如何使用keytool [到cert store]在单个文件中导入多个证书?
keytool -importcert只导入第一个。
答案 0 :(得分:6)
如果要包含CA证书,则应添加-trustcacerts选项。
如果您在一个PEM文件中有多个证书链,则必须split the file。
答案 1 :(得分:1)
我想做同样的事情,但显然只有你导入密钥才有可能:
有两种类型的条目 - 密钥条目和受信任的证书条目, 并且只有密钥条目可以包含附加的证书“链” 它。受信任的证书条目都是单一证书条目。
(https://www.java.net/node/674524#comment-709695)
我甚至尝试converting to PKCS#7 format first,但由于上述原因或因为我的keytool版本太旧而无效。
因此,必须首先将文件拆分为单独的证书:
cat certchain.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > ("cert" n ".pem")}'
(https://serverfault.com/q/391396/58568)
然后单独导入每个。
答案 2 :(得分:1)
您可以简单地使用免费且易于使用的 GUI 工具 Keystore Explorer 导入和管理多个证书。
答案 3 :(得分:0)
给出的答案并不是真正的Ansible解决方案,更像是替代方案。
我在下面写的内容适用于第一张证书,但是没有循环。有什么想法吗?
java_install_keystore_cert: true
java_keystore_certs: "{{ apps.jira.keystore_certs }}"
java_keystore_cert_alias: test
apps:
jira:
keystore_certs:
- certName: xyz.xxx.com
certFileName: xyz.xxx.com.pem
- certName: xxx.com
certFileName: xxx.com.pem
- name: Copy SSL certificate to remote server
copy:
src: "{{ java_keystore_certs[0].certFileName }}"
#src: "{{ java_keystore_cert_file }}"
dest: /tmp/
when: java_install_keystore_cert|default(false)
- name: Determine Java cacerts keystore location
find:
paths: "{{ java_home }}/"
patterns: 'cacerts'
recurse: yes
register: cacerts_file
when: java_install_keystore_cert|default(false)
- name: Import SSL certificate to Java cacerts keystore
java_cert:
cert_alias: "{{ java_keystore_cert_alias }}"
#cert_path: "/tmp/{{ java_keystore_cert_file }}"
cert_path: "/tmp/{{ java_keystore_certs[0].certFileName }}"
keystore_path: "{{ cacerts_file.files[0].path }}"
keystore_pass: changeit
executable: "{{ java_home }}/bin/keytool"
state: present
when: java_install_keystore_cert|default(false) and cacerts_file is defined
答案 4 :(得分:0)
我还改用了不公正的Ansible解决方案。...
copy:
src: "{{ java_keystore_cert_file }}"
dest: /tmp/
when: java_install_keystore_cert|default(false)
- name: Determine Java keystore (cacerts) location
find:
paths: "{{ java_home }}/"
patterns: 'cacerts'
recurse: yes
register: cacerts_file
when: java_install_keystore_cert|default(false)
# Not using the java_cert module (anymore) since that imports the first certificate only
# Always use .pem (simply rename .crt or .cert to .pem if needed)
# The .pem file should contain one or more public certificates, no private key(s) or chain
- name: Transfer the import certificate script
copy:
src: files/scripts/importcert.sh
dest: /tmp/importcert.sh
mode: 0700
when: java_install_keystore_cert|default(false) and cacerts_file is defined
- name: Import certificate to Java keystore
command: sh /tmp/importcert.sh "/tmp/{{ java_keystore_cert_file }}" "{{ java_home }}/bin/keytool" changeit "{{ cacerts_file.files[0].path }}"
when: java_install_keystore_cert|default(false) and cacerts_file is defined
#!/bin/bash
PEM_FILE=$1
KEYTOOL=$2
PASSWORD=$3
KEYSTORE=$4
# number of certs in the PEM file
CERTS=$(grep 'END CERTIFICATE' $PEM_FILE| wc -l)
# For every cert in the PEM file, extract it and import into the JKS keystore
# awk command: step 1, if line is in the desired cert, print the line
# step 2, increment counter when last line of cert is found
for N in $(seq 0 $(($CERTS - 1))); do
ALIAS="${PEM_FILE%.*}-$N"
cat $PEM_FILE |
awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |
$KEYTOOL -noprompt -import -trustcacerts \
-alias $ALIAS -keystore $KEYSTORE -storepass $PASSWORD
done
答案 5 :(得分:0)
您可以使用p11-kit工具来快速完成此任务。 唯一的限制是它从/ etc / pki / ca-trust / source /
读取证书/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors \
--overwrite --purpose server-auth $DEST/java/cacerts