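1. Overview
This article presents two ways to change the alias of a key in a Java keystore. A keystore alias is the unique identifier of a key pair, and changing an alias is a common need in certificate management.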
2. Setup
First, use the keytool utility to create a test keystore file and generate an RSA key pair:
keytool -genkey \
-keyalg rsa \
-alias baeldung \
-dname "cn=my-cn.localhost, ou=Java Devs, o=Baeldung, l=London, s=Greater London, c=GB" \
-keystore my-keystore.jks \
-storepass storepw@1
Verify that the keystore was created, using grep to filter the key information:
keytool -list -v -keystore my-keystore.jks -storepass storepw@1 \
| grep -iE "keystore contains|alias|my-cn.localhost"
The output confirms that the keystore contains the alias baeldung:
Your keystore contains 1 entry
Alias name: baeldung
Owner: CN=my-cn.localhost, OU=Java Devs, O=Baeldung, L=London, ST=Greater London, C=GB
Issuer: CN=my-cn.localhost, OU=Java Devs, O=Baeldung, L=London, ST=Greater London, C=GB
3. Changing the Alias with keytool
The simplest and most direct way is keytool's changealias command:
keytool -changealias -alias baeldung -destalias baeldung.com -keystore my-keystore.jks -storepass storepw@1
Verify the result:
keytool -list -v -keystore my-keystore.jks -storepass storepw@1 \
| grep -iE "keystore contains|alias|my-cn.localhost"
The output shows that the alias has been updated to baeldung.com:
Your keystore contains 1 entry
Alias name: baeldung.com
Owner: CN=my-cn.localhost, OU=Java Devs, O=Baeldung, L=London, ST=Greater London, C=GB
Issuer: CN=my-cn.localhost, OU=Java Devs, O=Baeldung, L=London, ST=Greater London, C=GB
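4. Changing the Alias with Java Code
The Java KeyStore API provides no direct rename method, so the rename is done in the following steps:
- Get the key and certificate chain of the old alias
- Delete the old alias entry
- Re-add the key under the new alias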
import static org.assertj.core.api.Assertions.assertThat;

import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import org.junit.jupiter.api.Test;

class KeystoreChangeAliasTest { // class name is illustrative
    private static final String KEYSTORE = "my-keystore.jks";
    private static final String PWD = "storepw@1";
    private static final String OLD_ALIAS = "baeldung";
    private static final String NEW_ALIAS = "baeldung.com";

    @Test
    void whenAliasIsRenamed_thenNewAliasIsCreated() throws Exception {
        // Load the keystore from the test classpath
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        keystore.load(getClass().getResourceAsStream(KEYSTORE), PWD.toCharArray());
        assertThat(keystore.containsAlias(OLD_ALIAS)).isTrue();
        assertThat(keystore.containsAlias(NEW_ALIAS)).isFalse();

        // Fetch the key and chain, delete the old entry, re-add it under the new alias
        Key key = keystore.getKey(OLD_ALIAS, PWD.toCharArray());
        Certificate[] certificateChain = keystore.getCertificateChain(OLD_ALIAS);
        keystore.deleteEntry(OLD_ALIAS);
        keystore.setKeyEntry(NEW_ALIAS, key, PWD.toCharArray(), certificateChain);

        assertThat(keystore.containsAlias(OLD_ALIAS)).isFalse();
        assertThat(keystore.containsAlias(NEW_ALIAS)).isTrue();
    }
}
⚠️ Pitfall: the code above only modifies the in-memory copy of the keystore. Call the store() method to persist the change to disk:
try (FileOutputStream fos = new FileOutputStream("updated-keystore.jks")) {
    keystore.store(fos, PWD.toCharArray());
}
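The rename steps and the store() call above, combined into a standalone program. This is an added example, not code from the original article or its repository; the class name RenameKeystoreAlias, the command-line arguments and the temp-file naming are assumptions. It goes beyond the article's test by refusing to overwrite an existing destination alias (setKeyEntry replaces an entry that already has that alias), by handling trusted-certificate entries, and by writing the result through a temporary file.

```java
import java.io.OutputStream;
import java.nio.file.*;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Objects;

// Added example; the class name and command-line arguments are assumptions.
public class RenameKeystoreAlias {

    static void rename(Path file, char[] pwd, String oldAlias, String newAlias) throws Exception {
        // KeyStore.getInstance(File, char[]) (Java 9+) detects the store type and loads the file.
        KeyStore ks = KeyStore.getInstance(file.toFile(), pwd);
        if (!ks.containsAlias(oldAlias))
            throw new IllegalArgumentException("no such alias: " + oldAlias);
        // setKeyEntry/setCertificateEntry replace an existing entry, so refuse collisions.
        if (ks.containsAlias(newAlias))
            throw new IllegalStateException("destination alias already exists: " + newAlias);

        Certificate before = ks.getCertificate(oldAlias);
        if (ks.isKeyEntry(oldAlias)) {
            // Assumes the key password equals the store password, as in the article's keystore.
            Key key = ks.getKey(oldAlias, pwd);
            ks.setKeyEntry(newAlias, key, pwd, ks.getCertificateChain(oldAlias));
        } else {
            // Trusted-certificate entry: there is no key to copy.
            ks.setCertificateEntry(newAlias, before);
        }
        // Delete the old entry only after the new one is in place and carries the same certificate.
        if (!Objects.equals(before, ks.getCertificate(newAlias)))
            throw new IllegalStateException("certificate mismatch after copy");
        ks.deleteEntry(oldAlias);

        // Write to a temp file in the same directory, then move it over the original,
        // so a failed write never leaves a truncated keystore behind.
        Path dir = file.toAbsolutePath().getParent();
        Path tmp = Files.createTempFile(dir, "keystore", ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, pwd);
        }
        Files.move(tmp, file, StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
    }

    public static void main(String[] args) throws Exception {
        // Usage: java RenameKeystoreAlias.java <keystore> <old-alias> <new-alias>
        char[] pwd = System.console().readPassword("Keystore password: ");
        rename(Path.of(args[0]), pwd, args[1], args[2]);
    }
}
```

Reading the password from the console keeps it out of the shell history and the process list, unlike the -storepass argument used in the keytool commands.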
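5. Conclusion
Comparison of the two approaches:
- ✅ keytool: the recommended first choice, simple and efficient
- ✅ Java API: suited to scenarios that need programmatic handling
- ❌ Java API drawback: persistence must be handled manually, and the code is more complex
The complete code example is available in the GitHub repository.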