生成证书库
keytool将密钥(key)和证书(certificates)存储在keystore文件中
# Generate an RSA key pair plus a self-signed certificate under alias "privateKey" in privateKeys.keystore.
# -storepass / -keypass are given on the command line; on most shells they end up in history and in `ps`
#   output, so outside a throwaway setup enter them at the interactive prompt instead.
# NOTE(review): -keysize 1024 is below current guidance for RSA signing keys (2048 or more); the sample
#   keys shown further down on this page were produced with this 1024-bit setting.
keytool -genkey -keysize 1024 -validity 3650 -keyalg RSA -alias "privateKey" -keystore "privateKeys.keystore" -storepass "soyuan.123" -keypass "soyuan.123" -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN"
genkey: 表示生成密钥对(公钥和私钥)
storepass: 密码库密码
keypass: 私钥密码
alias: 别名
validity: 36500 有效期(天);不指定时默认约 90 天
dname “CN=jwt,OU=jtw,O=jwt,L=zurich,S=zurich, C=CH” 名字与姓氏,组织单位,城市,区县,国家代码
keyalg RSA: 指定密钥算法(如 RSA、DSA;如果不指定,默认采用 DSA)
执行完会出现警告: JKS 密钥库使用专用格式。建议使用 “keytool -importkeystore -srckeystore privateKeys.keystore -destkeystore privateKeys.keystore -deststoretype pkcs12” 迁移到行业标准格式 PKCS12。
查看证书
# List every entry in verbose form (owner, issuer, validity, fingerprints)
keytool -list -v -keystore privateKeys.keystore -storepass soyuan.123
# Print the certificates in PEM form instead of the human-readable summary
keytool -list -rfc -keystore privateKeys.keystore -storepass soyuan.123
# Show the public key: pipe the PEM output into openssl (the certificate itself is echoed too; add -noout to print only the key)
keytool -list -rfc --keystore privateKeys.keystore | openssl x509 -inform pem -pubkey
# The certificate file is exported further below so the Java program can use it
JKS转换到PKCS12
# Convert the proprietary JKS store to PKCS12, the command the keytool warning above recommends.
# Source and destination are the same path, so the conversion happens in place (keytool keeps a backup
# of the original with a .old suffix); keytool prompts for the store password.
keytool -importkeystore -srckeystore privateKeys.keystore -destkeystore privateKeys.keystore -deststoretype pkcs12
修改密码
# Change the password of one entry (the private-key password); alias, old/new password,
# store password and keystore path are placeholders to fill in
keytool -keypasswd -alias 需修改的别名 -keypass 旧密码 -new 新密码 -storepass keystore密码 -keystore 所在的密钥库
# Change the keystore's own (store) password
keytool -storepasswd -keystore privateKeys.keystore -storepass 原始密码 -new 新密码
导出证书
# Export the certificate of alias "privateKey" (public key + identity, never the private key) to certfile.cer.
# Without -rfc the file is binary DER, which is why the openssl step further down converts it to PEM.
keytool -export -alias "privateKey" -file "certfile.cer" -keystore "privateKeys.keystore" -storepass soyuan.123
把证书导入到证书库
公钥和私钥最好分开存储在两个 keystore 文件中
# Import certfile.cer as a trusted-certificate entry under alias "publicKey".
# This example writes it into the same privateKeys.keystore; the note above recommends a separate
# keystore for the public half so the private-key store never has to be shipped to verifiers.
keytool -import -alias "publicKey" -file "certfile.cer" -keystore "privateKeys.keystore" -storepass "soyuan.123"
删除证书库条目
# Remove one entry from the keystore. "mykey" is keytool's default alias; the entries created on this page
# are "privateKey" and "publicKey", so substitute the alias you actually want to delete.
keytool -delete -alias mykey -keystore privateKeys.keystore -storepass soyuan.123
转换成pem证书
# Re-encode the DER certificate exported by keytool as PEM (Base64 between BEGIN/END CERTIFICATE lines)
openssl x509 -inform der -in certfile.cer -out certfile.pem
查看公钥
从私钥条目和导出的证书中都可以查看公钥
# Dump the certificates as PEM and let openssl print the public key (SubjectPublicKeyInfo) of the first one;
# keytool prompts for the store password because -storepass is not given here
keytool -list -rfc --keystore privateKeys.keystore | openssl x509 -inform pem -pubkey
公钥信息:
| -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCU3Evfsz32KGB0QU/D7L5F1ELx X4C7u+gBjnIiF4YTTeLBevu/XO3EyXDFEnuKlRyXB/ZConG78wWcBWC1jXpcabfI 8HCb3nNq0fcbrz2faTps8sTldbAX4VlGKHY+xbRhwvcucXgpU7JICLDN7DhaeEds 1VVo5Hg/sIRuoBBF5wIDAQAB -----END PUBLIC KEY-----
获取私钥
# Extract the private key from the store (requires the PKCS12 format produced by the conversion step above).
# -nocerts omits the certificates; -nodes writes the key to privatekey.pem UNENCRYPTED, so restrict the
# file's permissions and delete it once it has been consumed.
openssl pkcs12 -in privateKeys.keystore -nodes -nocerts -out privatekey.pem
私钥信息:
| -----BEGIN PRIVATE KEY----- MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJTcS9+zPfYoYHRB T8PsvkXUQvFfgLu76AGOciIXhhNN4sF6+79c7cTJcMUSe4qVHJcH9kKicbvzBZwF YLWNelxpt8jwcJvec2rR9xuvPZ9pOmzyxOV1sBfhWUYodj7FtGHC9y5xeClTskgI sM3sOFp4R2zVVWjkeD+whG6gEEXnAgMBAAECgYBhI3hnm8GdNi/q7QuuIHjxfFfK xrVszGvTSC72TD9zrWmBNE2/TFbkCUeLckon3rHvZISwauyo5ycL7v5yusXTNWrH MjIitWAQZP58qnIiJx72COTi3pG3U/aE9/694ChZ9pSOaaULWYPPbxjZCUe2Z1O+ IagLVubAhrhOWfRPQQJBAMNsHoWxsc9Nv6zMOLbxFRg9nb/KLp4VXAqMwK5ctK2Y Kj34qGWwOomnT5g3V5LhBeQ0NMH0d+8Guy0/DVuzyHcCQQDDATs2ym0StdB3yzs5 DSsSET0m6vv49503XfQGRWsFaIzpPuddweSS2ztevfdMzUULWj2up/dGPiYOTGCS MzoRAkBW83yBMBdVjdqDIDr76zjfmErgUy162TYi243ABy+9Lb9d443J8Seap/8a U0V77POaHkB7LDNQ/0W5VBy1eMDxAkBK4ZgpbAYCX0rUFXiCaeoWIASJg0aKzhrS /gMMvW9hPkqN7pfNyvzI3+KmePATz+cpetegz+MGWCso5m9W9NDhAkAOGZ+a8QFV xY8iVb/l6ZyS0AaKghgrLv+aReTQwTc+rkkjvVwe7cyh9dChN0rWfOenceaXks+H cTVuMmKV6pts -----END PRIVATE KEY-----
java获取RSA公钥私钥
| package com.soyuan.umsserviceapi.security;
import com.soyuan.umsserviceapi.conf.JwtPrivateKeyConf;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Base64;
import sun.misc.BASE64Encoder; // internal API, absent from JDK 9+; prefer java.util.Base64
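/**
 * Reads the JWT signing key pair out of a JKS keystore and renders each half as Base64 text:
 * the PKCS#8 DER encoding for the private key, the X.509 SubjectPublicKeyInfo for the public key.
 *
 * <p>The string returned by {@link #getJwtPrivateKey} is a secret on a par with the keystore
 * password: do not log it and do not write it to a world-readable location.
 */
public class ExportCert {

    /** Store format produced by the {@code keytool -genkey} step documented above. */
    private static final String KEY_STORE_TYPE = "jks";

    /**
     * 76-character lines joined by "\n", the layout the old sun.misc encoder produced on Unix.
     * java.util.Base64 replaces sun.misc.BASE64Encoder, an internal API removed in JDK 9.
     */
    private static final Base64.Encoder ENCODER = Base64.getMimeEncoder(76, new byte[] {'\n'});

    private ExportCert() {
        // utility class
    }

    /**
     * Returns the private key of the configured alias as Base64 (PKCS#8 DER).
     *
     * @param jwtPrivateKeyConf keystore path, store password, alias and key password
     * @return Base64 text of {@link PrivateKey#getEncoded()}
     * @throws Exception if the keystore cannot be read, the password is wrong, or the alias is not a
     *     private-key entry
     */
    public static String getJwtPrivateKey(JwtPrivateKeyConf jwtPrivateKeyConf) throws Exception {
        KeyPair keyPair = loadKeyPair(jwtPrivateKeyConf);
        return exportPrivateKey(keyPair.getPrivate());
    }

    /**
     * Returns the public key of the configured alias as Base64 (X.509 SubjectPublicKeyInfo DER).
     *
     * @param jwtPrivateKeyConf keystore path, store password, alias and key password
     * @return Base64 text of {@link PublicKey#getEncoded()}
     * @throws Exception if the keystore cannot be read, the password is wrong, or the alias is not a
     *     private-key entry
     */
    public static String getJwtPublicKey(JwtPrivateKeyConf jwtPrivateKeyConf) throws Exception {
        KeyPair keyPair = loadKeyPair(jwtPrivateKeyConf);
        return exportPublicKey(keyPair.getPublic());
    }

    /**
     * Opens the keystore named in the config and resolves its key pair. Shared by both public entry
     * points so the store is loaded the same way in each. The input stream is closed (the original
     * never closed it) and both password arrays are wiped once the store has been read.
     */
    private static KeyPair loadKeyPair(JwtPrivateKeyConf conf)
            throws IOException, GeneralSecurityException {
        char[] storePassword = conf.getPassword().toCharArray();
        char[] keyPassword = conf.getPrivatePassword().toCharArray();
        try (InputStream in = Files.newInputStream(Paths.get(conf.getPrivateKeysStorePath()))) {
            KeyStore keyStore = KeyStore.getInstance(KEY_STORE_TYPE);
            keyStore.load(in, storePassword);
            return getKeyPair(keyStore, conf.getAlias(), keyPassword);
        } finally {
            // Best effort: the String copies inside conf still exist, but the arrays we made do not linger.
            Arrays.fill(storePassword, '\0');
            Arrays.fill(keyPassword, '\0');
        }
    }

    /**
     * Pairs the alias's private key with the public key of its certificate.
     *
     * <p>The original version swallowed failures with printStackTrace() and returned {@code null},
     * which surfaced as a NullPointerException in the caller; failures now propagate with their cause.
     *
     * @throws UnrecoverableKeyException if {@code password} does not unlock the entry
     * @throws KeyStoreException if the alias does not exist, is not a private-key entry, or has no
     *     certificate
     */
    private static KeyPair getKeyPair(KeyStore keyStore, String alias, char[] password)
            throws GeneralSecurityException {
        Key key = keyStore.getKey(alias, password);
        if (!(key instanceof PrivateKey)) {
            // getKey() returns null for an unknown alias and a SecretKey for a symmetric entry
            throw new KeyStoreException("alias '" + alias + "' is not a private-key entry");
        }
        Certificate certificate = keyStore.getCertificate(alias);
        if (certificate == null) {
            throw new KeyStoreException("alias '" + alias + "' has no certificate");
        }
        return new KeyPair(certificate.getPublicKey(), (PrivateKey) key);
    }

    /** Base64 of the PKCS#8 DER encoding; the result is secret material. */
    private static String exportPrivateKey(PrivateKey privateKey) {
        return ENCODER.encodeToString(privateKey.getEncoded());
    }

    /** Base64 of the X.509 SubjectPublicKeyInfo DER encoding. */
    private static String exportPublicKey(PublicKey publicKey) {
        return ENCODER.encodeToString(publicKey.getEncoded());
    }
}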