Correct way to import root and intermediate certificates in Java cacerts
My company has its own ROOT certificate. Using this certificate they signed an intermediate certificate. Then we issued a CSR for the server certificate and signed it with the intermediate certificate.
What is the correct way to import the ROOT certificate and the intermediate into the Java cacerts file, in order to be able to establish an SSL connection with the server whose server certificate is signed by the intermediate?
I used OpenSSL to test the certificate chain on the server:
openssl s_client -showcerts -connect host:443
CONNECTED(00000003)
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
issuer=/CN=INTERMEDIATECERT
---
No client certificate CA names sent
---
SSL handshake has read 1601 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
You only need to import the root certificate into the truststore.
keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit -alias aliasName -file path/to/certificate.cer
The SSL server should, during the handshake, provide the server certificate and the intermediates. The TrustManager of your client will validate the certification chain until the root is found.
Note: it is recommended to use your own truststore instead of modifying cacerts.
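As an added example (not code from the question or the answer above), here is the same root-only trust configuration done from Java instead of with keytool: it builds a dedicated PKCS12 truststore containing only the company root, checks that the file really is a self-signed CA certificate before trusting it, then opens an HTTPS connection through an SSLContext backed by that truststore and prints the chain the server actually presented. The file names, the alias "company-root", the password and the host argument are assumptions. One caveat a practitioner should take from the s_client output in the question: it lists a single certificate under "Certificate chain" and reports "unable to get local issuer certificate", which means that server is sending only its leaf. The PKIX TrustManager can only walk from the leaf to the root if it gets the intermediate from somewhere, so with a root-only truststore the handshake will keep failing until the server is configured to send the intermediate as well (or the intermediate is also added to the truststore).

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class RootOnlyTrustStore {

    // Builds a PKCS12 truststore that contains only the company root CA.
    // rootCerPath and outPath are assumed file names, not values from the page.
    static KeyStore buildTrustStore(String rootCerPath, String outPath, char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root;
        try (InputStream in = new FileInputStream(rootCerPath)) {
            root = (X509Certificate) cf.generateCertificate(in);
        }
        // A root is self-signed: issuer and subject match and the signature
        // verifies with its own key. Refuse anything else so a leaf or an
        // intermediate is not accidentally installed as a trust anchor.
        if (!root.getSubjectX500Principal().equals(root.getIssuerX500Principal())) {
            throw new IllegalArgumentException("not self-signed: " + root.getSubjectX500Principal());
        }
        root.verify(root.getPublicKey()); // throws if the self-signature is bad
        if (root.getBasicConstraints() < 0) {
            throw new IllegalArgumentException("basicConstraints says CA:FALSE, not a CA certificate");
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // fresh, empty store
        ks.setCertificateEntry("company-root", root); // alias is an assumption
        try (FileOutputStream out = new FileOutputStream(outPath)) {
            ks.store(out, password);
        }
        return ks;
    }

    // Wraps the truststore in an SSLContext; the default PKIX TrustManager
    // builds the path leaf -> intermediate -> root from what the server sends.
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String rootCer = args.length > 0 ? args[0] : "root.cer";        // assumed path
        String host = args.length > 1 ? args[1] : "host";               // assumed host name
        KeyStore ts = buildTrustStore(rootCer, "company-truststore.p12", "changeit".toCharArray());

        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://" + host + ":443/").openConnection();
        conn.setSSLSocketFactory(contextFor(ts).getSocketFactory());
        conn.connect(); // handshake fails here with a PKIX path-building error if the intermediate is missing

        // Print what the server actually presented: with a root-only truststore
        // this list must include the intermediate, or the handshake cannot succeed.
        for (Certificate c : conn.getServerCertificates()) {
            System.out.println("presented: " + ((X509Certificate) c).getSubjectX500Principal());
        }
        conn.disconnect();
    }
}
```

Run it as `java RootOnlyTrustStore root.cer host`. Because the truststore is a separate file, a JDK upgrade does not silently discard the company root the way it does for edits made directly to cacerts; the same file can also be passed to any Java process with -Djavax.net.ssl.trustStore=company-truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12.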
Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original URL. For any questions contact: yoyou2525@163.com.