因证书到期,故要切换证书,做下记录
1.将cer导入到JDK证书信任库中
# Add the renewed certificate to the JDK trust store (the cacerts file under
# jre/lib/security), under alias guoxfee_2021. -storepass is not given, so
# keytool asks for the trust store password on the terminal.
# Before importing, check the certificate's fingerprint and validity dates
# (keytool -printcert -file <cer>) against what the issuer supplied: any Java
# application that relies on this trust store will trust whatever is added.
keytool -import \
  -alias guoxfee_2021 \
  -file "/opt/AppServer/apache-tomcat-7.0.92/cert/2021/guoxfee.cer" \
  -keystore "/usr/local/java/jdk1.8.0_191/jre/lib/security/cacerts"
2.将cer导入到证书链pfx中
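# Add the renewed certificate to the pfx keystore under alias guoxfee_2021.
# -storepass is left out on purpose: keytool then asks for the keystore
# password on the terminal, so the password does not end up in shell history,
# in the process list, or in notes like this one. For unattended runs keytool
# also accepts -storepass:env NAME and -storepass:file PATH.
# A keystore password that has been written down in plain text should be
# changed.
# NOTE(review): if the .pfx does not exist yet, keytool creates it in the JDK's
# default keystore type (JKS on JDK 8), not PKCS#12 - confirm the file type.
keytool -import -v -trustcacerts \
  -alias guoxfee_2021 \
  -file "/opt/AppServer/apache-tomcat-7.0.92/cert/2021/guoxfee.cer" \
  -keystore "/opt/AppServer/apache-tomcat-7.0.92/cert/2021/guoxfee.pfx"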
3.将pfx证书链加到JDK证书链中
# Variant with a relative trust store path: "cacerts" is resolved against the
# current directory, so the keystore that gets modified depends on where this
# is run.
# keytool -import expects a certificate file; if guoxfee.pfx is a keystore
# container rather than a single certificate, this fails with the
# "Input not an X.509 certificate" error described below.
# NOTE(review): this path uses the apache-tomcat-7.0.92-jlrc directory, unlike
# the other steps - confirm that is intended.
keytool -import -trustcacerts \
  -alias guoxfee_pfx \
  -file "/opt/AppServer/apache-tomcat-7.0.92-jlrc/cert/2021/guoxfee.pfx" \
  -keystore cacerts
或
# Same import as the previous variant, with the JDK trust store given by its
# absolute path so the result does not depend on the working directory.
# keytool -import expects a certificate file; if guoxfee.pfx is a keystore
# container rather than a single certificate, this fails with the
# "Input not an X.509 certificate" error described below.
keytool -import -trustcacerts \
  -alias guoxfee_pfx \
  -file "/opt/AppServer/apache-tomcat-7.0.92/cert/2021/guoxfee.pfx" \
  -keystore "/usr/local/java/jdk1.8.0_191/jre/lib/security/cacerts"
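# Fallback: run the steps below only if step 3 fails with
#   keytool error: java.lang.Exception: Input not an X.509 certificate
# (keytool -import reads a certificate file, not a pfx container).

# Extract the certificates from the pfx into a PEM file.
# -nokeys keeps the private key inside the pfx: the trust store only needs the
# certificate, and -nodes would write the key to disk unencrypted.
openssl pkcs12 -in ./guoxfee.pfx -nokeys -out ./guoxfee.pem
# Convert the PEM file into an X.509 crt file. openssl x509 reads the first
# certificate in the input; if the pfx holds several certificates, check which
# one ended up in the crt (openssl x509 -in ./guoxfee.crt -noout -subject).
openssl x509 -in ./guoxfee.pem -out ./guoxfee.crt
# Import the crt file into the trusted certificate store.
# NOTE(review): the crt above is written to the current directory, while -file
# below is an absolute path and -keystore cacerts is relative - confirm the
# working directory and that both paths point at the intended files.
keytool -import -alias guoxfee_crt -keystore cacerts -file /opt/apache-tomcat-7.0.96/cert/2021/guoxfee.crt -trustcacerts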