Question
I have a Tomcat server with a certificate chain for HTTPS stored in a Java keystore. The chain includes the self-signed root CA certificate. Although this is apparently okay by the TLS spec, some validation services warn about it, and it's probably better to leave it off.
How can I edit the keystore to remove just the self-signed root CA certificate, but leave the rest of the chain and the private key intact?
Answer 1:
First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):
keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12
Next, export a PEM file with key and certs from the PKCS12 file:
openssl pkcs12 -in old.p12 -out pemfile.pem -nodes
Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes").
Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, e.g. "tomcat", at this point.
openssl pkcs12 -export -in pemfile.pem -name tomcat -out new.p12
Finally, convert back from PKCS12 to JKS:
keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12
The file new.jks is what you want.
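The manual "edit pemfile.pem" step above is the one that is easy to get wrong: you have to pick the right CERTIFICATE block and also drop the Bag Attributes lines, while leaving the PRIVATE KEY block and the leaf/intermediate certificates untouched. The script below, added here as an example and not part of the answer or of Tomcat/keytool/openssl, automates that step. It identifies the root by the X.509 property that defines a self-signed certificate (issuer name equals subject name) using a minimal DER walk, so it needs no third-party library. The sample bundle, the `fake_cert` builder, and the names `tomcat.example`, `Example Intermediate CA` and `Example Root CA` are constructed test data (the toy certificates only carry the fields the parser reads and are not valid X.509 certificates).

```python
import base64
import re

# One PEM block: label, base64 body, matching END line (openssl pkcs12 -nodes output
# also contains "Bag Attributes" / "subject=" / "issuer=" lines between blocks).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----\n?", re.S)


def read_tlv(buf, pos):
    """Read one DER tag/length header at pos; return (tag, header_len, content_len)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    return tag, hdr, length


def der_children(buf, pos, end):
    """Yield (tag, start, end) for each TLV laid out back to back in buf[pos:end]."""
    while pos < end:
        tag, hdr, length = read_tlv(buf, pos)
        yield tag, pos, pos + hdr + length
        pos += hdr + length


def issuer_and_subject(cert_der):
    """Return the raw DER bytes of the issuer and subject Names of a certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, hdr, length = read_tlv(cert_der, 0)
    _, tbs_start, tbs_end = next(der_children(cert_der, hdr, hdr + length))
    _, thdr, _ = read_tlv(cert_der, tbs_start)
    fields = list(der_children(cert_der, tbs_start + thdr, tbs_end))
    if fields[0][0] == 0xA0:                # optional explicit [0] version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer = cert_der[fields[2][1]:fields[2][2]]
    subject = cert_der[fields[4][1]:fields[4][2]]
    return issuer, subject


def is_self_signed(cert_der):
    """A root CA is self-signed: its issuer Name is byte-identical to its subject Name."""
    issuer, subject = issuer_and_subject(cert_der)
    return issuer == subject


def strip_self_signed_roots(pem_text):
    """Return (cleaned PEM text, number of certificates removed).

    Keeps every PRIVATE KEY block and every non-self-signed CERTIFICATE block;
    drops self-signed certificates and all text outside PEM blocks (Bag Attributes etc.).
    """
    kept, removed = [], 0
    for m in PEM_BLOCK.finditer(pem_text):
        label, body = m.group(1), m.group(2)
        if label == "CERTIFICATE" and is_self_signed(base64.b64decode(body)):
            removed += 1
            continue
        kept.append(m.group(0))
    return "".join(kept), removed


# --- constructed sample data below (not real keys or certificates) ------------------

def der(tag, content):
    """Minimal DER TLV encoder used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def name(common_name):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String } } }"""
    atv = der(0x30, der(0x06, bytes([0x55, 0x04, 0x03])) + der(0x0C, common_name.encode()))
    return der(0x30, der(0x31, atv))


def fake_cert(issuer_cn, subject_cn):
    """Toy certificate DER with the field layout the parser relies on (constructed, not valid X.509)."""
    sig_alg = der(0x30, der(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name(issuer_cn)
              + der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
              + name(subject_cn) + der(0x30, der(0x04, b"\x00")))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))


def to_pem(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"


# Mimics "openssl pkcs12 -nodes" output: key, leaf, intermediate, self-signed root.
SAMPLE_PEM = (
    "Bag Attributes\n    friendlyName: tomcat\n    localKeyID: 01\nKey Attributes: <No Attributes>\n"
    + to_pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00")          # stand-in bytes, not a real key
    + "Bag Attributes\n    friendlyName: tomcat\nsubject=CN = tomcat.example\nissuer=CN = Example Intermediate CA\n"
    + to_pem("CERTIFICATE", fake_cert("Example Intermediate CA", "tomcat.example"))
    + "Bag Attributes: <No Attributes>\n"
    + to_pem("CERTIFICATE", fake_cert("Example Root CA", "Example Intermediate CA"))
    + "Bag Attributes: <No Attributes>\n"
    + to_pem("CERTIFICATE", fake_cert("Example Root CA", "Example Root CA"))
)

if __name__ == "__main__":
    cleaned, n = strip_self_signed_roots(SAMPLE_PEM)
    print(f"removed {n} self-signed certificate(s)")
    print(cleaned)
```

Run it against the real `pemfile.pem` by reading the file into `strip_self_signed_roots` and writing the result back before the `openssl pkcs12 -export` step; the rest of the procedure is unchanged. The check is deliberately the structural one (issuer DN equals subject DN) rather than matching on a friendly name, because that is what "self-signed root" means and it does not depend on how the keystore was labelled. It does not verify signatures, so a cross-signed copy of a root (issuer differs from subject) is kept, which is the correct outcome for the question asked.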
Answer 2:
keytool -delete -alias -keystore lib/security/cacerts -storepass changeit
Source: https://stackoverflow.com/questions/31441070/how-to-remove-just-one-certificate-from-a-certificate-chain-in-a-java-keystore