAC verified OK
[root@oracle openssl]# cat www.yuanlangchao.com.pem_nochain.crt
Bag Attributes
friendlyName: server
localKeyID: 54 69 6D 65 20 31 34 34 32 39 35 34 37 32 30 39 33 38
subject=/C=cn/ST=shanghai/L=shanghai/O=YUAN/OU=YUANLANGCHAO/CN=www.yuanlangchao.com
issuer=/C=CN/ST=SHANGHAI/L=SHANGHAI/O=YUAN/OU=YUANLANGCHAO/CN=YUANLANGCHAO
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
下面这种命令达到了将pkcs12转换为pem格式的效果。
[root@oracle openssl]# openssl pkcs12 -in www.yuanlangchao.p12 -passin pass:yuanlangchao -out www.yuanlangchao.com.pem -passout pass:yuanlangchao
MAC verified OK
[root@oracle openssl]# cat www.yuanlangchao.com.pem
Bag Attributes
friendlyName: server
localKeyID: 54 69 6D 65 20 31 34 34 32 39 35 34 37 32 30 39 33 38
Key Attributes: &lt;No Attributes&gt;
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIu2pte4XBAXcCAggA
MBQGCCqGSIb3DQMHBAiXELBgx1TNzwSCBMjKxpaTJG5JulQ5D6wjLbC/UXGgEHSI
l/37Sz0luALk7UoGLmbpeZnWv+9yJ9Dzy7tEi9wwdhqq5abc/Ea+EJDneCocpQYt
HfDQJumF6jJDO4O87VpTVlmJrsNXWEkLiSXkFWJhxJrnwwA3KuKA1UqBiVtEN/Q5
/mw5w7Kgi3eqzdNh2uzkQyfP+bSMIMeELxLwweQfotLNixANyee1ZMDUVK+SymZU
vmA7LDMQ0nijimslXm7QNIvkWsKTVSEKYXNUhO08jOsc9crJIziYq/C37blwTyQk
MWx6ttz/dmhkR2TEaJShLo0CR+ut2CePJ3EGj8w/XdHA2QIAy1rEbIzmFM0l/iQn
ciG9xGwYcULV476XQ4S4BqKMq1e9/GSL56SB84kzMkH3KyO529rs2i8slrcfaqPo
WaAOkCv81DpDu7zm+az/C+gh6URc5tsVwF5YsdTrPBLLBAZecOAXFuGGY/EH5A2h
V790J5dmuiJpuWkl6GPAj2GCj9iy0cTGfLAIAROmbNrMSEZFTEZhlzXanVUn97Z2
0ENKtehu7PMfEng0EbdOP3fu/rzeYqGKAJN1HcOP7FXmUOaJiPvqMmAsi1sGzv9d
L1DDXx4NQKEsG1LthM8I7Fh/NOMcoUXDYigAF+AK9iDlkjuT2321v7QmUdnPjv/0
s18NF5DlxRHkTZewKRKomBpt8Ls0acyWdeqzQce6aEXPk8f1yA9OMecc3RXWlOwM
ePl9q7jDscqLwdttvs3nQjNqIKx6RgvZcRG8DZIBYluSdA9kAZ5eEWQoqGe7ZcjJ
OzG7G9sMBcgOVo4kdA0qt1/mXzbEqmn701feORy2Ft6SLQknEqZQVcp8GH37a+91
830qX6oILaBZ445/tOb/NssZWx4tJITzsZorcXH/Z92Ey3so6tRL9v/8LdRccrZ6
nlfPzAvcQVDig+9E5VXH3N6np45VTFKetyeK7EWlMZ+KXI9ZFyMQmJDNblOMwm+Y
qefjO7r+Li4EildSvqKIlTpe1pSSO50JRQm9l0un5liCgGezjUqx5911ZuBcyFLm
95ogzqdRwvFXq8Eu6KCZO8buP2q/tkkQgfwHRuf3ATbH8CPquQKrnDdIqOC1hIFB
oATSdRnarC96CYT4MIDlDF00fvjsZMkZoLhsUbripxQDL0PcD24OhbTv7poL6bAd
0uA0SX5xcZVBtCQyxnh1qF25AjQKBa0cl+WXGEHlyEqZ2nlb9qYXGUewZzAYUOki
ZkZMN0H37iCEOGkEuJ6HGU/MnWdNwRWmE2kKYNJiG7rRUSstz9WahonasYk70NFG
W1mHcahZIQAnfPGVtpjO0lRD0Nl9PJNbtCmB4og5sP9jA+zo468ddztb3nVWITeG
V7sPwjK9+Wl3Bj6I5iZcfjByeh38PlWbOTFfoVrGnV+77rzrByRSEs8nKFuBllh6
1LYM5zNuvc3FFmhXKQPAs2dbvFrMGJLxK4672vMe/oTqqst4JFfoS5r68zkWjpwY
Y6ZfdRx9voS4REzvOWGWNjarX+CcBNxboVy+a9dIf17geiZuaZaqAwEwjXn75Tex
HRdROaNNBhPGeH2UPzoB11/e/C/UOnD1uHUVKEO5RWRGTd+TEQDXTvTUyxSSMtp+
sp8=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: server
localKeyID: 54 69 6D 65 20 31 34 34 32 39 35 34 37 32 30 39 33 38
subject=/C=cn/ST=shanghai/L=shanghai/O=YUAN/OU=YUANLANGCHAO/CN=www.yuanlangchao.com
issuer=/C=CN/ST=SHANGHAI/L=SHANGHAI/O=YUAN/OU=YUANLANGCHAO/CN=YUANLANGCHAO
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Bag Attributes
friendlyName: CN=YUANLANGCHAO,OU=YUANLANGCHAO,O=YUAN,L=SHANGHAI,ST=SHANGHAI,C=CN
subject=/C=CN/ST=SHANGHAI/L=SHANGHAI/O=YUAN/OU=YUANLANGCHAO/CN=YUANLANGCHAO
issuer=/C=CN/ST=SHANGHAI/L=SHANGHAI/O=YUAN_HOME/OU=YUAN/CN=YUAN_ROOTCA
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
有的时候我们需要单独使用到证书的私钥,下面使用openssl工具从www.yuanlangchao.p12中提取私钥。注意 -nodes 表示导出的私钥不加密,生成的 .key 文件是明文私钥,应妥善保管并限制文件访问权限。
[root@oracle openssl]# openssl pkcs12 -nodes -nocerts -in www.yuanlangchao.p12 -passin pass:yuanlangchao -out www.yuanlangchao.com.key
MAC verified OK
[root@oracle openssl]# cat www.yuanlangchao.com.key
Bag Attributes
friendlyName: server
localKeyID: 54 69 6D 65 20 31 34 34 32 39 35 34 37 32 30 39 33 38
Key Attributes: &lt;No Attributes&gt;
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
[root@oracle openssl]# openssl rsa -in www.yuanlangchao.com.key -out www.yuanlangchao.com.private.key
writing RSA key
[root@oracle openssl]# cat www.yuanlangchao.com.private.key
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
证书链文件实际上是所有相关CA证书的集合,所以我们只需要将YUANLANGCHAO.p12导出为不包含证书链、不包含私钥的pem格式证书,然后合并即可。
[root@oracle openssl]# openssl pkcs12 -nokeys -clcerts -in YUANLANGCHAO.p12 -passin pass:yuanlc123456 -out yuanlangchao.crt
MAC verified OK
[root@oracle openssl]# openssl pkcs12 -nokeys -clcerts -in YUANCA.p12 -passin pass:yuan123456 -out yuanca.crt
MAC verified OK
[root@oracle openssl]# cat yuanlangchao.crt yuanca.crt > yuan_bundle.crt
[root@oracle openssl]# cat yuan_bundle.crt
Bag Attributes
friendlyName: yuanlangchao
localKeyID: 54 69 6D 65 20 31 34 34 32 39 35 36 31 34 38 30 30 32
subject=/C=CN/ST=SHANGHAI/L=SHANGHAI/O=YUAN/OU=YUANLANGCHAO/CN=YUANLANGCHAO
issuer=/C=CN/ST=SHANGHAI/L=SHANGHAI/O=YUAN_HOME/OU=YUAN/CN=YUAN_ROOTCA
-----BEGIN CERTIFICATE-----
MIIDrTCCApWgAwIBAgIEHC7zRzANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJD
TjERMA8GA1UECBMIU0hBTkdIQUkxETAPBgNVBAcTCFNIQU5HSEFJMRIwEAYDVQQK
DAlZVUFOX0hPTUUxDTALBgNVBAsTBFlVQU4xFDASBgNVBAMMC1lVQU5fUk9PVENB
MB4XDTE1MDkyMDE5NDU1MFoXDTI1MDkxNzE5NDU1MFowcDELMAkGA1UEBhMCQ04x
ETAPBgNVBAgTCFNIQU5HSEFJMREwDwYDVQQHEwhTSEFOR0hBSTENMAsGA1UEChME
WVVBTjEVMBMGA1UECxMMWVVBTkxBTkdDSEFPMRUwEwYDVQQDEwxZVUFOTEFOR0NI
QU8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCieng4vabG7lqylVzL
gGUVaTReuVWNlur/s7jl2HRUchOtp2ItTqEM++ZxqMnh6KvzTglmYk6pxLDRBbDe
H5Da6N+tw7awGm48VcCHjMJcGJIS007I2KvdumyOK8tNvCJ6BaM6SxkYHCfdTavZ
Ty9FFl/2lS4IBvIXqMNQWc9J9mZ69VMU6WOqQKwwtkLDNMeinDRlclWNVGYha357
evKG/wah+jYWFZyWrpUzzRBsuRdWFXaZOY7MvChnRCHrHm4U1ZI4O3eKNLH2XXxI
5QhSnqdo7PH3bvPO0uDPaiqEXSZ2xxMAQdvkb5qxNz3Ew+obHHlZXjoT3suxEAcZ
Q1rDAgMBAAGjUzBRMB8GA1UdIwQYMBaAFKCyP52ihWWzOuLZvDLZ0K2duWv/MA8G
A1UdEwQIMAYBAf8CAQMwHQYDVR0OBBYEFOXsCop9WI4STblAU98od4yZS95QMA0G
CSqGSIb3DQEBCwUAA4IBAQAAWnxiwlJ2IqeHOeKxbPrwCMHiZrofjTfRW1EAaVYp
ObqNpzhMMl68gPoImxABz0DKusEoN3CHuK4KcQ/VRRKGgbDP5wBF4sfdZggn+zPE
78W5GnajebE9+FD1v+I8h1LRrp967u2NhmB+uTrvbEZJsIj5Uzo7Pnc9u95gsUun
tVHQ65pCy+RaAFbN8ostYuVJWa4jZHjlEnFCeJAHIO/GuvYGFPV/C7iHC5Kvoc3E
YJJVhqoDra7EohtKPI+sh5oIplFn6dhY+eTsVDHNaRGN3zQKbB+78c5H8uZRXi1z
iuywShxTaIi6FJ4UItzmRyGdyHKw8aCs5koPE837s+3J
-----END CERTIFICATE-----
Bag Attributes
friendlyName: yuan_rootca
localKeyID: 54 69 6D 65 20 31 34 34 32 39 35 35 39 39 31 38 39 33
subject=/C=CN/ST=SHANGHAI/L=SHANGHAI/O=YUAN_HOME/OU=YUAN/CN=YUAN_ROOTCA
issuer=/C=CN/ST=SHANGHAI/L=SHANGHAI/O=YUAN_HOME/OU=YUAN/CN=YUAN_ROOTCA
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
笔者在实际的项目中遇到过此类情况:客户技术人员通过其他平台生成的证书签名请求(CSR),向Go Daddy CA机构申请了通配符域名SSL证书,比如 *.yuanlangchao.com
客户技术人员实际给的文件有以下5个,目的是要让证书可以在tomcat上应用。
由于当时笔者对keytool、openssl工具的使用,各证书格式的转换还不熟悉,就通过一些证书网站提供的在线转换工具提交了 crt 及 key 转换成了jks格式的证书,但转换过来的服务器证书因为证书链的问题导致部分浏览器及移动设备无法正常访问。当时迫于研究的时间有限,最后的处理方式是使用tomcat扩展的native包调用openssl通过分开指定 证书、私钥、证书链文件 来达到效果(下篇文章中将详细介绍这种方法)。
先来讲讲如何利用上述5个文件来制作出完整的pkcs12文件:(笔者为了方便演示,对后面两个文件重命名了)其实你会发现,没有证书链的证书 _.yuanlangchao.crt 跟CA返回的第一个证书文件 5bc06******.crt 是一样的。也就是说真正可能有用的文件只有下面4个。
其中 gd_bundle-g2-g1.crt、gdig2.crt 是CA的证书文件,也就是证书链文件;gd_bundle-g2-g1.crt 已经包含了 gdig2.crt 中的证书,也就是说真正有用的文件只有3个了;
_.yuanlangchao.key是私钥。
要生成有效完整的pkcs12文件,就必须充分利用这三个文件:
_.yuanlangchao.key
_.yuanlangchao.crt
gd_bundle-g2-g1.crt
这三个文件对应篇中的文件便是:
www.yuanlangchao.com.private.key
www.yuanlangchao.com.pem_nochain.crt
yuan_bundle.crt
具体操作
// 先将上述三个文件合并成一个openssl可识别的pem格式文件(顺序为 私钥、服务器证书、证书链)
[root@oracle openssl]# cat www.yuanlangchao.com.private.key www.yuanlangchao.com.pem_nochain.crt yuan_bundle.crt > www.yuanlangchao.com.pem
// 通过这个简单拼接而成的pem文件导出规范的pkcs12格式文件,这是openssl工具的强大之处
[root@oracle openssl]# openssl pkcs12 -export -in www.yuanlangchao.com.pem -passin pass:yuanlangchao -out www.yuanlangchao.com.p12 -passout pass:yuanlangchao
// 最后用keytool查看生成的www.yuanlangchao.com.p12文件(部分版本的keytool需要加 -storetype PKCS12 才能读取p12文件)
[root@oracle openssl]# keytool -list -rfc -keystore www.yuanlangchao.com.p12 -storepass yuanlangchao
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: 1
Creation date: Sep 22, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Certificate[2]:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
*******************************************
*******************************************
这样一个可用的www.yuanlangchao.com.p12文件就被制作出来了。