Rol*_*olf 5 java ssh ssl identity keystore
One of the tasks of the Java application I am building is to connect to a remote SFTP server. To do this I have the remote machine's certificate and a local identity (id_rsa and id_rsa.pub in the .ssh folder). This works fine.
I want to put the certificate and the identity in a password-protected Java keystore so that configuration is easier and more secure. I have this working for the certificate, but I am having trouble storing the SSH identity in a JKS or PKCS12 keystore (either would work).
To isolate the problem I tried the following steps:
I used ssh-keygen -b 2048 to create two identity files, id_rsa_demo and id_rsa_demo.pub, in the local directory. As far as I understand these are the private and public key of the identity, so I tried to combine them into an identity.p12 file:
openssl pkcs12 -export \
-inkey "id_rsa_demo" \
-in "id_rsa_demo.pub" \
-out "identity.p12" \
-password "pass:topsecret" \
-name "demoalias"
This gave me the error unable to load certificates. I searched around, and it seems openssl requires a certificate with the full chain for the -in argument. Since the identity I generated has none, I tried the -nocerts option, like so:
openssl pkcs12 -export \
-inkey "id_rsa_demo" \
-in "id_rsa_demo.pub" \
-out "identity.p12" \
-password "pass:topsecret" \
-name "demoalias" \
-nocerts
I got no error, but the -nocerts option does what it promises and does not add my public key to the pkcs12 file:
openssl pkcs12 -info -in identity.p12
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
friendlyName: demoalias
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIAOXpzckBb28CAggA
MBQGCCqGSIb3DQMHBAjPq9ibr445xQSCBMi5IlOk5F28kQPB5D97afiUb5d3It46
...
ejwYfHTj6bm+dEOUk68zNrWwKqwuJx5AZv3U8sm1cicVmh9W0HpL5tSmMMpDS1ey
Uos=
-----END ENCRYPTED PRIVATE KEY-----
Is there a way to store an SSH identity in a PKCS12 or JKS keystore?
Assume you have a PEM-encoded RSA private key like the following:
id_rsa
Do two things:
1) Create a certificate request to wrap the key and expose the public key as a certificate that keytool understands.
# generate a certificate signing request from the existing private key
openssl req -new -key id_rsa -out example.req
2) Create a self-signed certificate from the new request.
openssl x509 -signkey id_rsa -req -in example.req -out example.cer
Then combine the certificate and the private key and import them with keytool.
# keytool -import only accepts certificates, so bundle key + certificate
# into a PKCS#12 first and import that keystore as a whole
openssl pkcs12 -export -inkey id_rsa -in example.cer -name demoalias -out example.p12
keytool -importkeystore -srckeystore example.p12 -srcstoretype PKCS12 -destkeystore example.jks
That gets you the key. Using the private and public key with the SSH/SFTP library of your choice is left as an exercise.
Views: 6611