Import PKCS7 (Chained Certificate) using KeyTool command to JKS

Submitted by 橙三吉。 on 2019-12-22 04:33:28

Question


I have a CA-issued cert in PKCS#7 format. It has certificates (chained) within it. Keytool does not recognize the PKCS#7 format. I have tried the OpenSSL tool to convert the PKCS#7 certificate to PEM format and it fails. I receive the error message "Unable to load PKCS7 object".

How do I import the PKCS7 cert chain to my JKS?


Answer 1:


As you can read in the keytool reference for the -importcert command:

Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply) from the file cert_file, and stores it in the keystore entry identified by alias. If no file is given, the certificate or PKCS#7 reply is read from stdin.

keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type.

Try to import the PKCS7 cert as it is.

However, it doesn't always work. If you have problems, try the following (using OpenSSL):

  1. Print all the certs it contains to a PEM file

    OpenSSL> pkcs7 -in initial_file.p7b -inform DER -print_certs -outform PEM -out certs_chain.pem

  2. Open the new PEM file (certs_chain.pem) with an editor and delete everything outside -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- boundaries (keep only the encoded content within the boundaries, the certificates themselves) and save it.

Now keytool should have no problems importing your cert, using certs_chain.pem as cert_file.
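The procedure from this answer end to end, as an added example that is not part of the original post and not code from the OpenSSL or keytool projects. Because the script has to run offline, it first constructs its own two-certificate chain (a self-signed "Demo Root CA" and a leaf it signs) and bundles it into a DER PKCS#7 file named initial_file.p7b, standing in for the CA reply; the step 1 conversion is then run as in the answer, step 2 (deleting everything outside the BEGIN/END CERTIFICATE boundaries) is done with sed instead of an editor, and the result is imported into a JKS. Two additions go beyond the answer: the "Unable to load PKCS7 object" error from the question is most often a DER/PEM mismatch, so both -inform values are tried; and a JKS trustedCertEntry holds exactly one certificate, so each certificate in the bundle is imported under its own alias rather than the whole bundle under one. The scratch directory, the keystore password changeit, and the alias prefix chain are assumptions; openssl must be on PATH, and the keytool import is skipped with a message when keytool is not.

```shell
#!/bin/sh
# Added example (not from the original post): the answer's procedure end to end.
# A constructed two-certificate chain is generated locally and bundled into a
# DER PKCS#7 (.p7b) so that the script runs offline; real input is a CA reply.
set -eu

WORK="${WORK:-$(mktemp -d)}"           # scratch directory (assumption)
STOREPASS="${STOREPASS:-changeit}"     # keystore password (assumption)

# Constructed test data: self-signed "Demo Root CA" plus a leaf it signs,
# bundled into DER PKCS#7 with crl2pkcs7 (the shape a .p7b CA reply has).
make_demo_p7b() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=Demo Root CA" -days 30 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=leaf.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/leaf.pem" -days 30 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/leaf.pem" -certfile "$WORK/ca.pem" \
    -outform DER -out "$WORK/initial_file.p7b"
  echo "$WORK/initial_file.p7b"
}

# Steps 1 and 2 of the answer: dump every certificate as PEM, then keep only
# the -----BEGIN/END CERTIFICATE----- blocks (sed drops the subject=/issuer=
# lines the answer says to delete by hand). The question's "Unable to load
# PKCS7 object" error is usually a DER/PEM mismatch, so both encodings are tried.
p7b_to_pem_bundle() {  # $1 = input PKCS#7 file, $2 = output PEM bundle
  for fmt in DER PEM; do
    if openssl pkcs7 -in "$1" -inform "$fmt" -print_certs 2>/dev/null \
         | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$2" \
       && [ -s "$2" ]; then
      return 0
    fi
  done
  echo "could not load $1 as PKCS#7 in DER or PEM form" >&2
  return 1
}

# Number of certificates in a PEM bundle (prints 0 instead of failing).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Write each certificate of a PEM bundle to its own file; prints the paths.
split_bundle() {  # $1 = bundle PEM, $2 = output file prefix
  awk -v dir="$WORK" -v p="$2" '
    /-----BEGIN CERTIFICATE-----/ { if (f != "") close(f); n++; f = dir "/" p "-" n ".pem" }
    f != "" { print > f }' "$1"
  ls "$WORK/$2"-*.pem
}

# Subjects of every certificate in the bundle: check this before importing so
# you know which CAs you are about to trust.
bundle_subjects() {  # $1 = bundle PEM
  for c in $(split_bundle "$1" subj); do
    openssl x509 -in "$c" -noout -subject
  done
}

# Import into a JKS. A trustedCertEntry holds exactly one certificate, so each
# certificate of the chain gets its own alias (prefix-1, prefix-2, ...).
# -storetype JKS is explicit because newer JDKs default to PKCS12.
import_pem_bundle() {  # $1 = bundle PEM, $2 = keystore path, $3 = alias prefix
  for c in $(split_bundle "$1" "$3"); do
    keytool -importcert -noprompt -storetype JKS -keystore "$2" \
      -storepass "$STOREPASS" -alias "$(basename "$c" .pem)" -file "$c"
  done
}

main() {
  p7b=$(make_demo_p7b)
  p7b_to_pem_bundle "$p7b" "$WORK/certs_chain.pem"
  echo "certificates in bundle: $(count_certs "$WORK/certs_chain.pem")"
  bundle_subjects "$WORK/certs_chain.pem"
  if command -v keytool >/dev/null 2>&1; then
    import_pem_bundle "$WORK/certs_chain.pem" "$WORK/truststore.jks" chain
    keytool -list -storetype JKS -keystore "$WORK/truststore.jks" -storepass "$STOREPASS"
  else
    echo "keytool not on PATH; JKS import skipped" >&2
  fi
}

main
```

Point p7b_to_pem_bundle at the real CA reply instead of the constructed initial_file.p7b to use it for the question's case. Splitting the bundle before importing matters in practice as well as for correctness: it lets you read each subject and decide whether the intermediate and root really belong in your trust store, rather than trusting whatever the reply happened to contain.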




Answer 2:


Another approach is to use IE to create an X.509 certificate. You can find the steps in my article on doing SSL between WLS and IIS at http://techblog.fywservices.com/2012/10/establishing-weblogic-server-https-trust-of-iis-using-a-microsoft-local-certificate-authority/



Source: https://stackoverflow.com/questions/15814569/import-pkcs7-chained-certificate-using-keytool-command-to-jks
