Correct way to import root and intermediate certificates in Java cacerts

My company has its own ROOT certificate. Using this certificate they signed an intermediate certificate.

Then we issued a CSR for the server certificate and signed it with the intermediate certificate.

What is the correct way to import the ROOT certificate and the intermediate into the Java cacerts file, in order to be able to establish an SSL connection with a server whose server certificate is signed by the intermediate?

I used OpenSSL to test the certificate chain on the server:

openssl s_client -showcerts -connect host:443

CONNECTED(00000003)
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
   i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
issuer=/CN=INTERMEDIATECERT
---
No client certificate CA names sent
---
SSL handshake has read 1601 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA

You only need to import the root certificate into the truststore.

 keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit  -alias aliasName -file path/to/certificate.cer

The SSL server, during the handshake, should provide the certificate and the intermediates. The TrustManager of your client will validate the certification chain until the root is found.

Note: it is recommended to use your own truststore instead of modifying cacerts.
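The following script is an added example; it is not part of the question or the answer above. It rebuilds the ROOT -> INTERMEDIATECERT -> myServer chain from the question with throwaway keys in a scratch directory and then checks it from the client's point of view with only ROOT trusted, which is the situation the answer describes. It reproduces both outcomes: the leaf verifies when the intermediate is supplied alongside it (what a server that sends its full chain gives the TrustManager), and it is rejected with the "unable to get local issuer certificate" error from the s_client output when the leaf arrives alone. The last step imports only ROOT into a separate PKCS12 truststore, as the answer recommends instead of editing cacerts. Assumptions: openssl 1.1.1 or newer on PATH; keytool from any JDK is optional and the step is skipped without it; the alias `myroot`, the file name `truststore.p12` and the scratch directory are made up for this example (`changeit` is the password from the answer).

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Builds ROOT -> INTERMEDIATECERT -> myServer with openssl, then verifies the
# leaf against a trust store that contains only ROOT.
# Assumptions: openssl 1.1.1+; keytool optional; alias/file names are invented.

WORK="${WORK:-$(mktemp -d)}"
# Throwaway P-256 keys keep the example fast; the algorithm is irrelevant to the chain logic.
KEYALG="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Issue the three certificates. Each CA certificate carries basicConstraints/keyUsage
# explicitly so that verification does not depend on the local openssl.cnf defaults.
build_chain() {
    # 1. ROOT: self-signed CA.
    openssl req -new $KEYALG -keyout "$WORK/root.key" -out "$WORK/root.csr" \
        -subj "/CN=ROOT" >/dev/null 2>&1 || return 1
    printf '%s\n' 'basicConstraints=critical,CA:true' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/root.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/root.ext" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1

    # 2. INTERMEDIATECERT: CSR signed by ROOT, a CA that may only sign end-entity certs.
    openssl req -new $KEYALG -keyout "$WORK/intermediate.key" \
        -out "$WORK/intermediate.csr" -subj "/CN=INTERMEDIATECERT" >/dev/null 2>&1 || return 1
    printf '%s\n' 'basicConstraints=critical,CA:true,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/intermediate.ext"
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 1825 \
        -extfile "$WORK/intermediate.ext" -out "$WORK/intermediate.pem" >/dev/null 2>&1 || return 1

    # 3. myServer: CSR signed by the intermediate, end-entity only.
    openssl req -new $KEYALG -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" -subj "/CN=myServer" >/dev/null 2>&1 || return 1
    printf '%s\n' 'basicConstraints=CA:false' 'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:myServer' > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.pem" \
        -CAkey "$WORK/intermediate.key" -CAcreateserial -days 365 \
        -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1
}

# Client view when the server sends leaf + intermediate and only ROOT is trusted:
# -untrusted plays the role of the handshake-supplied intermediate. Returns 0 on success.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Client view when the server sends the leaf alone: verification must fail with
# error 20 (unable to get local issuer certificate), exactly as in the s_client output.
# Returns 0 when that rejection happens.
leaf_alone_is_rejected() {
    ! openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Put only ROOT into a dedicated truststore (not the JDK's cacerts). Skipped if no JDK.
make_truststore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping truststore step"; return 0; }
    rm -f "$WORK/truststore.p12"
    keytool -importcert -noprompt -trustcacerts -storetype PKCS12 \
        -keystore "$WORK/truststore.p12" -storepass changeit \
        -alias myroot -file "$WORK/root.pem" >/dev/null 2>&1 || return 1
    keytool -list -keystore "$WORK/truststore.p12" -storepass changeit 2>/dev/null \
        | grep -q trustedCertEntry
}

if build_chain && verify_with_intermediate && leaf_alone_is_rejected && make_truststore; then
    echo "OK: leaf verifies against ROOT alone when the intermediate is sent; leaf alone is rejected (files in $WORK)"
fi
```

The `-untrusted` file stands in for the certificates the server presents during the handshake; Java's PKIX TrustManager does the same job with the certificates it receives, walking from the leaf through the untrusted intermediate until it reaches an anchor in the truststore. If `openssl s_client -showcerts` lists only certificate 0, as in the question, the fix belongs on the server (configure it to send the intermediate), not in cacerts. Point the client at the separate store with `-Djavax.net.ssl.trustStore=$WORK/truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit`.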
