为什么我的 QuoVadis 证书在 Java 应用程序中无效?
[英]Why is my QuoVadis certificate not valid in a Java app?
问题描述
I've a signed server certificate by QuoVadis.
我有 QuoVadis 签署的服务器证书。 If I access my server with the browser everything is fine, but if I try it from a Java app or via NodeJS script I receive an issue that my certificate path couldn't be validated?如果我使用浏览器访问我的服务器,一切都很好,但如果我从 Java 应用程序或通过 NodeJS 脚本尝试它,我会收到无法验证我的证书路径的问题?
What is the reason?是什么原因? My thought is, that some certification authorities like QuoVadis or others root CA are included in Java etc, isn't it?我的想法是,像 QuoVadis 或其他根 CA 等一些证书颁发机构包含在 Java 等中,不是吗?
1 个解决方案
解决方案1
1 已采纳 2020-05-19 01:24:23
... certification authorities like QuoVadis or others root CA are included in Java etc, isn't it?
For Java, it varies.对于 Java,它会有所不同。 Oracle (formerly Sun) builds of Java by default use their own set of root CAs, in the file JRE/lib/security/cacerts which is installed as part of Java, but this file can be modified and Java processes (JVMs) or programs can override the default. Oracle (formerly Sun) builds of Java by default use their own set of root CAs, in the file JRE/lib/security/cacerts which is installed as part of Java, but this file can be modified and Java processes (JVMs) or programs可以覆盖默认值。 OpenJDK varies; OpenJDK各不相同; some builds similarly default to cacerts, while some default to a cert store provided by the platform they use, such as Linux or MacOS.一些构建同样默认为 cacerts,而一些默认为他们使用的平台提供的证书存储,例如 Linux 或 MacOS。 You didn't say what Java and/or platform(s) you use.你没有说你使用什么 Java 和/或平台。
For 'etc' it varies even more.对于“等”,它的变化更大。 NodeJS uses OpenSSL, which similarly has a default that can depend on build and/or platform. NodeJS 使用 OpenSSL,它同样有一个默认值,可以依赖于构建和/或平台。 You don't give details or any clue what the other things(?) are.你没有提供细节或任何线索其他的东西(?)是什么。
However, more likely this isn't the root cert at all .但是,更有可能这根本不是根证书。 All public CAs, including QuoVadis, issue end-entity or 'leaf' certs that require use of at least one intermediate or 'chain cert' for validation, and sometimes more than one.所有公共 CA,包括 QuoVadis,颁发最终实体或“叶”证书,需要使用至少一个中间证书或“链证书”进行验证,有时甚至不止一个。 (All) TLS standards require the server to send this chain cert (or these certs) as part of the handshake, and every CA I have seen gives instructions on which chain cert(s) to use, eg in this case https://support.quovadisglobal.com/kb/a469/understanding-the-trust-link-downloads-page.aspx . (全部)TLS 标准要求服务器发送这个链证书(或这些证书)作为握手的一部分,我见过的每个 CA 都给出了使用哪个链证书的说明,例如在这种情况下https:// support.quovadisglobal.com/kb/a469/understanding-the-trust-link-downloads-page.aspx 。 However, since many servers are operated by people who never read or follow instructions, most major browsers have workarounds that allow them to build and validate the cert chain even when the server breaks the rules.但是,由于许多服务器是由从不阅读或遵循说明的人操作的,因此大多数主流浏览器都有变通办法,即使服务器违反规则,它们也可以构建和验证证书链。 Java and NodeJS/OpenSSL clients (among others) do not do this, so if the server fails to send the correct chain they fail validation. Java 和 NodeJS/OpenSSL 客户端(以及其他)不这样做,因此如果服务器未能发送正确的链,它们将无法验证。
If this is a public HTTPS server, https://www.ssllabs.com/ssltest will tell you, in addition to (much) other info about the TLS implementation and configuration, whether the server is sending or missing chain cert(s).如果这是一个公共 HTTPS服务器, https://www.ssllabs.com/ssltest会告诉您,除了(很多)有关 TLS 实施和配置的其他信息之外,服务器是否正在发送或缺少链证书. For other servers, there are other tools, but the ones I know require some thought or knowledge by the user.对于其他服务器,还有其他工具,但我知道的那些需要用户的一些想法或知识。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.