在 tomcat 中安装 GoDaddy SSL 证书...没有证书与私钥匹配

2022-01-25 00:00:00 ssl-certificate pkcs#12 java keytool tomcat

生成 Tomcat 密钥库

Generate the Tomcat KeyStore

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore
    tomcat.keystore

生成证书密钥库

keytool -genkey -alias tomcatCert -keyalg RSA -keystore tomcat.keystore

生成密钥

keytool -certreq -alias tomcat -file csr.txt -keystore tomcat.keystore -storepass pa$$word

合并证书

cat mydomain.crt gd_bundle-g2-g1.crt > combinedcerts

创建 P12 密钥库

keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcatkey.p12 -deststoretype PKCS12 -storepass pa$$word

生成 PEM

openssl pkcs12 -in tomcatkey.p12 -out tomcatkey.pem -nodes

正在将剩余的 CRT 文件导出到密钥库...

Exporting remaining CRT files to keystore...

openssl pkcs12 -export -chain -CAfile gd_bundle-g2-g1.crt -in combinedcerts -inkey tomcatkey.pem -out new.tomcat.keystore -name tomcat -passout pass:pa$$word

在最后一步中,我收到以下错误:没有证书与私钥匹配"

And in this last step I'm getting the following error: "No certificate matches private key"

几年前同样的步骤有效,服务器是相同的......只有 JDK 是 8u131 与之前的 8u45.

This same steps worked a couple of years ago, server is the same... only JDK is 8u131 vs 8u45 from before.

有人可以指导我做错什么吗?谢谢!

Can someone guide me on what I might be doing wrong? Thank you!

推荐答案

生成 Tomcat 密钥库

Generate the Tomcat KeyStore

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore
tomcat.keystore

没有.这一步可以创建密钥库文件,但更重要的是它创建了 RSA 类型的密钥对.

No. This step creates the keystore file all right, but more importantly it creates the keypair, of type RSA.

生成证书密钥库

keytool -genkey -alias tomcatCert -keyalg RSA -keystore tomcat.keystore

没有.此步骤不会生成证书密钥库",无论它应该是什么.除了在 same 密钥库中创建另一个别名下的另一个密钥对之外,它什么也不做,并且该别名在整个过程的其余部分中保持未使用状态.通过检查与上一步相同,除了没有意义的别名更改和丢失的密钥大小,这使其无用.省略.

No. This step does not 'generate the certificate keystore', whatever that is supposed to be. It does nothing except create another keypair, under another alias, in the same keystore, and the alias remains unused throughout the rest of the procedure. It is identical by inspection to the previous step, with the exception of the alias change, which is pointless, and the missing key size, which make make it useless. Omit.

生成密钥

keytool -certreq -alias tomcat -file csr.txt -keystore tomcat.keystore -storepass pa$$word

您已经在第一步中生成了密钥.此步骤生成证书签名请求 (CSR).

You already generated the keys in the first step. This step generates the Certificate Signing Request (CSR).

合并证书

cat mydomain.crt gd_bundle-g2-g1.crt > combinedcerts

这里缺少一个步骤,即您提交 CSR 并进行签名.大概这个过程的结果是 mydomain.crt 和 Godaddy 捆绑文件.

There's a step missing here, where you submitted the CSR and got it signed. Presumably the results of this process were mydomain.crt and the Godaddy bundle file.

创建 P12 密钥库

keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcatkey.p12 -deststoretype PKCS12 -storepass pa$$word

为什么?如果您想要 P12 密钥库,您可以在第 1 步及之后使用 -storetype PKCS12.这里缺少一个步骤,将连接的证书导入回原始密钥库.

Why? You could have used -storetype PKCS12 at step 1 and following, if you wanted a P12 keystore. And there is a step missing here, where you import the concatenated certificates back into the original keystore.

生成 PEM

openssl pkcs12 -in tomcatkey.p12 -out tomcatkey.pem -nodes

为什么?

正在将剩余的 CRT 文件导出到密钥库...

Exporting remaining CRT files to keystore...

openssl pkcs12 -export -chain -CAfile gd_bundle-g2-g1.crt -in combinedcerts -inkey tomcatkey.pem -out new.tomcat.keystore -name tomcat -passout pass:pa$$word

为什么?

我不知道您为什么要执行这些 OpenSSL 步骤.Tomcat 已经可以处理 tomcat.keystoretomcat.p12 了.

I don't know why you're doing these OpenSSL steps. Tomcat can already handle either tomcat.keystore or tomcat.p12 as they already are.

在最后一步中,我收到以下错误:没有证书与私钥匹配"

And in this last step I'm getting the following error: "No certificate matches private key"

我不知道您为什么要执行大部分这些步骤.您从未使用过 tomcatCert 别名,而是通过进一步的三个无意义的步骤而不是一个步骤来放置一个已经完全足够的 tomcat.keystore 文件.

I don't know why you're doing most of these steps. You're never using the tomcatCert alias, and you're putting an already perfectly adequate tomcat.keystore file through not one but three further pointless steps.

几年前同样的步骤有效,服务器是相同的......只有 JDK 是 8u131 与之前的 8u45.

This same steps worked a couple of years ago, server is the same... only JDK is 8u131 vs 8u45 from before.

我对此表示怀疑.它们被贴错标签、冗余、不完整且完全不连贯.更有可能有人只是无助地四处乱窜,直到有什么东西起作用,然后尽可能多地写下他们能记住的东西.根本不需要使用 OpenSSL 工具.您只需要:

I doubt it. They are mislabelled, redundant, incomplete, and totally incoherent. More probably somebody just flailed around helplessly until something worked and then wrote down as much as they could remember. There is no need to use the OpenSSL tool at all. All you need is:

  1. 生成密钥对:keytool -genkey.
  2. 生成 CSR:keytool -certreq.
  3. 签署 CSR.
  4. 连接证书,首先是新签名的证书,然后是捆绑包.
  5. 使用与 (1) 和 (2) 相同的别名将连接的文件导入同一密钥库.

相关文章