How to remove just one certificate from a certificate chain in a Java keystore

2022-01-25 | Tags: https, ssl, ssl-certificate, keystore, java

I have a Tomcat server with a certificate chain for HTTPS stored in a Java keystore. The chain includes the self-signed root CA certificate. Although this is apparently okay by the TLS spec, some validation services warn about it, and it's probably better to leave it off.

How can I edit the keystore to remove just the self-signed root CA certificate, but leave the rest of the chain and the private key intact?

Recommended answer

First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):

keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12

Next, export a PEM file with key and certs from the PKCS12 file:

openssl pkcs12 -in old.p12 -out pemfile.pem -nodes

Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes").

Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, e.g. "tomcat", at this point.

openssl pkcs12 -export -in pemfile.pem -name tomcat -out new.p12

Finally, convert back from PKCS12 to JKS:

keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12

The new.jks file is what you want.
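The hand-editing step in the answer (delete the root certificate and its preceding "Bag Attributes" from pemfile.pem) can be scripted and checked instead. This is an added example, not code from the answer: it assumes the text layout that `openssl pkcs12 -nodes` writes, with a subject= and issuer= line before each certificate, and picks out the self-signed root by subject equal to issuer, which is a name comparison rather than a signature check; the sample bundle and its PLACEHOLDER bodies are constructed.

```python
import sys

def split_items(text):
    """Split an `openssl pkcs12 -nodes` bundle into items: a 'Bag Attributes' header plus its PEM block."""
    items = []
    for line in text.splitlines(keepends=True):
        if line.startswith("Bag Attributes") or not items:
            items.append([])
        items[-1].append(line)
    return items

def is_self_signed(item):
    # Name-based heuristic on the subject= / issuer= lines openssl prints per certificate:
    # a self-signed root has subject == issuer. The private-key item has neither line, so it stays.
    names = dict(l.rstrip("\n").split("=", 1) for l in item if l.startswith(("subject=", "issuer=")))
    return "subject" in names and names["subject"] == names.get("issuer")

def strip_self_signed_root(text):
    """The bundle without self-signed certificates, their Bag Attributes included."""
    return "".join("".join(it) for it in split_items(text) if not is_self_signed(it))

def summary(text):
    """(private keys, certificates) present: confirm both survived before `openssl pkcs12 -export`."""
    begins = [l for it in split_items(text) for l in it if l.startswith("-----BEGIN")]
    return sum("PRIVATE KEY" in l for l in begins), sum("CERTIFICATE" in l for l in begins)

# Constructed sample in the layout openssl writes; the base64 bodies are placeholders, not real material.
SAMPLE = """Bag Attributes
    friendlyName: tomcat
-----BEGIN PRIVATE KEY-----
PLACEHOLDER_KEY
-----END PRIVATE KEY-----
Bag Attributes: <No Attributes>
subject=CN = www.example.com
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER_LEAF
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Root CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER_ROOT
-----END CERTIFICATE-----
"""

if __name__ == "__main__":  # usage: python strip_root.py pemfile.pem > pemfile.edited.pem
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("(keys, certs) before", summary(src), "after", summary(strip_self_signed_root(src)), file=sys.stderr)
    sys.stdout.write(strip_self_signed_root(src))
```

Run it on pemfile.pem between the export step and the `openssl pkcs12 -export` step; the counts printed on stderr should show exactly one key and one certificate fewer than before.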