开发者

Can the alias in a keystore be a guid?

开发者 https://www.devze.com 2023-02-14 08:27 出处:网络
I have a problem in regards to Tomcat 6 and certificates. The problem is somewhat similar to this: Tomcat HTTPS keystore certificate.

I have a problem in regards to Tomcat 6 and certificates. The problem is somewhat similar to this: Tomcat HTTPS keystore certificate.

My task is to get a Jira installation running with an SSL certific开发者_如何学Pythonate issued by a CA.

To make sure I have got the workflow right I have tried to create a certificate of my own the following way (this works):

  • Create 'my' keystore
  • Extract the certificate from the 'my' keystore
  • Import the extracted certificate into Java's \cacerts keystore.

This solution works fine - site can be accessed over SSL.

I assume the following can be done with my CA issued certificate, in the form of a pfx file.

I created a new keystore using this command:

keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -destkeystore \mydest\keystore.jks -deststorepass changeit

When I list the contents of the new keystore.jks I get one entry; private key with a guid.

I extract the certificate from the keystore. In this operation I am unable to specify an alias.

I import the certificate into the \cacerts keystore.

I then list the concents of the \cacerts keystore and find my new entry. Instead of having a name, the entry is showing the same guid as from the initial (pfx) keystore.

I alter my server.xml file with the new alias (e.g. guid) and keystore file.

However - starting Tomcat gives this error:

Alias name {guid} does not identify a key entry

Question is:

  1. Can a guid be a key name?
  2. If not, what I am doing wrong? :)

I have tried both keystores in the server.xml file, without luck.

New info; when I execute this command I am able to find information regarding the certificate in the \cacerts file:

keytool -list -v -keystore \cacerts -alias {guid}

So it seems that the guid exists. However, Tomcat seems to be unable to find the same key.


Answer is 'yes'.

The origins of my problem was that I had the wrong password for the key from the pfx file. Using the following command I changed the password from the original one to a the standard password (I did this prior to exporting the certificate from the keystore created from the pfx file):

keytool -keypasswd -alias {guid} 

Keytool then asked me for old password and new password.

I might have been able to add some sort of configuration in the server.xml file like 'keypassword', but I haven't looked into that.

0

精彩评论

暂无评论...
验证码 换一张
取 消