Python中文网

一个关于 编程问题的解答网站.

有 Java 编程相关的问题?

你可以在下面搜索框中键入要查询的问题!

openssl Java密钥工具错误:Java。lang.异常:输入的不是X.509证书

1 周,4 日 Questions & Answers

要与某个服务器建立SSL连接,每当我在windows中运行以下命令,后跟密钥存储默认密码“changeit”以在java密钥存储中导入证书时,都会发生以下错误:

命令:

keytool -import -file "E:\postgrescert\server.crt" -keypass changeit -keystore "C:\Java\JDK\jre\lib\security\cacerts" -alias pgssslninet

错误:

keytool error: java.lang.Exception: Input not an X.509 certificate

服务器。crt具有以下内容:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a1:ea:8c:61:61:0a:7d:69
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, L=fg, O=XYZ, OU=IT, CN=Common Name/emailAddress=xyz.some@org.com
        Validity
            Not Before: Jun 14 23:59:25 2013 GMT
            Not After : Jul 14 23:59:25 2013 GMT
        Subject: C=US, ST=CA, L=fg, O=XYZ, OU=IT, CN=Common Name/emailAddress=xyz.some@org.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:7c:dd:6e:5f:98:85:52:b4:13:45:2d:69:26:
                    61:6c:d7:ad:d6:12:27:bf:e1:07:53:a4:76:27:29:
                    ca:3d:82:e5:63:8c:9e:a5:b0:24:f6:77:86:92:ab:
                    42:e5:26:8a:4a:ea:ea:4a:65:20:a1:3b:05:c7:e0:
                    31:8e:4c:6e:e5:9e:e4:9c:de:05:02:b3:59:70:00:
                    df:fb:b9:62:e1:5b:8e:1b:29:2d:7c:41:86:41:a9:
                    9e:24:f8:65:54:8c:cf:44:c4:7b:fa:12:b4:84:d1:
                    d7:d7:2f:14:32:f9:2e:7b:c2:d8:0b:35:c9:f5:8b:
                    64:ed:cf:84:6e:bf:97:d0:44:7b:6b:67:c6:5b:6f:
                    92:5d:f6:d7:01:b6:ba:96:37:c8:3b:f8:be:01:b5:
                    02:d1:6b:21:67:83:c8:fd:37:bd:70:e5:c1:e4:81:
                    b0:42:a9:04:b1:3d:33:4c:43:2b:33:cc:50:65:1e:
                    c0:15:8d:e3:5f:b0:9c:d9:04:09:18:e7:8f:80:56:
                    6f:45:1d:0a:c2:2d:02:7e:67:2a:8a:1b:73:4a:db:
                    80:e0:52:d6:33:23:c7:aa:48:b0:5c:ad:7f:8c:96:
                    7c:d4:84:61:4d:ae:d3:9c:ef:59:c1:bd:71:83:c3:
                    5e:a4:04:84:8f:cd:76:82:3a:86:43:ab:c1:f4:e9:
                    02:d5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C1:4F:FA:2E:8F:F3:36:FE:AE:9B:12:73:C7:08:C9:59:96:53:71:A7
            X509v3 Authority Key Identifier: 
                keyid:C1:4F:FA:2E:8F:F3:36:FE:AE:9B:12:73:C7:08:C9:59:96:53:71:A7

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        6b:2f:5f:33:f8:bb:55:66:c3:48:c9:ae:64:c1:89:5b:e1:54:
        9a:bc:ae:34:87:7e:bc:e7:30:26:9e:65:58:42:79:19:e2:ee:
        93:2a:c7:2d:a9:45:b4:1c:7b:5f:5a:ec:12:e3:76:38:c5:44:
        aa:7f:bd:60:b6:a6:83:90:68:9d:8f:1c:7a:69:4a:58:a8:55:
        5a:36:9e:e3:69:76:50:0e:4c:30:54:11:4c:de:10:91:6f:aa:
        49:34:19:1c:96:cb:8a:6c:fd:df:19:ed:e1:84:2b:05:12:68:
        e6:af:c5:59:c2:61:ca:10:2c:8e:cc:0a:34:7e:08:e5:22:ac:
        01:fd:fc:4d:16:4f:66:29:58:ac:8e:25:79:3d:de:b6:ef:55:
        6e:26:c5:75:9d:6d:57:4e:02:89:b8:c1:b8:47:b7:09:9b:07:
        cf:5b:a3:bc:a3:6b:ef:a1:4c:95:a0:be:0f:d4:63:fe:35:c6:
        c6:42:10:0b:28:13:02:a3:6e:b3:bf:ae:57:a8:bd:a1:25:6a:
        2d:cd:c7:20:64:4b:2e:f2:b2:c9:5c:85:cf:6f:de:39:86:84:
        94:d3:01:c5:25:b7:ec:65:1b:5f:93:ec:9d:cc:81:fa:c7:34:
        fc:e4:e2:5c:3f:4b:cc:83:bb:f0:67:88:1f:f6:a1:3b:9e:00:
        7b:ba:b2:79
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIJAKHqjGFhCn1pMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJVUzELMAkGA1UECAwCQ0ExEDAOBgNVBAcMB0ZyZW1vbnQxEjAQBgNVBAoM
CURhdGFndWlzZTELMAkGA1UECwwCSVQxFDASBgNVBAMMC0NvbW1vbiBOYW1lMSgw
JgYJKoZIhvcNAQkBFhlzcmluaS5zdWJyYUBkYXRhZ3Vpc2UuY29tMB4XDTEzMDYx
NDIzNTkyNVoXDTEzMDcxNDIzNTkyNVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQI
DAJDQTEQMA4GA1UEBwwHRnJlbW9udDESMBAGA1UECgwJRGF0YWd1aXNlMQswCQYD
VQQLDAJJVDEUMBIGA1UEAwwLQ29tbW9uIE5hbWUxKDAmBgkqhkiG9w0BCQEWGXNy
aW5pLnN1YnJhQGRhdGFndWlzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDefN1uX5iFUrQTRS1pJmFs163WEie/4QdTpHYnKco9guVjjJ6lsCT2
d4aSq0LlJopK6upKZSChOwXH4DGOTG7lnuSc3gUCs1lwAN/7uWLhW44bKS18QYZB
qZ4k+GVUjM9ExHv6ErSE0dfXLxQy+S57wtgLNcn1i2Ttz4Ruv5fQRHtrZ8Zbb5Jd
9tcBtrqWN8g7+L4BtQLRayFng8j9N71w5cHkgbBCqQSxPTNMQyszzFBlHsAVjeNf
sJzZBAkY54+AVm9FHQrCLQJ+ZyqKG3NK24DgUtYzI8eqSLBcrX+MlnzUhGFNrtOc
71nBvXGDw16kBISPzXaCOoZDq8H06QLVAgMBAAGjUDBOMB0GA1UdDgQWBBTBT/ou
j/M2/q6bEnPHCMlZllNxpzAfBgNVHSMEGDAWgBTBT/ouj/M2/q6bEnPHCMlZllNx
pzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBrL18z+LtVZsNIya5k
wYlb4VSavK40h3685zAmnmVYQnkZ4u6TKsctqUW0HHtfWuwS43Y4xUSqf71gtqaD
kGidjxx6aUpYqFVaNp7jaXZQDkwwVBFM3hCRb6pJNBkclsuKbP3fGe3hhCsFEmjm
r8VZwmHKECyOzAo0fgjlIqwB/fxNFk9mKVisjiV5Pd6271VuJsV1nW1XTgKJuMG4
R7cJmwfPW6O8o2vvoUyVoL4P1GP+NcbGQhALKBMCo26zv65XqL2hJWotzccgZEsu
8rLJXIXPb945hoSU0wHFJbfsZRtfk+ydzIH6xzT85OJcP0vMg7vwZ4gf9qE7ngB7
urJ5
-----END CERTIFICATE-----

有人能帮我找到这个错误背后的确切问题吗

PS:当我删除-----BEGIN CERTIFICATE-----上面的所有内容时,它成功导入。上面的信息真的需要吗。请帮忙

问候,

阿伦


共 (2) 个答案

  1. # 1 楼答案

    Can anyone help me to locate the exact issue behind this error.

    Keytool可以处理两种格式。一个是ASN。1/DER编码,看起来像十六进制编辑器下的二进制数据。另一个是RFC 1421,证书编码标准,它是证书的Base64编码。请参阅Solaris站点Keytool上的文档

    When i removed every thing above -BEGIN CERTIFICATE -, it get successfully imported. Does the information above -BEGIN CERTIFICATE - is really required.

    您上面描述的格式是Internet RFC 1421证书编码标准Keytool应该能够处理该格式。手册明确规定允许采用以下格式:

    Certificates are often stored using the printable encoding format defined by the Internet RFC 1421 standard, instead of their binary encoding. This certificate format, also known as "Base 64 encoding", facilitates exporting certificates to other applications by email or through some other mechanism. ...

    Certificates read by the -import and -printcert commands can be in either this format or binary encoded.

    在上文中,“此格式”为RFC 1421。“二进制编码”是ASN。1/10

    话虽如此,该证书看起来像一个客户端证书,因为它在Common Name中有一个PKCS#9电子邮件地址,并且没有DNS名称(如example.com)。然而,is也有Basic ConstraintCA=TRUE

    IETF和CA/B论坛都不赞成将电子邮件地址和DNS名称放在Common Name字段中。这些名称应放在Subject Alternate Name字段中。使用Common Name作为友好名称或显示名称,如“John Doe”或“Datametrics”

    Java似乎也比其他大多数标准更接近IETF标准(其他标准是指工具和库,而不是标准)。但是RFC往往运行得又快又松,我不记得PKCS#9 email address/CA=TRUE标志被禁止

    该问题可能会影响其进口能力。Bruno或EJP可能肯定知道

  2. # 2 楼答案

    这里也有同样的问题。我只是在结尾加了一条空行,keytool很高兴