我可以使用keytool创建没有密码的Java信任库吗?
[英]Can I create a Java trust store without a password using keytool?
问题描述
I want to connect to a TLS server with a self-signed certificate, so I need a custom trust store. 
我想连接到带有自签名证书的TLS服务器,因此我需要一个自定义信任存储。 keytool seems to absolutely require a password in order to import the certificate, but I really don't need to password-protect the trust store. keytool似乎绝对需要密码才能导入证书,但我真的不需要密码保护信任存储。 Using the standard password "changeit" will work, but it I'd prefer to have no password at all. 使用标准密码“changeit”将起作用,但我宁愿根本没有密码。
Note that this is a "trust store" not a "key store", so there is no secret material in the trust store at all: just the server's certificate, so the client can authenticate that the server is trusted. 请注意,这是一个“信任存储”而不是“密钥存储”,因此信任存储中根本没有秘密材料:只是服务器的证书,因此客户端可以验证服务器是否可信。
Is this possible with keytool ? 这有可能与keytool ? Are there other tools that can remove the password from the trust store? 是否有其他工具可以从信任存储中删除密码? Understanding that authenticating the trust store might actually have its uses, are there any specific reasons why I should not use a trust store without a password? 了解该认证的信任存储实际上可能有用武之地,在那里我为什么不应该使用信任存储没有密码任何特殊的理由?
1 个解决方案
解决方案1
-1 已采纳 2016-07-06 13:31:23
I am pretty sure keytool will let you put in a blank password if you create a new trust store, but the problem with not having a password is that an attacker can insert any certificate they want and have it be trusted. 我很确定如果你创建一个新的信任存储,keytool会让你输入一个空密码,但是没有密码的问题是攻击者可以插入他们想要的任何证书并使其受信任。 This creates malicious opportunities such as a man-in-the-middle attack . 这会产生恶意机会,例如中间人攻击 。 Your application assumes it can trust that URL that an attacker has set up, so there's nothing stopping them from re-routing your web service calls for example. 您的应用程序假定它可以信任攻击者已设置的URL,因此没有什么可以阻止他们重新路由您的Web服务调用。
It is definitely best practice to change your key store and trust store passwords in production environments from the default. 从默认设置更改生产环境中的密钥库和信任库密码绝对是最佳做法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.