Java将pfx证书转换为jks

目的:将已有的pfx证书转换为jks,供tomcat认证用

过程:

    我们可以通过如下java代码将pfx证书转换为jks,代码如下:

package com.yangangus.util;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class ConventPFXToJKS {

    public static final String PKCS12 = "PKCS12";
    public static final String JKS = "JKS";
    public static final String PFX_KEYSTORE_FILE = "D:\\temp\\certs\\wildcard_test_com.pfx";// pfx文件位置
    public static final String PFX_PASSWORD = "pfx_password";// 导出为pfx文件的设的密码
    public static final String JKS_KEYSTORE_FILE = "D:\\temp\\certs\\keystore.jks"; // jks文件位置
    public static final String JKS_PASSWORD = "jks_password";// JKS的密码

    public static void coverTokeyStore() {
        FileInputStream fis = null;
        FileOutputStream out = null;
        try {
            KeyStore inputKeyStore = KeyStore.getInstance("PKCS12");
            fis = new FileInputStream(PFX_KEYSTORE_FILE);
            char[] pfxPassword = null;
            if ((PFX_PASSWORD == null) || PFX_PASSWORD.trim().equals("")) {
                pfxPassword = null;
            } else {
                pfxPassword = PFX_PASSWORD.toCharArray();
            }
            char[] jksPassword = null;
            if ((JKS_PASSWORD == null) || JKS_PASSWORD.trim().equals("")) {
                jksPassword = null;
            } else {
                jksPassword = JKS_PASSWORD.toCharArray();
            }

            inputKeyStore.load(fis, pfxPassword);
            fis.close();
            KeyStore outputKeyStore = KeyStore.getInstance("JKS");
            outputKeyStore.load(null, jksPassword);
            Enumeration enums = inputKeyStore.aliases();
            while (enums.hasMoreElements()) { // we are readin just one
                // certificate.
                String keyAlias = (String) enums.nextElement();
                System.out.println("alias=[" + keyAlias + "]");
                if (inputKeyStore.isKeyEntry(keyAlias)) {
                    Key key = inputKeyStore.getKey(keyAlias, pfxPassword);
                    Certificate[] certChain = inputKeyStore.getCertificateChain(keyAlias);
                    outputKeyStore.setKeyEntry(keyAlias, key, jksPassword, certChain);
                }
            }

            out = new FileOutputStream(JKS_KEYSTORE_FILE);
            outputKeyStore.store(out, jksPassword);
            out.close();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (fis != null) {
                try {
                    fis.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
            if (out != null) {
                try {
                    out.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
    }

    public static void main(String[] args) {
        // TODO Auto-generated method stub
        coverTokeyStore(); // pfx to jks
    }

}

这样我们就获取到jks了,接下来我们可以用keytool来导出公钥(alias的值在上面java代码运行时会打印出来,替代certificatekey即可):

keytool -export -alias certificatekey -keystore keystore.jks -rfc -file keycert.cer

我们获得证书后,再将证书添加到truststore中,可以运行如下命令(alias的值在上面java代码运行时会打印出来,替代certificatekey即可,file后面的cer是我们上一步导出的公钥):

keytool -import -alias certificatekey -file keycert.cer  -keystore trustkeystore.jks

在运行这个命令过程中会提示输入密码,即你truststore的密码。生成完成后,我们接下来就是配置tomcat。

修改配置tomcat的server.xml,类似如下,配置单向验证,另外ciphers如果不加入,可能类似firefox访问会有问题:

 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
               keystorePass="jks_password" keystoreFile="/webapp/keystore.jks"
               truststoreFile="/webapp/trustkeystore.jks" truststorePass="trust_password"/>

配置完成后启动tomcat,用https访问就可以了!

转载于:https://www.cnblogs.com/angusyang/p/6830331.html

你可能感兴趣的:(Java将pfx证书转换为jks)