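PFX to JKS (note: JKS requires a password of at least 6 characters, so when requesting the PFX certificate, choose a password of at least 6 characters):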
keytool -importkeystore -v -srckeystore ***.pfx -srcstoretype pkcs12 -srcstorepass 123456 -destkeystore ***.jks -deststoretype jks -deststorepass 123456
# Import our server-side certificate into the JKS trust store
keytool -import -file ca.cer -keystore ***.jks
JKS to PEM:
keytool -importkeystore -srckeystore my.jks -destkeystore my.p12 -srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in my.p12 -out my.pem
-------------------------------------------------------------------------------------------------------------------------
Update the publicly trusted CA configuration
# yum reinstall ca-certificates
# update-ca-trust
--------------------------------------------------------------------------------------------------------------------------
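Verify that the certificate store works with the command: curl -vvv https://www.unixy.net
If the following error appears, the certificate is invalid: Peer certificate cannot be authenticated with known CA certificates
The fix is to append the contents of that certificate's public-key .pem file to /etc/pki/tls/certs/ca-bundle.crt
Detailed steps:
The CA certificate can be downloaded by visiting the site in a browser:
Then convert the downloaded CA certificate's format (CER to PEM):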
# openssl x509 -inform der -in vmwar.cer -out vmwar.pem
or
# openssl x509 -inform der -in vmwar.crt -out vmwar.pem
Import the CA certificate into the Linux certificate store:
# cat vmwar.pem >> /etc/pki/tls/certs/ca-bundle.crt
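The steps above as one checked procedure (an added example, not part of the original notes): it accepts the DER or PEM file, compares its SHA-256 fingerprint with one obtained out of band, and stages it in a trust-anchor directory so that update-ca-trust, which regenerates ca-bundle.crt, does not discard it. The function names are hypothetical; /etc/pki/ca-trust/source/anchors is the anchor directory on RHEL/CentOS.

```shell
#!/bin/sh
# Added example: check a downloaded CA certificate before trusting it, then
# stage it for update-ca-trust instead of appending to ca-bundle.crt by hand.

# Print the certificate as PEM, accepting either DER (.cer/.crt) or PEM input.
to_pem() {
    openssl x509 -inform der -in "$1" 2>/dev/null ||
        openssl x509 -inform pem -in "$1" 2>/dev/null
}

# Print the SHA-256 fingerprint as lowercase hex without colons
# (empty output when the file is not a certificate).
cert_sha256() {
    to_pem "$1" | openssl x509 -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# stage_ca <cert-file> <expected-sha256> <anchor-dir>
# Returns 0 when staged (or already staged), 1 on parse or fingerprint failure.
stage_ca() {
    cert=$1 expected=$2 anchors=$3
    actual=$(cert_sha256 "$cert") || return 1
    [ -n "$actual" ] || { echo "not a certificate: $cert" >&2; return 1; }
    # Accept the expected value with or without colons, in either case.
    want=$(printf '%s' "$expected" | tr -d ': ' | tr 'A-F' 'a-f')
    if [ "$actual" != "$want" ]; then
        echo "fingerprint mismatch: got $actual" >&2
        return 1
    fi
    dest="$anchors/$actual.pem"
    [ -f "$dest" ] && return 0          # already staged, no duplicate entry
    to_pem "$cert" > "$dest"
}

# Typical use on RHEL/CentOS (as root), fingerprint obtained out of band:
#   stage_ca vmwar.cer "<sha256 from the CA owner>" \
#       /etc/pki/ca-trust/source/anchors && update-ca-trust extract
```

Naming the staged file after its fingerprint makes repeated runs idempotent, unlike repeated `cat >>` onto the bundle.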