安装keytool centos简书 linux安装keytool

NOTE: (xp:%JAVA_HOME%/jre/lib/security/cacerts,linux: $JAVA_HOME/jre/lib/security/cacerts)

验证是否已创建过同名的证书keytool -list -v -alias tomcat -keystore"%JAVA_HOME%/jre/lib/security/cacerts " -storepass changeit

删除已创建的证书keytool -delete -alias tomcat -keystore"%%JAVA_HOME%/jre/lib/security/cacerts " -storepass changeit

Keytool是一个Java数据证书的管理工具。keystore

Keytool将密钥(key)和证书(certificates)存在一个称为keystore的文件中在keystore里，包含两种数据：密钥实体(Key entity)——密钥(secret

key)又或者是私钥和配对公钥(采用非对称加密)可信任的证书实体(trusted certificate entries)——只包含公钥Alias(别名)每个keystore都关联这一个独一无二的alias，这个alias通常不区分大小写keystore的存储位置在没有制定生成位置的情况下，keystore会存在与用户的系统默认目录，如：对于window xp系统，会生成在系统的C:\Documents andSettings\UserName\文件名为“.keystore”keystore的生成

引用

keytool -genkey-alias tomcat-keyalgRSA-keystore d:\mykeystore -dname "CN=localhost, OU=localhost, O=localhost,L=SH, ST=SH, C=CN" -keypass changeit -storepass

-validity 180参数说明：-genkey表示要创建一个新的密钥-dname表示密钥的Distinguished Names，CN=commonName

OU=organizationUnit
O=organizationName
L=localityName
S=stateName
C=country

Distinguished Names表明了密钥的发行者身份-keyalg使用加密的算法，这里是RSA

-alias密钥的别名-keypass私有密钥的密码，这里设置为changeit

-keystore密钥保存在D:盘目录下的mykeystore文件中-storepass存取密码，这里设置为changeit，这个密码提供系统从mykeystore文件中将信息取出-validity该密钥的有效期为180天(默认为90天)cacerts证书文件(The cacerts Certificates File)该证书文件存在于java.home\jre\lib\security目录下，是Java系统的CA证书仓库创建证书1.服务器中生成证书：(注：生成证书时，CN要和服务器的域名相同，如果在本地测试，则使用localhost)

keytool -genkey -alias tomcat -keyalg RSA -keystore d:\mykeystore -dname"CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" -keypasschangeit -storepass changeit2.导出证书，由客户端安装：keytool -export -alias tomcat -keystore d:\mykeystore -file d:\mycerts.cer-storepass changeit3.客户端配置：为客户端的JVM导入密钥(将服务器下发的证书导入到JVM中)keytool-import -trustcacerts -alias tomcat -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file d:\mycerts.cer -storepass changeit生成的证书可以交付客户端用户使用，用以进行SSL通讯，或者伴随电子签名的jar包进行发布者的身份认证。

常出现的异常：“未找到可信任的证书”--主要原因为在客户端未将服务器下发的证书导入到JVM中，可以用keytool -list -alias tomcat -keystore "%JAVA_HOME%/JRE/LIB/SECURITY/CACERTS"-storepass changeit

linux: #keytool -list -alias tomcat -keystore"$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit来查看证书是否真的导入到JVM中。

keytool生成根证书时出现如下错误：

keytool错误:java.io.IOException:keystore was tampered with,or passwordwas incorrect

原因是在你的home目录下是否还有.keystore存在。如果存在那么把他删除掉，然后再执行

或者删除"%JAVA_HOME%/jre/lib/security/cacerts再执行

keytool用法：

-certreq    [-v] [-protected]
[-alias ] [-sigalg]
[-file ] [-keypass ]
[-keystore ] [-storepass]
[-storetype ][-providername ]
[-providerclass [-providerarg]] ...
[-providerpath ]
-changealias [-v][-protected] -alias -destalias
[-keypass ]
[-keystore ] [-storepass]
[-storetype ][-providername ]
[-providerclass [-providerarg]] ...
[-providerpath ]
-delete     [-v] [-protected] -alias 
[-keystore ] [-storepass]
[-storetype ][-providername ]
[-providerclass [-providerarg]] ...
[-providerpath ]
-exportcert  [-v][-rfc] [-protected]
[-alias ] [-file ]
[-keystore ] [-storepass]
[-storetype ][-providername ]
[-providerclass [-providerarg]] ...
[-providerpath ]
-genkeypair [-v] [-protected]
[-alias ]
[-keyalg ] [-keysize ]
[-sigalg ] [-dname ]
[-validity ] [-keypass ]
[-keystore ] [-storepass]
[-storetype ][-providername ]
[-providerclass [-providerarg]] ...
[-providerpath ]
-genseckey  [-v] [-protected]
[-alias ] [-keypass]
[-keyalg ] [-keysize ]
[-keystore ] [-storepass]
[-storetype ][-providername ]
[-providerclass [-providerarg]] ...
[-providerpath ]
-importcert [-v] [-noprompt] [-trustcacerts] [-protected]
[-alias ]
[-file ] [-keypass]
[-keystore ] [-storepass]
[-storetype ][-providername ]
[-providerclass [-providerarg]] ...
[-providerpath ]
-importkeystore[-v]
[-srckeystore ][-destkeystore ]
[-srcstoretype ][-deststoretype ]
[-srcstorepass ][-deststorepass ]
[-srcprotected] [-destprotected]
[-srcprovidername ]
[-destprovidername ]
[-srcalias [-destalias]
[-srckeypass ] [-destkeypass ]]
[-noprompt]
[-providerclass [-providerarg]] ...
[-providerpath ]
-keypasswd  [-v] [-alias ]
[-keypass ] [-new ]
[-keystore ] [-storepass]
[-storetype ][-providername ]
[-providerclass [-providerarg]] ...
[-providerpath ]
-list       [-v | -rfc] [-protected]
[-alias ]
[-keystore ] [-storepass]
[-storetype ][-providername ]
[-providerclass [-providerarg]] ...
[-providerpath ]
-printcert  [-v] [-file ]
-storepasswd [-v][-new ]
[-keystore ] [-storepass]
[-storetype ][-providername ]
[-providerclass [-providerarg]] ...
[-providerpath ]