Retrieve and use Root-CA list of Microsoft or Mozilla and use it in Java?
The list of included root-CA certificates in OpenJDK for Windows is quite impressive but there are a lot of root-CA certificates that are trusted by common browsers like Firefox that are not trusted by Java.
Both Microsoft and Mozilla publish their current list of root-CA certificates but the used file format seems to be proprietary.
The curl project has an automatic converter that uses the Mozilla file as source, however this converter (mk-ca-bundle) is a Perl script.
Is there a way to read one of these lists with plain Java so that it can be used as trust store afterwards?
OpenJDK describes how they build the cacerts file in the Security files for OpenJDK repo. The script downloads the certificates from Mozilla:
wget https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
As per the repo instructions you could build your own cacerts file that will trust another list of certificates of your own choosing:
Download the following Perl script: https://raw.githubusercontent.com/curl/curl/master/lib/mk-ca-bundle.pl
Download the following Java application: https://github.com/use-sparingly/keyutil/releases/download/0.4.0/keyutil-0.4.0.jar (source available at https://github.com/use-sparingly/keyutil )
Run the provided GenerateCertsFile.sh script with: bash ./GenerateCertsFile.sh - this will use the above files assuming they're located in the same directory as the script
Use the cacerts provided: it must be in the jdk/jre/lib/security or jdk/lib/security folder
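For the "plain Java" half of the question, the following is an added example, not code from the original answer or from the OpenJDK or curl projects: it loads a PEM bundle into an in-memory trust store and builds a TLS context that trusts only those CAs. It assumes the bundle is the ca-bundle.crt file written by mk-ca-bundle.pl (which has already applied Mozilla's trust flags); the class name PemBundleTrustStore and the ca-N aliases are made up for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Base64;
import java.util.regex.*;
import javax.net.ssl.*;

public class PemBundleTrustStore {
    private static final Pattern PEM = Pattern.compile(
        "-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", Pattern.DOTALL);
    // Builds an in-memory trust store holding only the CAs found in the PEM text.
    static KeyStore fromPem(String pemText) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start empty: nothing from the JDK's own cacerts
        Matcher m = PEM.matcher(pemText);
        for (int i = 0; m.find(); i++) {
            // The MIME decoder ignores the line breaks inside the PEM body.
            byte[] der = Base64.getMimeDecoder().decode(m.group(1));
            X509Certificate cert =
                (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
            try {
                cert.checkValidity(); // skip expired or not-yet-valid roots
            } catch (CertificateException e) {
                System.err.println("skipped: " + cert.getSubjectX500Principal());
                continue;
            }
            ks.setCertificateEntry("ca-" + i, cert); // hypothetical alias scheme
        }
        return ks;
    }
    // TLS context that trusts exactly this store; the JVM-wide default is untouched.
    static SSLContext contextFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        // args[0]: PEM bundle path (assumed: ca-bundle.crt written by mk-ca-bundle.pl)
        byte[] raw = Files.readAllBytes(Paths.get(args[0]));
        KeyStore ks = fromPem(new String(raw, StandardCharsets.UTF_8));
        System.out.println(ks.size() + " CAs loaded for " + contextFor(ks).getProtocol());
    }
}
```

Calling ks.store(outputStream, password) on the returned KeyStore writes it to a file that can be passed to a JVM with -Djavax.net.ssl.trustStore, instead of replacing the JDK's cacerts.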