我想使用keytool程序将证书创建为PKCS12密钥库格式。
密钥库的扩展名为.pfx。
我如何实现这一目标?
答案 0 :(得分:23)
如果密钥库是PKCS12类型(.pfx),则必须使用-storetype PKCS12指定它(为了便于阅读而添加了换行符):
keytool -genkey -alias <desired certificate alias>
-keystore <path to keystore.pfx>
-storetype PKCS12
-keyalg RSA
-storepass <password>
-validity 730
-keysize 2048
答案 1 :(得分:1)
问题的键的附加答案。
使用JDK 8( 1.8.0_121-b13 )如果删除-storetype pkcs12但keytool创建JKS密钥库,则不会出现异常相反,.pfx扩展名被忽略。
它还要求-keypass mykeypassword keytool不支持PKCS12。
%JAVA_HOME%/bin/keytool -genkeypair -alias mykey -keyalg EC -dname "cn=CN, ou=OU, o=O, c=C" -validity 365 -keystore keystore.pfx -keypass mykeypassword -storepass mystorepassword -v
(translated)
Generating keypair (Type EC, 256 Bit) and self-signed certificate (SHA256withECDSA) with a validity of 365 days
for: CN=CN, OU=OU, O=O, C=C
[keystore.pfx saved]
列出内容:
%JAVA_HOME%/bin/keytool -list -keystore keystore.pfx -storepass mystorepassword
(translated)
Keystore-Type: JKS
Keystore-Provider: SUN
Keystore contains 1 entry.
mykey, 25.04.2017, PrivateKeyEntry,
Certificate-Fingerprint (SHA1): A1:6C:5F:8F:43:37:1A:B6:43:69:08:DE:6B:B9:4D:DB:05:C9:D5:84
您认为它是一个Java密钥库。
下一个问题是,即使您在-storetype pkcs12密钥库时指定-list,keytool仍会将商店显示为JKS密钥库!
我们试试看:
%JAVA_HOME%/bin/keytool -genkeypair -alias mykey -keyalg EC -dname "cn=CN, ou=OU, o=O, c=C" -validity 365 -storetype pkcs12 -keystore keystore.pkx -keypass mykeypassword -storepass mystorepassword -v
(translated)
Warning: No support for different keystore and key password for PKCS12 keystores. The value of -keypass will be ignored.
Generating keypair (Type EC, 256 Bit) and self signed certificate (SHA256withECDSA) with a validity of 365 Days
für: CN=CN, OU=OU, O=O, C=C
[keystore.pkx saved]
现在列出内容:
%JAVA_HOME%/bin/keytool -list -keystore keystore.pkx -storepass mystorepassword
(translated)
Keystore-Type: JKS // ??
Keystore-Provider: SUN
Keystore contains 1 entry
mykey, 25.04.2017, PrivateKeyEntry,
Certificate Fingerprint (SHA1): EA:C2:36:C6:55:69:CB:32:22:C7:14:83:67:47:D2:7E:06:8E:13:14