tomcat 的ssl 会使用到jks,而haproxy的ssl(非tcp代理方式)会使用到pem
如果从tomcat的ssl需要迁移到haproxy的ssl,就需要从jks中读取相关信息生成pem文件。
========================
先通过keytool导出成PKCS12格式(.p12后缀):
$ keytool -importkeystore -srckeystore tankywoo.jks -destkeystore tankywoo.p12 -srcstoretype jks -deststoretype pkcs12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias foo successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled指定源(jks)文件和目标(pkcs)文件的文件名和类型.
执行时输入设置给pkcs12证书的密码, 以及jks证书的密码.
再通过openssl将pkcs12文件导出成pem格式文件.
# 生成key 加密的pem证书
$ openssl pkcs12 -in tankywoo.p12 -out tankywoo.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
# 生成key 非加密的pem证书
$ openssl pkcs12 -nodes -in tankywoo.p12 -out tankywoo.pem
Enter Import Password:
MAC verified OK也可以分开导出:
导出key:
# 生成加密的key
$ openssl pkcs12 -in tankywoo.p12 -nocerts -out server.key
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
# 生成非加密的key
$ openssl pkcs12 -in tankywoo.p12 -nocerts -nodes -out server.key
Enter Import Password:
MAC verified OK导出server证书:
$ openssl pkcs12 -in tankywoo.p12 -nokeys -clcerts -out server.crt
Enter Import Password:
MAC verified OK导出ca证书:
$ openssl pkcs12 -in tankywoo.p12 -nokeys -cacerts -out ca.crt
Enter Import Password:
MAC verified OK========================
参考:
http://ju.outofmemory.cn/entry/108566
http://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format#comment1252648_656559