Introduction to the Java Keytool Utility
Source: Internet  Published by: 怕错过了也不会知  Editor: 程序博客网  Time: 2024/06/14 21:18
As information security has grown in importance, more and more HTTP/FTP traffic has been migrated to HTTPS/SFTP, and SSL/TLS has become unavoidable. Understanding the basics of common encryption algorithms and tools, and knowing how to generate and use certificates, is an increasingly common part of everyday work. Keytool, which ships with Java, is one such tool and is widely used to manage keys and certificates.
Prerequisites
keytool ships with the JDK, so the prerequisite is an installed JDK. You can refer to the Maven installation script: installing Maven requires a JDK first, so after that script has been run the JDK will have been installed as well. If you already have a JDK, skip this step.
Installation check
Confirm that keytool is available:
[root@liumiaocn ~]# which keytool
/usr/local/java/jdk1.8.0_121/bin/keytool
[root@liumiaocn ~]#
Command reference
The keytool command and its common options are as follows:
Certificate management
Certificates are issued by dedicated CAs, but this is almost always a paid service; a CA is not an NGO and nobody works for nothing, otherwise why would they be in this business. Generally speaking, unless the project is very formal, a self-issued (self-signed) certificate is sufficient in many cases.
Basics
Generating a keystore
Generate a keystore with the following information.
Command:
keytool -genkey -alias kstore -keypass init123 -keyalg RSA -keysize 2048 -validity 30 -keystore /tmp/kstore.keystore -storepass init234
Sample run
[root@liumiaocn ~]# keytool -genkey -alias kstore -keypass init123 -keyalg RSA -keysize 2048 -validity 30 -keystore /tmp/kstore.keystore -storepass init234
What is your first and last name?
  [Unknown]:  michael
What is the name of your organizational unit?
  [Unknown]:  liumiaocn
What is the name of your organization?
  [Unknown]:  ngo
What is the name of your City or Locality?
  [Unknown]:  dalian
What is the name of your State or Province?
  [Unknown]:  liaoning
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN correct?
  [no]:  yes
[root@liumiaocn ~]#
Confirm the generated file
[root@liumiaocn ~]# ls -l /tmp/kstore.keystore
-rw-r--r--. 1 root root 2230 Mar 10 17:46 /tmp/kstore.keystore
[root@liumiaocn ~]# file /tmp/kstore.keystore
/tmp/kstore.keystore: Java KeyStore
[root@liumiaocn ~]#
Inspecting the keystore
Because the generated /tmp/kstore.keystore is not a text file, its contents cannot be read directly; the list subcommand shows the keystore's details.
Command:
keytool -list -v -keystore /tmp/kstore.keystore -storepass init234
Sample run
[root@liumiaocn ~]# keytool -list -v -keystore /tmp/kstore.keystore -storepass init234
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: kstore
Creation date: Mar 10, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Issuer: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Serial number: 58700a1
Valid from: Fri Mar 10 17:46:00 EST 2017 until: Sun Apr 09 18:46:00 EDT 2017
Certificate fingerprints:
     MD5:  C9:88:B5:3E:62:F1:31:4D:8B:81:9C:45:90:F1:0F:CF
     SHA1: 59:C9:D3:3F:07:80:73:7C:7E:43:94:3B:E5:43:61:FF:14:F1:1A:CC
     SHA256: 32:71:6C:1E:1F:F6:23:01:66:81:92:36:C8:6F:E3:8D:5B:32:C4:F2:10:94:D0:3D:8C:07:5B:91:7A:59:B2:56
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 91 44 93 93 46 D0 EE   A9 B3 9C A6 6C 1A BD D4  ..D..F......l...
0010: E3 EA 74 74                                        ..tt
]
]


*******************************************
*******************************************


[root@liumiaocn ~]#
Exporting a certificate
Certificates are unavoidable in both one-way and two-way (mutual) authentication; the following command exports the certificate from the keystore to a file.
keytool -export -alias kstore -keystore /tmp/kstore.keystore -file /tmp/kstore.crt -rfc -storepass init234
Note: the storepass is the password set when /tmp/kstore.keystore was created; here it is used for verification, and a wrong value produces the error: Keystore was tampered with, or password was incorrect
Sample run
[root@liumiaocn ~]# keytool -export -alias kstore -keystore /tmp/kstore.keystore -file /tmp/kstore.crt -rfc -storepass init234
Certificate stored in file </tmp/kstore.crt>
[root@liumiaocn ~]# file /tmp/kstore.crt
/tmp/kstore.crt: PEM certificate
[root@liumiaocn ~]# cat /tmp/kstore.crt
-----BEGIN CERTIFICATE-----
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
-----END CERTIFICATE-----
[root@liumiaocn ~]#
Inspecting the certificate
The exported certificate is in PEM format; its contents can be inspected with the following command:
keytool -printcert -file /tmp/kstore.crt
Sample run
[root@liumiaocn ~]# keytool -printcert -file /tmp/kstore.crt
Owner: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Issuer: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Serial number: 58700a1
Valid from: Fri Mar 10 17:46:00 EST 2017 until: Sun Apr 09 18:46:00 EDT 2017
Certificate fingerprints:
     MD5:  C9:88:B5:3E:62:F1:31:4D:8B:81:9C:45:90:F1:0F:CF
     SHA1: 59:C9:D3:3F:07:80:73:7C:7E:43:94:3B:E5:43:61:FF:14:F1:1A:CC
     SHA256: 32:71:6C:1E:1F:F6:23:01:66:81:92:36:C8:6F:E3:8D:5B:32:C4:F2:10:94:D0:3D:8C:07:5B:91:7A:59:B2:56
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 91 44 93 93 46 D0 EE   A9 B3 9C A6 6C 1A BD D4  ..D..F......l...
0010: E3 EA 74 74                                        ..tt
]
]

[root@liumiaocn ~]#
Importing a certificate
To import the exported certificate into the keystore, use the following command:
keytool -import -alias aliascrt -file /tmp/kstore.crt -keystore /tmp/kstore.keystore -storepass init234 -keypass init123
Before the import
File information
[root@liumiaocn tmp]# ll kstore.keystore kstore.crt
-rw-r--r--. 1 root root 1263 Mar 10 17:57 kstore.crt
-rw-r--r--. 1 root root 2230 Mar 10 17:46 kstore.keystore
[root@liumiaocn tmp]#
Keystore details
[root@liumiaocn tmp]# keytool -list -v -keystore /tmp/kstore.keystore -storepass init234
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: kstore
Creation date: Mar 10, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Issuer: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Serial number: 58700a1
Valid from: Fri Mar 10 17:46:00 EST 2017 until: Sun Apr 09 18:46:00 EDT 2017
Certificate fingerprints:
     MD5:  C9:88:B5:3E:62:F1:31:4D:8B:81:9C:45:90:F1:0F:CF
     SHA1: 59:C9:D3:3F:07:80:73:7C:7E:43:94:3B:E5:43:61:FF:14:F1:1A:CC
     SHA256: 32:71:6C:1E:1F:F6:23:01:66:81:92:36:C8:6F:E3:8D:5B:32:C4:F2:10:94:D0:3D:8C:07:5B:91:7A:59:B2:56
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 91 44 93 93 46 D0 EE   A9 B3 9C A6 6C 1A BD D4  ..D..F......l...
0010: E3 EA 74 74                                        ..tt
]
]


*******************************************
*******************************************


[root@liumiaocn tmp]#
Import
[root@liumiaocn tmp]# keytool -import -alias aliascrt -file /tmp/kstore.crt -keystore /tmp/kstore.keystore -storepass init234 -keypass init123
Certificate already exists in keystore under alias <kstore>
Do you still want to add it? [no]:  yes
Certificate was added to keystore
[root@liumiaocn tmp]#
After the import
Checking the files shows that the keystore file has changed:
[root@liumiaocn tmp]# ll kstore.keystore kstore.crt
-rw-r--r--. 1 root root 1263 Mar 10 17:57 kstore.crt
-rw-r--r--. 1 root root 3140 Mar 10 18:11 kstore.keystore
[root@liumiaocn tmp]#
Listing the keystore details confirms that the certificate has been added: Alias name: aliascrt
[root@liumiaocn tmp]# keytool -list -v -keystore /tmp/kstore.keystore -storepass init234
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: kstore
Creation date: Mar 10, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Issuer: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Serial number: 58700a1
Valid from: Fri Mar 10 17:46:00 EST 2017 until: Sun Apr 09 18:46:00 EDT 2017
Certificate fingerprints:
     MD5:  C9:88:B5:3E:62:F1:31:4D:8B:81:9C:45:90:F1:0F:CF
     SHA1: 59:C9:D3:3F:07:80:73:7C:7E:43:94:3B:E5:43:61:FF:14:F1:1A:CC
     SHA256: 32:71:6C:1E:1F:F6:23:01:66:81:92:36:C8:6F:E3:8D:5B:32:C4:F2:10:94:D0:3D:8C:07:5B:91:7A:59:B2:56
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 91 44 93 93 46 D0 EE   A9 B3 9C A6 6C 1A BD D4  ..D..F......l...
0010: E3 EA 74 74                                        ..tt
]
]


*******************************************
*******************************************


Alias name: aliascrt
Creation date: Mar 10, 2017
Entry type: trustedCertEntry

Owner: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Issuer: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Serial number: 58700a1
Valid from: Fri Mar 10 17:46:00 EST 2017 until: Sun Apr 09 18:46:00 EDT 2017
Certificate fingerprints:
     MD5:  C9:88:B5:3E:62:F1:31:4D:8B:81:9C:45:90:F1:0F:CF
     SHA1: 59:C9:D3:3F:07:80:73:7C:7E:43:94:3B:E5:43:61:FF:14:F1:1A:CC
     SHA256: 32:71:6C:1E:1F:F6:23:01:66:81:92:36:C8:6F:E3:8D:5B:32:C4:F2:10:94:D0:3D:8C:07:5B:91:7A:59:B2:56
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 91 44 93 93 46 D0 EE   A9 B3 9C A6 6C 1A BD D4  ..D..F......l...
0010: E3 EA 74 74                                        ..tt
]
]


*******************************************
*******************************************


[root@liumiaocn tmp]#
Deleting a certificate
To delete a certificate from the keystore, use the following command:
keytool -delete -alias aliascrt -keystore /tmp/kstore.keystore -storepass init234
Sample run
[root@liumiaocn tmp]# keytool -delete -alias aliascrt -keystore /tmp/kstore.keystore -storepass init234
[root@liumiaocn tmp]#
After the deletion
[root@liumiaocn tmp]# keytool -list -v -keystore /tmp/kstore.keystore -storepass init234
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: kstore
Creation date: Mar 10, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Issuer: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Serial number: 58700a1
Valid from: Fri Mar 10 17:46:00 EST 2017 until: Sun Apr 09 18:46:00 EDT 2017
Certificate fingerprints:
     MD5:  C9:88:B5:3E:62:F1:31:4D:8B:81:9C:45:90:F1:0F:CF
     SHA1: 59:C9:D3:3F:07:80:73:7C:7E:43:94:3B:E5:43:61:FF:14:F1:1A:CC
     SHA256: 32:71:6C:1E:1F:F6:23:01:66:81:92:36:C8:6F:E3:8D:5B:32:C4:F2:10:94:D0:3D:8C:07:5B:91:7A:59:B2:56
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 91 44 93 93 46 D0 EE   A9 B3 9C A6 6C 1A BD D4  ..D..F......l...
0010: E3 EA 74 74                                        ..tt
]
]


*******************************************
*******************************************


[root@liumiaocn tmp]#
As shown, the certificate that was just added has been deleted.
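As an added example (not code from the original post), the following Python script turns the kind of `keytool -list -v` output shown in the steps above into an inventory and flags self-signed or soon-expiring entries, which is worth automating given the 30-day validity used here. The sample listing is constructed and trimmed from the two-entry listing above, and the `warn_days` threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed two-entry `keytool -list -v` listing like the one above.
SAMPLE_LISTING = """\
Alias name: kstore
Entry type: PrivateKeyEntry
Owner: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Issuer: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Valid from: Fri Mar 10 17:46:00 EST 2017 until: Sun Apr 09 18:46:00 EDT 2017

Alias name: aliascrt
Entry type: trustedCertEntry
Owner: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Issuer: CN=michael, OU=liumiaocn, O=ngo, L=dalian, ST=liaoning, C=CN
Valid from: Fri Mar 10 17:46:00 EST 2017 until: Sun Apr 09 18:46:00 EDT 2017
"""

def _parse_until(valid_line):
    """Parse the 'until:' half; the zone token (EDT) is dropped since %Z only accepts UTC/GMT/local."""
    tok = valid_line.split("until:", 1)[1].split()
    return datetime.strptime(" ".join(tok[:4] + tok[5:]), "%a %b %d %H:%M:%S %Y")

def parse_listing(text):
    """One dict per alias; the first Owner/Issuer/Valid lines describe the leaf cert."""
    entries = []
    for block in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        lines = [ln.strip() for ln in block.splitlines()]
        entry = {"alias": lines[0]}
        for ln in lines[1:]:
            key, _, val = ln.partition(":")
            key = key.lower().replace("entry ", "")  # "Entry type" -> "type"
            if key in ("type", "owner", "issuer") and key not in entry:
                entry[key] = val.strip()
            elif key == "valid from" and "until" not in entry:
                entry["until"] = _parse_until(ln)
        entries.append(entry)
    return entries

def audit(entries, now, warn_days=14):
    """Findings a monitoring job would raise; `now` is injected for reproducibility."""
    findings = []
    for e in entries:
        if e["owner"] == e["issuer"]:
            findings.append((e["alias"], "self-signed"))
        days_left = (e["until"] - now).days
        if days_left < 0:
            findings.append((e["alias"], "expired"))
        elif days_left <= warn_days:
            findings.append((e["alias"], "expires in %d days" % days_left))
    return findings
```

In practice the listing would be read from the output of the `keytool -list -v` command shown above rather than from the embedded sample.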
Summary
keytool, the certificate management tool that comes with the JDK, makes it easy to manage certificates for popular algorithms such as DSA and RSA; these are widely used for web server authentication and for managing private container registries.