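I am trying to create a BKS keystore but am unable to import the certificate reply
I am getting the error keytool error: java.lang.Exception: Failed to establish chain from reply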
java.lang.Exception: Failed to establish chain from reply
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:3375)
at sun.security.tools.KeyTool.installReply(KeyTool.java:2583)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:998)
at sun.security.tools.KeyTool.run(KeyTool.java:340)
at sun.security.tools.KeyTool.main(KeyTool.java:333)
Steps to create the BKS keystore:
Step 1: Create the root CA key and CA cert using openssl
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -out cacert.crt -outform PEM -keyout cakey.pem -config openssl-ca.cnf
Step 2: Import the CA cert into keytool's cacerts keystore as a trusted CRT
keytool -importcert -alias root-ca -file cacert.crt -keystore cacerts -storepass changeit
Step 3: Import the cert into the BKS keystore as a trusted CRT
keytool -importcert -storetype BKS -keystore mykeystore.bks -alias root-ca -file cacert.crt -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keypass bks123 -storepass bks123 -providerpath bcprov-ext-jdk15on-154.jar
Step 4: Generate the key pair
keytool -genkeypair -alias java-client2-key -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype BKS -keystore mykeystore.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keypass bks123 -storepass bks123 -providerpath bcprov-ext-jdk15on-154.jar
Step 5: Generate the certificate signing request (CSR)
keytool -certreq -alias java-client2-key -file client2-ugoca.csr -storetype BKS -keystore mykeystore.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keypass bks123 -storepass bks123 -providerpath bcprov-ext-jdk15on-154.jar
Step 6: Sign the CSR using the self-signed root CA created in Step 1
openssl x509 -req -days 365 -in client2-ugoca.csr -CA cacert.crt -CAkey cakey.pem -set_serial 300661 -out java-client2.crt
Step 7: Import the signed certificate into the keystore
keytool -v -importcert -alias java-client2-key -file java-client2.crt -trustcacerts -storetype BKS -keystore mykeystore.bks -keypass bks123 -storepass bks123 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-ext-jdk15on-154.jar
Note: I am able to create a Java JKS keystore using the steps above
Any help is much appreciated....!
Answer 0 (score: 1)
After Step 6: we need to create a client CRT that has the root CRT in it, as shown below
Then in Step 7: import client_chain.crt, as shown below
keytool -v -importcert -alias java-client2-key -file client_chain.crt -trustcacerts -storetype BKS -keystore mykeystore.bks -keypass bks123 -storepass bks123 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-ext-jdk15on-154.jar
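The following is an added example, not part of the question or the answer: one way to produce a client_chain.crt like the one the answer imports and to check it before running keytool. It assumes both certificates are PEM files and puts the client cert first, then the root; the function names and the throwaway demo PKI are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): build a chain file for keytool's
# -importcert from a signed client cert and its root CA cert.
# Assumption: inputs are PEM; chain order is client cert first, then root.

# build_chain LEAF CA OUT
# Fails (non-zero) unless LEAF verifies against CA, so a mismatched
# reply is caught before keytool reports "Failed to establish chain".
build_chain() {
    leaf=$1; ca=$2; out=$3
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 || return 1
    # Re-encode through openssl so only the certificate blocks are kept.
    { openssl x509 -in "$leaf" -outform PEM &&
      openssl x509 -in "$ca" -outform PEM; } > "$out"
}

# count_certs FILE: print how many PEM certificates FILE contains.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# make_demo_pki DIR: constructed throwaway root CA and client cert,
# mirroring steps 1, 5 and 6 of the post with openssl only.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=java-client2" \
        -keyout "$d/client2.key" -out "$d/client2-ugoca.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$d/client2-ugoca.csr" \
        -CA "$d/cacert.crt" -CAkey "$d/cakey.pem" -set_serial 300661 \
        -out "$d/java-client2.crt" 2>/dev/null
}

# Usage: sh build_chain.sh java-client2.crt cacert.crt client_chain.crt
if [ "$#" -eq 3 ]; then
    build_chain "$1" "$2" "$3" && count_certs "$3"
fi
```

A chain file that passes this check contains two certificates; a non-zero exit from build_chain means the signed cert was not issued by the CA file supplied.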