如何使用SSL设置MySql JDBC连接

Question

jdbc:mysql://localhost:3306/MyDb?verifyServerCertificate=true&useSSL=true&requireSSL=true

I downloaded the public certificate from the mySql server and put it into cacerts like this:

keytool.exe -import -alias mysql_dev \
    -keystore /c/dev/tools/Java/jre1.8.0_131/jre/lib/security/cacerts \
    -file rds-combined-ca-bundle.pem

I generated new keys using keytool like this:

keytool.exe -genkeypair -alias adam \
               -keypass changeit \
               -keysize 1024 \
               -keystore /c/dev/.secure/haa2xt.jks \
               -storepass changeit

So now I can see that Java is picking up both my key from the keystore and the server certificate from the truststore, but still I'm getting the PKIX error.

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I added this debug param to the command line and got some more info which all looks good, and I can see the mySql certificate in there.

-Djavax.net.debug=all

trustStore is: c:\\dev\\tools\\java\\jdk1.8.0_131\\jre\\lib\\security\\cacerts

trustStore type is : jks

[.....]

keyStore is : C:/dev/.secure/haa2xt.jks

keyStore type is : jks

keyStore provider is :

init keystore

init keymanager of type SunX509

*** found key for : adam

What have I done wrong?

Answer 1

It turns out that the keytool import command will only import the first certificate in the PEM file when there are more than one.

This was the only one I checked for as well, so I thought it was fine when actually there were about 15 that I still hadn't imported.

I used this tool to import them all: https://github.com/use-sparingly/keyutil