如何从 PEM/PKCS7/DER 和私钥创建 SSLContext?

时间:2021-07-07 20:49:06

标签: java ssl ssl-certificate keystore sslcontext

我需要为 Cloudflare 源证书创建一个 SSLContext

提供了证书和私钥。证书以下列格式提供:

  • PEM
  • PKCS#7
  • DER

私钥以单一格式提供,其名称未指定。下面是一个例子:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKmiJFzrd/3y5S
uKGStmnyUdJKNzJEtgeoyZ6M+S4aFohyC6xM5wDvpWiXtzg1zppUCS2z6LaJRP1N
JlGE3JqolPXnl8hA5sqqD0ytgWKF9/5VRhoqjUayIQ+p593PBbg41Wc0N6ZavhLF
Lf/eIzKPQpsVQnzSMAUZXbwBCPNql9t3flZvmKveBuHD8ZaCjXvHaekOowneVPnM
D8XSlLoAbCAtAZmX6eLl2QxbmXjczsiNMHRFC0GO6sf43rq9bE7x3K3TzMv/EM+v
0VLR/WL9UadqC8+P2cfzrg5aAqsQFi4q3sUI5UwWrfPFvff30ZQSvHxWSqEFdVY0
uoW51ybHAgMBAAECggEABpPXIFcOuWBghkpSNzYkMxFu91PawO+mngHgW4lMyDIK
afwbsuoeVf6+ajaGOlD5IlijRYpSQBtKR0fthkJh5Fk5sTQfSeQe7kMi5SXPMgmU
FeakZinsrU8feA+msYLpBodUcMCMbmO/WOweY3LXFbQ+3q4oPpaqg7akVOWafs+y
emGBOA57kNu7/AerTZ5ydQZBbGDAxR+Vmgpd2BiSneeTHWFLHqC6xRXw904x+HTz
rOO7VJOoA7cAdYlMzrOvgurqjb0ba+wdKfHgbCIos7nj3/YfVNlFxr2IkmnXauLC
O6KaIydQ2rdN5bPdpiHx3WeyYroF2ti9VmK7gz3gGQKBgQD060UuIrNeYxE8yEkC
dJmGRtn9cUhtbVinvWVKBaahgSjfpNmmcuO1FknygIbSIUuP1ZkNVIPeAsrQt3EN
RU/QNglCAibBqxKY0CwvsroN/5e07l65zSWSSXcWl10gwySSz4Er1sNSF45GGV+h
zoJEtc5cp+m2RauSNzjwrmEdvQKBgQDTxLxGEnTPJNCQmOCv+V5FstmpmnHvb8en
VCykp0zSX6K+T7eXY+3oILqwyXyeoflcB6zfbC3MyEhfTrFLxPnwCtMLKeI4kUBh
OBM5vbGvUymIDuhTxMwJtOLJZ1B+n00n4gXprc6N007uKe4yTmrIhdn5sH7EOPVr
YT4in7p00wKBgQCeZrNdfU/o0cXKO/cMQYExmQ1Pnz6qlzfpdNLXpwP4HGLlEec6
gb/H1NyKnJmVubb3FbxhJLIMml21046oeJWAIhKmwGF0jEIA11Jcnwk6GH5zpF9b
Z9TO4fjFgavXjp5O3Sm7wrCcnWOE7tAtBDS4X6VRw7+iBTlL3a9T6lQhOQKBgFSj
D6Bt5fOYQidYgoyyfMQcjDPl/11z7nbpBIK2PtTh1jh7weOm08Hvus3HaaA5GmF2
y9fr844iChLVb7TZwA75NIoErl5vZyyz7bMpJqfs8+9mDeLVB7tlaTKXsSs6Xerv
we84QRKb/rLfXU0L3E/Sd2D88l1YanYFQoEyF6JzAoGADBtkMM9pF7eyLqBey1zd
NKxSa3hNikeg6OVG4Lj/sEH6vXjvkz/dCBkR5YSMl0EPGBqh1YC+zqbnDrgth7sQ
n3IfJ2wZ3mgfjriq5RCNqA8+Dv2WpcdgqN1W7s2WV88hQXTl8TsqUyIDl4PWrOHV
3DjkEpNcjyFspPaidOGrDfw=
-----END PRIVATE KEY-----

在 Java 11 中,如何创建一个 KeyManager[],然后我可以使用它以下列方式创建一个 SSLContext

KeyManager[] keyManagers = ...
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, null, null);

1 个答案:

答案 0 :(得分:0)

将 PEM 证书和私钥转换为 PKCS12:

openssl pkcs12 -export -out localhost.p12 -inkey localhost.key -in localhost.crt

然后,创建 SSLContext

char[] password = ...

KeyStore keyStore = KeyStore.getInstance("PKCS12");
try (InputStream stream = ...) {
    keyStore.load(stream, password);
}

KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password);

TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

要为本地开发生成自签名证书,请使用:

openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:2048 -days 360 -nodes -sha256 -subj '/CN=localhost' -extensions EXT -config <( printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
相关问题
最新问题