Importing an X509 certificate with a subjectAltName (SAN) into a JKS keystore

Time: 2016-08-26 13:03:06

Tags: x509 keytool pyopenssl

I am creating X509 certificates with pyOpenSSL. I need to import such a certificate into a Java JKS keystore so that my Java application can use it. This works fine as long as I do not add a subjectAltName extension to the certificate. If the certificate has subject alternative names set, the import into the JKS keystore fails:

root@51561a8a1e01:~# /opt/oracle/java/jdk64-1.8.0_92/bin/keytool -keystore keystore -storepass changeit -noprompt -importcert -alias example -file certificate.crt -v
keytool error: java.lang.Exception: Input not an X.509 certificate
java.lang.Exception: Input not an X.509 certificate
    at sun.security.tools.keytool.Main.doCommands(Main.java:1009)655)
    at sun.security.tools.keytool.Main.main(Main.java:336)
root@51561a8a1e01:~#

If I print this certificate with OpenSSL on the command line, I get this output:

root@51561a8a1e01:~# openssl x509 -in certificate.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU=example.com, CN=my-server.example.com, O=example.com
        Validity
            Not Before: Aug 26 12:03:03 2016 GMT
            Not After : Aug 25 12:03:03 2021 GMT
        Subject: OU=example.com, CN=my-server.example.com, O=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cc:a7:53:5a:38:...:11:2f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         ab:51:12:fb:a6:a6:...:0d:4b

That certificate is obviously valid. According to {{3}}, the Java 8 keytool should support the SubjectAlternativeName extension.

When I tried generating everything with keytool itself, which seems to work, I noticed that the certificate generated by keytool has a second extension, X509v3 Subject Key Identifier:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1510484556 (0x5a082a4c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=example.com, OU=example.com, CN=my-server.example.com
        Validity
            Not Before: Aug 26 12:52:43 2016 GMT
            Not After : Nov 24 12:52:43 2016 GMT
        Subject: O=example.com, OU=example.com, CN=my-server.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:99:b6:b1:11:a6:...:7b:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost
            X509v3 Subject Key Identifier:
                66:75:AD:7A:A5:19:AB:43:DE:55:E4:A7:4F:C2:3D:53:55:49:CE:48
    Signature Algorithm: sha256WithRSAEncryption
         50:7c:fe:c8:5d:1b:...:da:27

Do I also need to add this extension to my certificate with pyOpenSSL? But what is the correct value?!

1 answer:

Answer 0 (score: 1)

Well, after writing up all of this question I noticed a second difference between the certificate generated with pyOpenSSL and the keytool certificate: the keytool certificate says Version: 3 (0x2), while the other says Version: 1 (0x0).

I do not know much about the X509 specification, but since the extensions are all prefixed with X509v3, I guess that extension support does not apply to version 1 certificates.

After adjusting my Python code to set the version to 3 (which is actually the value 2, since version 1 is 0), the import into keytool works as expected:

import OpenSSL.crypto

_req = OpenSSL.crypto.X509Req()
_req.set_version(2)  # X.509 v3 is encoded as 2 (v1 is 0)
...
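The version pitfall from the answer, as an added example that is not part of the original question or answer: the same self-signed certificate with a SAN is built once without and once with set_version(2), and a small preflight check reports whether a certificate carries X509v3 extensions while still claiming version 1, which is the shape keytool rejected above. It assumes pyOpenSSL is installed; the function names (make_key, build_san_cert, describe, jks_import_problem) are my own.

```python
from OpenSSL import crypto


def make_key() -> crypto.PKey:
    """Generate one RSA key; reused for both certificates to keep the example fast."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    return key


def build_san_cert(key: crypto.PKey, set_v3: bool) -> crypto.X509:
    """Self-signed cert for my-server.example.com with DNS:localhost as SAN.

    set_v3=False reproduces the question: a fresh X509() defaults to version 0
    (X.509 v1) and pyOpenSSL happily signs it with extensions attached.
    set_v3=True applies the fix from the answer.
    """
    cert = crypto.X509()
    if set_v3:
        cert.set_version(2)  # X.509 v3 is encoded as 2; required for any extension
    subj = cert.get_subject()
    subj.O, subj.OU, subj.CN = "example.com", "example.com", "my-server.example.com"
    cert.set_issuer(subj)
    cert.set_serial_number(1)  # constructed sample value
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(365 * 24 * 3600)
    cert.set_pubkey(key)
    cert.add_extensions([crypto.X509Extension(b"subjectAltName", False, b"DNS:localhost")])
    cert.sign(key, "sha256")
    return cert


def describe(cert: crypto.X509) -> dict:
    """Version and extension short names, mirroring what `openssl x509 -text` shows."""
    names = [cert.get_extension(i).get_short_name().decode()
             for i in range(cert.get_extension_count())]
    return {"version": cert.get_version(), "extensions": names}


def jks_import_problem(cert: crypto.X509):
    """Preflight check before `keytool -importcert`: None if fine, else the reason."""
    info = describe(cert)
    if info["extensions"] and info["version"] != 2:
        return "certificate has X509v3 extensions %s but version %d (expected 2 = v3)" % (
            info["extensions"], info["version"])
    return None


if __name__ == "__main__":
    k = make_key()
    for flag in (False, True):
        c = build_san_cert(k, set_v3=flag)
        print(describe(c), "->", jks_import_problem(c) or "ok")
```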