要与某些服务器建立 SSL 连接,每当我运行以下命令,然后在 Windows 中运行 keystore 默认密码“changeit”以将证书导入 java keystore 时,就会发生以下错误:
命令:
keytool -import -file "E:\postgrescert\server.crt" -keypass changeit -keystore "C:\Java\JDK\jre\lib\security\cacerts" -alias pgssslninet
错误:
keytool error: java.lang.Exception: Input not an X.509 certificate
server.crt 包含以下内容:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a1:ea:8c:61:61:0a:7d:69
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=fg, O=XYZ, OU=IT, CN=Common Name/<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="3c59515d55507d58584e594f4f01444546124f5351597c534e5b125f5351" rel="noreferrer noopener nofollow">[email protected]</a>
Validity
Not Before: Jun 14 23:59:25 2013 GMT
Not After : Jul 14 23:59:25 2013 GMT
Subject: C=US, ST=CA, L=fg, O=XYZ, OU=IT, CN=Common Name/<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="583d35393134193c3c2a3d2b2b65202122762b37353d18372a3f763b3735" rel="noreferrer noopener nofollow">[email protected]</a>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:de:7c:dd:6e:5f:98:85:52:b4:13:45:2d:69:26:
61:6c:d7:ad:d6:12:27:bf:e1:07:53:a4:76:27:29:
ca:3d:82:e5:63:8c:9e:a5:b0:24:f6:77:86:92:ab:
42:e5:26:8a:4a:ea:ea:4a:65:20:a1:3b:05:c7:e0:
31:8e:4c:6e:e5:9e:e4:9c:de:05:02:b3:59:70:00:
df:fb:b9:62:e1:5b:8e:1b:29:2d:7c:41:86:41:a9:
9e:24:f8:65:54:8c:cf:44:c4:7b:fa:12:b4:84:d1:
d7:d7:2f:14:32:f9:2e:7b:c2:d8:0b:35:c9:f5:8b:
64:ed:cf:84:6e:bf:97:d0:44:7b:6b:67:c6:5b:6f:
92:5d:f6:d7:01:b6:ba:96:37:c8:3b:f8:be:01:b5:
02:d1:6b:21:67:83:c8:fd:37:bd:70:e5:c1:e4:81:
b0:42:a9:04:b1:3d:33:4c:43:2b:33:cc:50:65:1e:
c0:15:8d:e3:5f:b0:9c:d9:04:09:18:e7:8f:80:56:
6f:45:1d:0a:c2:2d:02:7e:67:2a:8a:1b:73:4a:db:
80:e0:52:d6:33:23:c7:aa:48:b0:5c:ad:7f:8c:96:
7c:d4:84:61:4d:ae:d3:9c:ef:59:c1:bd:71:83:c3:
5e:a4:04:84:8f:cd:76:82:3a:86:43:ab:c1:f4:e9:
02:d5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C1:4F:FA:2E:8F:F3:36:FE:AE:9B:12:73:C7:08:C9:59:96:53:71:A7
X509v3 Authority Key Identifier:
keyid:C1:4F:FA:2E:8F:F3:36:FE:AE:9B:12:73:C7:08:C9:59:96:53:71:A7
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
6b:2f:5f:33:f8:bb:55:66:c3:48:c9:ae:64:c1:89:5b:e1:54:
9a:bc:ae:34:87:7e:bc:e7:30:26:9e:65:58:42:79:19:e2:ee:
93:2a:c7:2d:a9:45:b4:1c:7b:5f:5a:ec:12:e3:76:38:c5:44:
aa:7f:bd:60:b6:a6:83:90:68:9d:8f:1c:7a:69:4a:58:a8:55:
5a:36:9e:e3:69:76:50:0e:4c:30:54:11:4c:de:10:91:6f:aa:
49:34:19:1c:96:cb:8a:6c:fd:df:19:ed:e1:84:2b:05:12:68:
e6:af:c5:59:c2:61:ca:10:2c:8e:cc:0a:34:7e:08:e5:22:ac:
01:fd:fc:4d:16:4f:66:29:58:ac:8e:25:79:3d:de:b6:ef:55:
6e:26:c5:75:9d:6d:57:4e:02:89:b8:c1:b8:47:b7:09:9b:07:
cf:5b:a3:bc:a3:6b:ef:a1:4c:95:a0:be:0f:d4:63:fe:35:c6:
c6:42:10:0b:28:13:02:a3:6e:b3:bf:ae:57:a8:bd:a1:25:6a:
2d:cd:c7:20:64:4b:2e:f2:b2:c9:5c:85:cf:6f:de:39:86:84:
94:d3:01:c5:25:b7:ec:65:1b:5f:93:ec:9d:cc:81:fa:c7:34:
fc:e4:e2:5c:3f:4b:cc:83:bb:f0:67:88:1f:f6:a1:3b:9e:00:
7b:ba:b2:79
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIJAKHqjGFhCn1pMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJVUzELMAkGA1UECAwCQ0ExEDAOBgNVBAcMB0ZyZW1vbnQxEjAQBgNVBAoM
CURhdGFndWlzZTELMAkGA1UECwwCSVQxFDASBgNVBAMMC0NvbW1vbiBOYW1lMSgw
JgYJKoZIhvcNAQkBFhlzcmluaS5zdWJyYUBkYXRhZ3Vpc2UuY29tMB4XDTEzMDYx
NDIzNTkyNVoXDTEzMDcxNDIzNTkyNVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQI
DAJDQTEQMA4GA1UEBwwHRnJlbW9udDESMBAGA1UECgwJRGF0YWd1aXNlMQswCQYD
VQQLDAJJVDEUMBIGA1UEAwwLQ29tbW9uIE5hbWUxKDAmBgkqhkiG9w0BCQEWGXNy
aW5pLnN1YnJhQGRhdGFndWlzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDefN1uX5iFUrQTRS1pJmFs163WEie/4QdTpHYnKco9guVjjJ6lsCT2
d4aSq0LlJopK6upKZSChOwXH4DGOTG7lnuSc3gUCs1lwAN/7uWLhW44bKS18QYZB
qZ4k+GVUjM9ExHv6ErSE0dfXLxQy+S57wtgLNcn1i2Ttz4Ruv5fQRHtrZ8Zbb5Jd
9tcBtrqWN8g7+L4BtQLRayFng8j9N71w5cHkgbBCqQSxPTNMQyszzFBlHsAVjeNf
sJzZBAkY54+AVm9FHQrCLQJ+ZyqKG3NK24DgUtYzI8eqSLBcrX+MlnzUhGFNrtOc
71nBvXGDw16kBISPzXaCOoZDq8H06QLVAgMBAAGjUDBOMB0GA1UdDgQWBBTBT/ou
j/M2/q6bEnPHCMlZllNxpzAfBgNVHSMEGDAWgBTBT/ouj/M2/q6bEnPHCMlZllNx
pzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBrL18z+LtVZsNIya5k
wYlb4VSavK40h3685zAmnmVYQnkZ4u6TKsctqUW0HHtfWuwS43Y4xUSqf71gtqaD
kGidjxx6aUpYqFVaNp7jaXZQDkwwVBFM3hCRb6pJNBkclsuKbP3fGe3hhCsFEmjm
r8VZwmHKECyOzAo0fgjlIqwB/fxNFk9mKVisjiV5Pd6271VuJsV1nW1XTgKJuMG4
R7cJmwfPW6O8o2vvoUyVoL4P1GP+NcbGQhALKBMCo26zv65XqL2hJWotzccgZEsu
8rLJXIXPb945hoSU0wHFJbfsZRtfk+ydzIH6xzT85OJcP0vMg7vwZ4gf9qE7ngB7
urJ5
-----END CERTIFICATE-----
任何人都可以帮助我找到此错误背后的确切问题。
PS:当我删除上面的所有内容-----BEGIN CERTIFICATE-----时,它就成功导入了。上述-----BEGIN CERTIFICATE-----信息是否确实需要。请帮忙。
问候,
阿伦
最佳答案
Can anyone help me to locate the exact issue behind this error.
Keytool 可以处理两种格式。一种是 ASN.1/DER 编码,它看起来像十六进制编辑器下的二进制数据。另一个是RFC 1421,Certificate Encoding Standard,它是证书的Base64编码。请参阅 Keytool 上的文档在 Solaris 站点。
When i removed every thing above
-----BEGIN CERTIFICATE-----, it get successfully imported. Does the information above-----BEGIN CERTIFICATE-----is really required.
您上面描述的格式是 Internet RFC 1421 证书编码标准。 Keytool 应该能够处理该格式。手册明确指出允许的格式:
Certificates are often stored using the printable encoding format defined by the Internet RFC 1421 standard, instead of their binary encoding. This certificate format, also known as "Base 64 encoding", facilitates exporting certificates to other applications by email or through some other mechanism. ...
Certificates read by the
-importand-printcertcommands can be in either this format or binary encoded.
在上面,“此格式”是 RFC 1421。“二进制编码”是 ASN.1/DER。
话虽如此,该证书看起来像客户端证书,因为它在通用名称中具有 PKCS#9 电子邮件地址,并且没有 DNS 名称(例如 example.com)。 com)。然而它还有一个基本约束CA=TRUE。
IETF 和 CA/B 论坛均已弃用将电子邮件地址和 DNS 名称放在通用名称字段中。这些名称应放置在Subject Alternate Name 字段中。使用通用名称作为友好名称或显示名称,例如“John Doe”或“Datametrics”。
Java 似乎也比大多数其他标准更严格地遵循 IETF 标准(其他标准指的是工具和库;而不是标准)。但 RFC 往往运行得又快又松散,而且我不记得 PKCS#9 电子邮件地址/CA=TRUE 标志被禁止。
该问题可能会影响其导入能力。 Bruno 或 EJP 可能肯定知道。
关于Java keytool错误: java. lang.Exception : Input not an X. 509证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/24409169/