Como importar a cadeia de certificados * .p7s para o keystore?

1

Eu usei esses comandos para criar meu CSR

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore domain.jks -dname "CN=*.domain.com,OU=Software Development, O=Company Name, L=Asuncion, ST=Central, C=PY"
keytool -certreq -alias server -keyalg RSA -sigalg SHA256withRSA -file domain.csr -keystore domain.jks

Então eu tenho meu certificado assinado

Web Server CERTIFICATE
-----------------
-----BEGIN CERTIFICATE-----
MIIFZjCCBE6gAwIBAgIQeg8KZmYMVuy/9w/yfpEWozANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS
UmFwaWRTU0wgU0hBMjU2IENBMB4XDTE2MDMwNzAwMDAwMFoXDTE3MDQwNjIzNTk1
OVowFjEUMBIGA1UEAwwLKi5zZWdweS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCk2tfnkEN7n6Qtg7wt4lbFHyBN0UW19aSjwme5/zXbLp5S0TUN
MSwxilEGFumUE700oAyT0uQBakV9m/qwrljDdZNgrR2+4VSJfMTL+fRSNQh//pls
TFV8sc6czPxnSKeT8ufsCFF50aadRnK2+GdLC5Vpfhlwfknpu7d3RI5aMFwWzSfG
YNsqShm7sJtYnwA1y3o9eG2XiDuNt6Y5+5lHEafwGxwg8gaL5MpY5wNPDNfr6sYp
YOkJi/JdgRlLnEZn2nTawJRhkODb64vZ5arteN06fBMJjw+yrhfFqt/MEwy2Odiv
WOrWgi1ODft3QHO8jd2JCX4j/apBTEm/acmtAgMBAAGjggKCMIICfjAhBgNVHREE
GjAYggsqLnNlZ3B5LmNvbYIJc2VncHkuY29tMAkGA1UdEwQCMAAwKwYDVR0fBCQw
IjAgoB6gHIYaaHR0cDovL2dwLnN5bWNiLmNvbS9ncC5jcmwwbwYDVR0gBGgwZjBk
BgZngQwBAgEwWjAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29t
L2xlZ2FsMCwGCCsGAQUFBwICMCAMHmh0dHBzOi8vd3d3LnJhcGlkc3NsLmNvbS9s
ZWdhbDAfBgNVHSMEGDAWgBSXwidQnsLJ7AyIMsh8reKmAU/abzAOBgNVHQ8BAf8E
BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMFcGCCsGAQUFBwEB
BEswSTAfBggrBgEFBQcwAYYTaHR0cDovL2dwLnN5bWNkLmNvbTAmBggrBgEFBQcw
AoYaaHR0cDovL2dwLnN5bWNiLmNvbS9ncC5jcnQwggEFBgorBgEEAdZ5AgQCBIH2
BIHzAPEAdgDd6x0reg1PpiCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAAAVNS3iEc
AAAEAwBHMEUCIQCWspEnkaLlNJNpPVDU1M0QnErjVSPI1pOQNGcXjpG03wIgCbjt
I9hCpywde6agjJyn7+nJ/TT0Bk35SLqkkYWwfm0AdwCkuQmQtBhYFIe7E6LMZ3AK
PDWYBPkb37jjd80OyA3cEAAAAVNS3iFaAAAEAwBIMEYCIQDB0lAOazP3u9pYPwEc
6VDu+PloTiKoju2Up9ANeR9qowIhAPcUsiayPGVWMuLwb842w9oCkiASjWlGj9CL
Gbadpg3AMA0GCSqGSIb3DQEBCwUAA4IBAQCuujNCOo8z69IYcQFEJkbXwcUJDEWZ
9rP7IbOY1/P9GicK//lR/RMpoZqCujsMVOrq3baAdOb27n08sD7qi9uPeCNcpAeK
EeKEXrppcG9qD6zy+yx1K6GZW4GY0iSJ5U0+ad26t0ShkH0hzPmvNv5rHe8LEAU1
sxwTuKBhyf41+6MCMbdpex0Id17IWqUpb7ZSNq2n1ilJyEeuO5gQ64XXctc6MWzF
NfhcYcaL9kSS1ENRXvLcotbuLCUg/zu1WThUm3a/6QvpWRMUCcqyBehVVNa69Av0
aq4cMMrjJ9Qtt1tZN0dXNXsZPP9rPyv+KAY3Fa15M9rHZAgfBSuNjeGG
-----END CERTIFICATE-----

INTERMEDIATE CA:
---------------------------------------
-----BEGIN CERTIFICATE-----
MIIETTCCAzWgAwIBAgIDAjpxMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQK
Ew1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9iYWwgQ0EwHhcNMTMxMjExMjM0
NTUxWhcNMjIwNTIwMjM0NTUxWjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5j
LjEbMBkGA1UEAxMSUmFwaWRTU0wgU0hBMjU2IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAu1jBEgEul9h9GKrIwuWF4hdsYC7JjTEFORoGmFbdVNcRjFlbPbFUrkshhTIWX1SG5tmx
2GCJa1i+ctqgAEJ2sSdZTM3jutRc2aZ/uyt11UZEvexAXFm33Vmf8Wr3BvzWLxmKlRK6msrVMNI4
/Bk7WxU7NtBDTdFlodSLwWBBs9ZwF8w5wJwMoD23ESJOztmpetIqYpygC04q18NhWoXdXBC5VD0t
A/hJ8LySt7ecMcfpuKqCCwW5Mc0IW7siC/acjopVHHZDdvDibvDfqCl158ikh4tq8bsIyTYYZe5Q
Q7hdctUoOeFTPiUs2itP3YqeUFDgb5rE1RkmiQF1cwmbOwIDAQABo4IBSjCCAUYwHwYDVR0jBBgw
FoAUwHqYaI2J+6sFZAwRfap9ZbjKzE4wHQYDVR0OBBYEFJfCJ1CewsnsDIgyyHyt4qYBT9pvMBIG
A1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6
Ly9nMS5zeW1jYi5jb20vY3Jscy9ndGdsb2JhbC5jcmwwLwYIKwYBBQUHAQEEIzAhMB8GCCsGAQUF
BzABhhNodHRwOi8vZzIuc3ltY2IuY29tMEwGA1UdIARFMEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsG
AQUFBwIBFiVodHRwOi8vd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3BzMCkGA1UdEQQiMCCk
HjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTU2OTANBgkqhkiG9w0BAQsFAAOCAQEANevhiyBW
lLp6vXmp9uP+bji0MsGj21hWID59xzqxZ2nVeRQb9vrsYPJ5zQoMYIp0TKOTKqDwUX/N6fmS/Zar
RfViPT9gRlATPSATGC6URq7VIf5Dockj/lPEvxrYrDrK3maXI67T30pNcx9vMaJRBBZqAOv5jUOB
8FChH6bKOvMoPF9RrNcKRXdLDlJiG9g4UaCSLT+Qbsh+QJ8gRhVd4FB84XavXu0R0y8TubglpK9Y
Ca81tGJUheNI3rzSkHp6pIQNo0LyUcDUrVNlXWz4Px8G8k/Ll6BKWcZ40egDuYVtLLrhX7atKz4l
ecWLVtXjCYDqwSfC2Q7sRwrp0Mr82A==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----

Eu também recebi um arquivo p7s (domain.com.p7s)

Eu tentei de várias maneiras diferentes importá-lo corretamente para o keystore, mas recebo o erro mostrado nesta página link > ERR_CERT_AUTHORITY_INVALID

Qual é o comando para importar esta cadeia? esta não é a primeira vez que estou fazendo isso, mas desta vez eu simplesmente não consigo fazer funcionar.

    
por David Hofmann 08.03.2016 / 00:31

1 resposta

4

No seu caso, como você já tem a chave privada em seu keystore, você pode importar a cadeia de certificados PKCS # 7 (* .p7s / * .p7b ...) graças a este comando:

 keytool -import -alias <same alias as the key> -file <p7 filename> -keystore <keystore filename>

Considerando que, se você quiser importar uma cadeia de certificados sem ter a chave no armazenamento de chaves, a keytool não aceita a importação em um único disparo e, portanto, você deve seguir este método (ou se o método anterior não funcionou):

Para continuar, basta criar um arquivo pem por certificado e importá-los no keystore, definindo o mesmo alias para o certificado como o alias de chave.

(o conteúdo de cada arquivo pem é o formato base64 do certificado:

-----BEGIN CERTIFICATE-----

...

-----END CERTIFICATE-----

Para importar um certificado com keytool:

keytool -import -alias server -file server.pem -trustcacerts -keystore domain.jks

Fontes:

  • experiência pessoal
  • comentários desta resposta (graças a David Hofmann e dave_thompson_085)
  • outra pergunta para um problema do pkcs # 7: link

Nota:
O kse51 pode ser muito útil ao gerenciar keystore. Você pode encontrá-lo aqui: link . (Eu não tenho relação com o editor de software)

    
por 09.03.2016 / 17:58