Java 7 applet self signed certificates

I've been trying to adapt myself and my applet to the new security constraints imposed in Java 7.

My applet is self signed and as such, it was automatically blocked. After adding the site to the exception list in the Java configuration console I managed to access it, but not without having to see that annoying message shouting at me that the signer is UNKNOWN, requiring me to approve running the applet.

This one is really annoying as it requires my approval each time I try to load the applet... not storing my previous approval...

So, I found this document, which should have solved all my problems as the distribution of my applet is within a known community. I followed all the guidelines, created the certificate and entered it into the store that is used by the JRE (I also see that certificate from the configuration console), but the annoying approval message keeps popping up and saying that the signer is still UNKNOWN...

Any idea what I'm missing? It looks like the addition of the certificate into my store had no impact on the flow whatsoever...

Thanks in advance. GBa.

Unfortunately, the mentioned certificate fields are not provided, so maybe my guess is wrong, but I would suggest that you create a certificate where the Common Name in the Subject field matches the signing authority address. There are three ways to have a match and eventually avoid the warning:

1. The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
2. The host name matches a wildcard common name. For example, www.example.com matches the common name *.example.com.
3. The host name is listed in the Subject Alternative Name field.

The most common form of SSL name matching is for the SSL client to compare the server name it connected to with the common name in the server's certificate. If an SSL certificate has a Subject Alternative Name (SAN) field, then SSL clients are supposed to ignore the common name value and seek a match in the SAN list.
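The three matching rules listed in the answer above, including the rule that a present SAN list overrides the Common Name, as an added example (not code from the original thread). The function names and the host names are constructed for illustration, and the wildcard handling assumes the usual convention that `*` stands for exactly one left-most label:

```python
from __future__ import annotations


def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with a host name, case-insensitively.

    Assumption: a wildcard is honoured only as the whole left-most label
    and covers exactly one label, so *.example.com matches
    www.example.com but not example.com or a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def host_matches_cert(host: str, common_name: str | None,
                      san_dns: list[str]) -> tuple[bool, str]:
    """Return (matched, reason) for the three rules in the answer.

    If the certificate carries any SAN entries, only those are checked
    and the Common Name is ignored, even if it would have matched.
    """
    if san_dns:
        for name in san_dns:
            if name_matches(name, host):
                return True, f"SAN {name}"
        return False, "SAN present, no entry matches (CN ignored)"
    if common_name and name_matches(common_name, host):
        kind = "wildcard CN" if common_name.startswith("*.") else "exact CN"
        return True, kind
    return False, "no CN match"


if __name__ == "__main__":
    # Constructed sample certificates: (host, CN, SAN list)
    samples = [
        ("www.example.com", "www.example.com", []),
        ("www.example.com", "*.example.com", []),
        ("a.b.example.com", "*.example.com", []),
        ("www.example.com", "www.example.com", ["applets.example.com"]),
        ("applets.example.com", "www.example.com", ["applets.example.com"]),
    ]
    for host, cn, san in samples:
        print(host, cn, san, "->", host_matches_cert(host, cn, san))
```

The fourth sample is the case that surprises people: the Common Name matches the host exactly, but the certificate is still rejected because a SAN list is present and does not contain the host.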

Well, I finally found the problem...

It turns out that once I cloned the trusted.certs (deployment.user.security.trusted.certs) file into the trusted.cacerts (deployment.user.security.trusted.cacerts) file, everything started working...

I do not understand what the difference is between the two stores; furthermore, in the link that I added in the question (this), it talks about the certs file for individual usage and so... it made sense to me that it should work... however, it turns out that Java thinks differently :-)

Anyways... this is the answer.

Thanks everyone for your collaboration, GBa.

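Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to reproduce them, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.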

 