
KeyStore and TrustStore load failed - Private key must be accompanied by certificate chain

I have created a self-signed certificate using the following command:

keytool -genkeypair -keyalg RSA -alias test-api -keystore test-api.p12 -storepass password -validity 3650 -keysize 2048 -storetype pkcs12

I then imported this keystore into a new truststore:

keytool -import -trustcacerts -alias test-api-2018 -file test.crt -keystore trusted-keystore.p12 -storetype pkcs12

In Java, I am creating a custom SSL store provider (org.springframework.boot.context.embedded.SslStoreProvider). As part of it, I loaded the keystore and truststore using the following Java code:

try {
    try (final InputStream keyStoreStream = new ByteArrayInputStream(Base64.decode(keyStoreEncoded))) {
        keyStore = KeyStore.getInstance(KEYSTORE_TYPE_PKCS12);
        LOGGER.info("Loading a KeyStore object based on the decoded value.");
        keyStore.load(keyStoreStream, serverSslKeyPassword.toCharArray());
    }

    ....
        trustStore.load(trustStoreStream, serverSslTrustStorePassword.toCharArray());
    }

I created a custom implementation of EmbeddedServletContainerCustomizer and set the SSL provider:

public void customize(final ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
    configurableEmbeddedServletContainer.setSslStoreProvider(awsSslStoreProvider);
}

The application fails to start because of the following error:

Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
at java.security.KeyStore.setKeyEntry(KeyStore.java:1136)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:253)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
... 19 common frames omitted

I just had this problem today. The problem occurs when the security config in the application.properties file isn't configured properly; this causes the certificate chain to break.

In my case I used

server.ssl.key-password=123456789

instead of

server.ssl.key-store-password=123456789

Minor issues like this can cause issues.

This also happens when using BouncyCastle as the PKCS12 key store provider and the key alias uses incorrect upper case.

E.g. (incorrect):

server.ssl.key-alias=17B2E92E5694C7AE11A65C4A4EBFC75558399E05

Instead (correct):

server.ssl.key-alias=17b2e92e5694c7ae11a65c4a4ebfc75558399e05

The strange thing about this error is that the key is found, so obviously it is not case-sensitive, but the check for ks.getCertificateChain(keyAlias) is.
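A small pre-flight check, added here as an example (it is not code from the question, either answer, Spring Boot or Tomcat), that runs the same KeyStore calls the stack trace and the two answers point at (getKey and getCertificateChain) before Tomcat gets to setKeyEntry, so a wrong key password or an alias whose case does not match the stored entry is reported directly. The keystore path, passwords and alias are assumed to be passed as command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Collections;

/** Pre-flight check for the key entry Tomcat will hand to KeyStore.setKeyEntry(). */
public class KeyStoreChainCheck {

    /** Returns a human-readable verdict; I/O errors and a wrong key password propagate as exceptions. */
    public static String check(String path, char[] storePass, char[] keyPass, String wantedAlias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);   // wrong store password fails here, not at setKeyEntry
        }
        String stored = null;
        for (String a : Collections.list(ks.aliases())) {
            if (a.equalsIgnoreCase(wantedAlias)) { stored = a; break; }
        }
        if (stored == null) {
            return "alias '" + wantedAlias + "' not found; present: " + Collections.list(ks.aliases());
        }
        if (!stored.equals(wantedAlias)) {
            // A provider may find the key case-insensitively while getCertificateChain() does not.
            return "alias case mismatch: configured '" + wantedAlias + "', stored '" + stored + "'";
        }
        if (!ks.isKeyEntry(stored)) {
            return "alias '" + stored + "' is a trusted-certificate entry, not a private key";
        }
        Key key = ks.getKey(stored, keyPass);              // wrong key password -> UnrecoverableKeyException
        Certificate[] chain = ks.getCertificateChain(stored);
        if (!(key instanceof PrivateKey)) return "entry under '" + stored + "' is not a private key";
        if (chain == null || chain.length == 0) {
            return "private key has no certificate chain (Tomcat would reject it)";
        }
        return "ok: private key with certificate chain of length " + chain.length;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <keystore.p12> <store password> <key password> <alias>
        System.out.println(check(args[0], args[1].toCharArray(), args[2].toCharArray(), args[3]));
    }
}
```

For a keytool-generated PKCS12 file the key password is normally the same as the store password, so passing `server.ssl.key-password` where `server.ssl.key-store-password` was expected shows up here as a failure in ks.load rather than in getKey.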
