[英]Adding certificate to Java truststore and Sslhandshake
I sent http request with Java Program (using HttpUrlConnection) to web site and download files from there. 我使用Java程序(使用HttpUrlConnection)将http请求发送到网站并从那里下载文件。
The website is "https" and use certificates. 该网站为“ https”并使用证书。
When I try to run my code it take exception: 当我尝试运行代码时,会出现异常:
cause javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I tried to go this web site with my Browser(Mozilla).And when I check the certificates,There are three certificates.The site contain these certs. 我试图用我的浏览器(Mozilla)转到该网站。当我检查证书时,共有三个证书。该站点包含这些证书。
DigiCert High Assurance EV Root CA DigiCert高保证EV根CA
-DigiCert High Assurance CA-3 -DigiCert高保证CA-3
-thecompanycert (Issued by DigiCert High Assurance CA-3) -thecompanycert(由DigiCert High Assurance CA-3发行)
And I check my trustsroe with keytool. 我用keytool检查我的信任。 The truststore only has the Root CA.
信任库仅具有根CA。 Is it enough or I have to import the other 2 certificate?
够了还是我必须导入其他两个证书? Or only -thecompanycert?
或仅-companycert?
What is the risks of adding intermediate certificates to the java truststore? 向Java truststore中添加中间证书有什么风险? Am I have to do this?
我必须这样做吗?
Can anyone help about that? 有人可以帮忙吗?
If the server was configured correctly, it should send the site certificate along with any/ all intermediate certificates that are required to build the trust chain. 如果服务器配置正确,则应将站点证书以及构建信任链所需的任何/所有中间证书一起发送。 It appears the site you're connecting to isn't sending the intermediate cert(s).
您似乎要连接到的站点没有发送中间证书。
If you are the site admin, you can correct this and you wouldn't have to mess around with the Java client trust store. 如果您是站点管理员,则可以更正此问题,而无需弄乱Java客户端信任库。
If you are an end user, you can add the intermediate cert(s) to the Java trust store. 如果您是最终用户,则可以将中间证书添加到Java信任库中。 You would not be required to add the site certificate.
您不需要添加站点证书。 However, do contact the site owner and request them to have this corrected.
但是,请务必与网站所有者联系,并要求他们进行更正。
I'd posted a similar answer a few days ago. 我几天前也发布了类似的答案 。
Given that that CA and intermediate CA are already present in the default truststore in recent Java version you shouldn't need to import them unless you are using an older Java version. 鉴于CA和中间CA已经存在于最新Java版本的默认信任库中,因此除非您使用的是较旧的Java版本,否则无需导入它们。 In any case it depends on how much you trust the CA but Java and most browsers already trust it.
无论如何,这取决于您对CA的信任程度,但是Java和大多数浏览器已经信任它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.