Certificate on the client's side?
I have a server application and a client application.
The server uses https, and has a .jks file. Apart from that, I use authentication with login and password.
I wonder if the client side should use a .cert certificate. I thought the client's certificate should match the server's certificate, but it seems that I was wrong.
I have some trouble understanding the topic, so please be understanding.
A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – used for instance in SSL encryption.
Keystore comes in two flavors:
1. Trust:
A trust store contains certificates that are issued by somebody you trust, like a root certificate from a CA.
2. Identity:
I wonder if the client side should use a .cert certificate.
If you mean to connect to a HTTPS service, then you should export the server's SSL certificate and import it in your server's keystore; probably you can import it in jre/lib/security/cacerts.
A client is only required to have an SSL certificate if it is 2-way SSL, meaning the client is also required to send an SSL certificate to the server because the server has requested it.
Why is it required? Because during the SSL handshake the server will send its SSL certificate and the client will validate this certificate against the trusted list of certificates present in its keystore. If it is not validated then the SSL handshake cannot be completed, and hence no communication can be established. So, you must have the server's SSL certificate inside your trusted store of certificates.
I thought the client's certificate should match the server's certificate, but it seems that I was wrong.
Yes, you are right, the SSL certificates of 2 different parties will be different.
Each party who requires an SSL certificate will generate the public-private key pair at their end and will raise a CSR request to a Certificate Authority (CA), who will generate the SSL certificate using the provided key.
To export certificate:
If it can be accessed using the web then click on the HTTPS icon, view the certificate and follow the export commands.
If it cannot be accessed using the web then use openssl to export the certificate. Use the command below:
openssl s_client -connect host:port -key our_private_key.pem -showcerts -cert our_server-signed_cert.pem
To import certificate:
Use the command:
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts
Further reading on export and import:
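To show the two cases the answer distinguishes in code, here is an added Java example (not from the question, the answer, or any project they reference). The client always loads a truststore holding the server's certificate or its issuing CA; it loads a second keystore holding its own private key and certificate only when the server is configured for 2-way SSL. The file names client-truststore.jks, client-identity.jks, the password "changeit" and the URL https://localhost:8443/ are assumed placeholders.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;

/**
 * Added example: client-side TLS setup with a truststore (always) and an
 * optional identity keystore (only for 2-way / mutual TLS).
 * All file names, passwords and the URL below are assumed placeholders.
 */
public class TlsClientExample {

    /** Loads a JKS (or PKCS12) keystore from disk with the given password. */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds the client SSLContext.
     * trustPath    - truststore containing the server certificate or its CA.
     * identityPath - keystore with the client's own key + certificate; may be
     *                null, which is the normal one-way HTTPS case (no client cert).
     */
    static SSLContext buildContext(String trustPath, char[] trustPw,
                                   String identityPath, char[] identityPw) throws Exception {
        // Trust store: decides which server certificates this client accepts.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(trustPath, trustPw));

        // Identity store: only needed when the server asks for a client certificate.
        KeyManager[] keyManagers = null;
        if (identityPath != null) {
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadKeyStore(identityPath, identityPw), identityPw);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Pass --mtls to also present the client certificate (2-way SSL).
        boolean mutual = args.length > 0 && args[0].equals("--mtls");
        char[] pw = "changeit".toCharArray(); // placeholder password

        SSLContext ctx = buildContext(
                "client-truststore.jks", pw,
                mutual ? "client-identity.jks" : null,
                mutual ? pw : null);

        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier stays in place: the server certificate
        // must be trusted AND match the host name, otherwise the handshake fails
        // with an SSLHandshakeException before any HTTP status is returned.
        System.out.println("HTTP " + conn.getResponseCode()
                + " negotiated with " + conn.getCipherSuite());
    }
}
```

If the server only requires login and password, run it without --mtls: the client then holds no certificate of its own, just the truststore that lets it validate the server. A handshake failure in the one-way case almost always means the server's certificate (or its CA) is missing from the truststore, which is exactly the import step the answer describes.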