将密钥对导入现有密钥对文件

【问题标题】:Importing key pair to existing key pair file将密钥对导入现有密钥对文件
【发布时间】:2017-04-28 11:16:56
【问题描述】:

我有两个不同的密钥对值,它们使用 Java keytool 生成并存储在名为 keystore1.jks 和 keystore2.jks 的两个不同文件中。

我所做的是通过以下命令将密钥对从 keystore2.jks 导入到 keystore1.jks

keytool -importkeystore -srcstoretype JKS -srckeystore <source_keystorfile> -deststoretype JKS -destkeystore <keystorfile_to_import_keypair>

我已将 keystore1.jks 添加到服务器以使用此密钥库在 ssl 中侦听。

现在我已将公钥从文件 keystore2.jks 导入到名为 truststore.jks 的信任库文件

当我尝试使用 keystore1.jks 连接到在 ssl 中侦听的服务器时,从这个 truststore.jks 文件中,不幸的是,服务器不接受连接并引发如下异常

    javax.jms.JMSException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:62)
    at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1298)
    at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent(ActiveMQConnection.java:1382)
    at org.apache.activemq.ActiveMQConnection.createSession(ActiveMQConnection.java:309)
    at com.sample.ssl.job.handler.MessageQueueLocator.getJmsSession(Unknown Source)
    at com.sample.ssl.job.handler.MessageQueueLocator.sendMessageToGeneralQueue(Unknown Source)
    at com.sample.ssl.communication.JobResposeDispatcherInvoker.dispatchStartupMessage(Unknown Source)
    at com.sample.ssl.job.MessageDispatchJob.dispatchStartupMessage(Unknown Source)
    at com.sample.ssl.job.MessageDispatchJob.execute(Unknown Source)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:637)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:89)
    at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115)
    at java.io.DataOutputStream.flush(DataOutputStream.java:106)
    at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:181)
    at org.apache.activemq.transport.InactivityMonitor.oneway(InactivityMonitor.java:255)
    at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:168)
    at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84)
    at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74)
    at org.apache.activemq.transport.failover.FailoverTransport.doReconnect(FailoverTransport.java:844)
    at org.apache.activemq.transport.failover.FailoverTransport$2.iterate(FailoverTransport.java:135)
    at org.apache.activemq.thread.PooledTaskRunner.runTask(PooledTaskRunner.java:122)
    at org.apache.activemq.thread.PooledTaskRunner$1.run(PooledTaskRunner.java:43)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:289)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:263)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:184)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
    ... 21 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:330)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:275)
    ... 28 more
Caused by: java.security.SignatureException: Signature does not match.
    at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:421)
    at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)
    at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
    ... 32 more

我不知道我在哪里犯了错误。在我的情况下,一半部分客户使用来自 keystore1.jks 的密钥对的信任存储,而 remaining 使用 keystore2.jks强>。

客户端使用keystore1.jks的信任库连接到服务器很好。但是那些客户端使用keystore2.jks的信任库无法连接

请在这种情况下帮助我解决。如果我的方式有任何错误,请给出正确的路径。提前致谢。

【问题讨论】:

  • 在服务器上尝试keytool -list -keystore keystore1.jks 以确保两个密钥都在密钥库中。
  • 服务器是否接受自签名证书?服务器可能不信任 Keystore2.jks 中的证书。
  • @mhawke 我已经检查了您提到的命令,并且两个密钥都存在于密钥文件中
  • @always_a_rookie_to_learn 是的,服务器将接受自签名证书。当我尝试使用单个键时,我的设置工作正常。当我尝试使用多个键时,问题就来了。
  • @BhuvaneshWaran 您的服务器是否配置为仅接受来自您的信任库 1 的证书?您是否在服务器的 SSL 设置中提供了证书的别名或任何特定信息?

标签: java ssl keytool self-signed


【解决方案1】:

我没听懂你的一些话.. 您有两个具有密码的文件。您将第二个文件导入第一个文件。 所以。为什么需要使用第二个文件?

我认为命令应该是:(先备份) keytool -importkeystore -srckeystore keystore2.jks -deskeystore keystore1.jks

【讨论】:

  • 我没有在服务器中使用第二个文件,即 keystore2.jks,因为我已将密钥导入 keystore1.jks。我已将公钥导入到名为 truststore.jks 的文件中,并在客户端使用此文件与服务器连接。
猜你喜欢
  • 2013-08-06
  • 1970-01-01
  • 2020-03-20
  • 1970-01-01
  • 2018-03-07
  • 1970-01-01
  • 1970-01-01
  • 1970-01-01
  • 2011-02-10
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode