windows系统的根证书放置在注册表中:KEY_LOCAL_MACHINE-SOFTWARE-Microsoft-SystemCertificate-ROOT-Certificate
java信任的根证书放置位置在:
D:\Program Files\Java\jdk1.6.0_24\jre\lib\security\cacerts
在此目录下用 keytool -list -keystore cacerts 显示所有证书,默认密码changeit
导入操作系统的证书可以通过IE将操作系统中的root证书导出成.cer格式的文件,再通过keytool工具导入JDK的证书库:
keytool -import -file oracle.cer -alias oracle
Enter keystore password:
...
导入后通过证书指纹来验证下库中的证书:
D:\Program Files\Java\jdk1.6.0_24\jre\lib\security>keytool -list -keystore cacerts|findstr DB:23
Enter keystore password: changeit
Certificate fingerprint (MD5): DB:23:3D:F9:69:FA:4B:B9:95:80:44:73:5E:7D:41:83
keytool可以直接在命令行输出.cer证书的内容:
keytool -printcert -file "oracle.cer"
keystore中有几种Entry,其
KeyStore.Entry
|-KeyStore.PrivateKeyEntry
|-KeyStore.TrustedCertificateEntry
|-KeyStore.SecretKeyEntry
PrivateKeyEntry保存私钥和对应的证书链。其实就是非对称算法的公钥和私钥。
TrustedCertificateEntry保存受信任的证书。
SecretKeyEntry保存一个SecretKey,其保存的是一个对称算法的密钥。
KeyStore有几种类型,常用的就是JKS,JCEKS。 JKS是keystore的默认类型,但这个类型只能存储公私钥和证书,如果还需要存储secret key,只能用JCEKS:
keytool -genseckey -alias seckey -keyalg DES -storetype jceks
查询时也要强制指定类型,因为默认类型是JKS:
keytool -list -storetype JCEKS
生成公钥对:
keytool -genkeypair -alias pubKey -keyalg "RSA" -storetype JCEKS
Keytool 生成keypair的源码如下,如果自己想直接定制一个可以直接参考:
private void doGenCert(String alias, String sigAlgName, InputStream in, PrintStream out)
throws Exception {
Certificate signerCert = keyStore.getCertificate(alias);
byte[] encoded = signerCert.getEncoded();
X509CertImpl signerCertImpl = new X509CertImpl(encoded);
X509CertInfo signerCertInfo =
(X509CertInfo)signerCertImpl.get(
X509CertImpl.NAME + "." + X509CertImpl.INFO);
X500Name issuer =
(X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." +
CertificateSubjectName.DN_NAME);
Date firstDate = getStartDate(startDate);
Date lastDate = new Date();
lastDate.setTime(firstDate.getTime() +
validity*1000L*24L*60L*60L);
CertificateValidity interval = new
CertificateValidity(firstDate,
lastDate);
PrivateKey privateKey =
(PrivateKey)recoverKey(alias, storePass,
keyPass).fst;
if (sigAlgName == null) {
sigAlgName =
getCompatibleSigAlgName(privateKey.getAlgorithm());
}
Signature signature = Signature.getInstance(sigAlgName);
signature.initSign(privateKey);
X509CertInfo info = new X509CertInfo();
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.SERIAL_NUMBER, new
CertificateSerialNumber(
new java.util.Random().nextInt() & 0x7fffffff));
info.set(X509CertInfo.VERSION,
new CertificateVersion(CertificateVersion.V3));
info.set(X509CertInfo.ALGORITHM_ID,
new CertificateAlgorithmId(
AlgorithmId.getAlgorithmId(sigAlgName)));
info.set(X509CertInfo.ISSUER, new
CertificateIssuerName(issuer));
BufferedReader reader = new BufferedReader(new
InputStreamReader(in));
boolean canRead = false;
StringBuffer sb = new StringBuffer();
while (true) {
String s = reader.readLine();
if (s == null) break;
// OpenSSL does not use NEW
//if (s.startsWith("-----BEGIN NEW CERTIFICATE
REQUEST-----")) {
if (s.startsWith("-----BEGIN") && s.indexOf("REQUEST")
>= 0) {
canRead = true;
//} else if (s.startsWith("-----END NEW CERTIFICATE
REQUEST-----")) {
} else if (s.startsWith("-----END") &&
s.indexOf("REQUEST") >= 0) {
break;
} else if (canRead) {
sb.append(s);
}
}
byte[] rawReq = new BASE64Decoder().decodeBuffer(new
String(sb));
PKCS10 req = new PKCS10(rawReq);
info.set(X509CertInfo.KEY, new
CertificateX509Key(req.getSubjectPublicKeyInfo()));
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(
dname==null?req.getSubjectName():new
X500Name(dname)));
CertificateExtensions reqex = null;
Iterator attrs =
req.getAttributes().getAttributes().iterator();
while (attrs.hasNext()) {
PKCS10Attribute attr = attrs.next();
if
(attr.getAttributeId().equals(PKCS9Attribute.EXTENSION_REQUEST_OID)) {
reqex =
(CertificateExtensions)attr.getAttributeValue();
}
}
CertificateExtensions ext = createV3Extensions(
reqex,
null,
v3ext,
req.getSubjectPublicKeyInfo(),
signerCert.getPublicKey());
info.set(X509CertInfo.EXTENSIONS, ext);
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privateKey, sigAlgName);
dumpCert(cert, out);
for (Certificate ca: keyStore.getCertificateChain(alias)) {
if (ca instanceof X509Certificate) {
X509Certificate xca = (X509Certificate)ca;
if (!isSelfSigned(xca)) {
dumpCert(xca, out);
}
}
}
}