如何在 Eclipse 中使用 p12 证书?
[英]How to use p12 certificate in Eclipse?
问题描述
I am getting following error while accessing the our server..
访问我们的服务器时出现以下错误..
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure
I have a .p12 certificate..
When i give the path of the ssl certificate and password in Soap UI.当我在 Soap UI 中给出 ssl 证书和密码的路径时。 it is working perfectly.. I wanted to do it in Java/Eclipse它工作得很好..我想在 Java/Eclipse 中做到这一点
https://jackstromberg.com/2013/05/importing-a-ssl-certificate-into-a-java-keystore-via-a-pkcs12-file/ https://jackstromberg.com/2013/05/importing-a-ssl-certificate-into-a-java-keystore-via-a-pkcs12-file/
Followed the step 1, 2 and 4 to create keystore and import it..
placed mykeystore and mycertificate in C:\Program Files\Java\jdk1.8.0_261\jre\bin
while importing I am getting following message..
C:\Program Files\Java\jdk1.8.0_261\jre\bin>keytool -v -importkeystore -srckeystore mycertificate.p12 -srcstoretype PKCS12 -destkeystore mykeystore -deststoretype JKS
Importing keystore mycertificate.p12 to mykeystore...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias fcs certificate successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[Storing mykeystore]
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mykeystore -destkeystore mykeystore -deststoretype pkcs12".
Added the following in eclipse config file在 eclipse 配置文件中添加了以下内容
-Djavax.net.ssl.trustStore="C:/Program Files/Java/jdk1.8.0_261/jre/lib/security/cacerts"
-Djavax.net.ssl.trustStorePassword=changeit
Restarted the eclipse and trying to run that but still getting handshake failure..
Is all my procedure correct?我所有的程序都正确吗?
When debug enabled.. getting below error启用调试时.. 低于错误
javax.net.ssl|ALL|01|main|2020-11-09 18:28:51.118 IST|null:-1|No X.509 cert selected for RSA
javax.net.ssl|WARNING|01|main|2020-11-09 18:28:51.118 IST|null:-1|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|01|main|2020-11-09 18:28:51.118 IST|null:-1|No X.509 cert selected for EC
The other way , I tried this as well.另一种方式,我也试过这个。
Exported certificate from the browser..从浏览器导出的证书..
https://www.javasavvy.com/import-ssl-certificate-into-java-keystore/ https://www.javasavvy.com/import-ssl-certificate-into-java-keystore/
still getting same error.仍然得到同样的错误。
2 个解决方案
解决方案1
3 已采纳 2020-11-12 12:05:15
I think your problem is that you are not configuring your trust store correctly.我认为您的问题是您没有正确配置您的信任存储。
You need to configure the javax.net.ssl.trustStore with the keystore created, something like:您需要使用创建的密钥库配置javax.net.ssl.trustStore ,例如:
-Djavax.net.ssl.trustStore=/path/to/mykeystore.jks
If you ran keytool from C:\\Program Files\\Java\\jdk1.8.0_261\\jre\\bin , the keystore will be possibly in that directory.如果您从C:\\Program Files\\Java\\jdk1.8.0_261\\jre\\bin运行keytool ,则密钥库可能位于该目录中。 Try something similar to:尝试类似的东西:
-Djavax.net.ssl.trustStore="/Program Files/Java/jdk1.8.0_261/jre/bin/mykeystore.jks" -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=changeit
You can also indicate the keystore type:您还可以指明密钥库类型:
-Djavax.net.ssl.trustStore="/Program Files/Java/jdk1.8.0_261/jre/bin/mykeystore.jks" -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=changeit
Reviewing the article that you followed in your setup I think your keys are well suited for the use of secure communications, and that the actual problem is that Eclipse is not seeing the right keystore, but please, also consider the following stack overflow question: Java 11 and 12 SSL sockets fail on a handshake_failure error with TLSv1.3 enabled , perhaps if can be of help.查看您在设置中遵循的文章,我认为您的密钥非常适合使用安全通信,而实际问题是 Eclipse 没有看到正确的密钥库,但请同时考虑以下堆栈溢出问题: Java 11 和 12 SSL 套接字在启用 TLSv1.3 的情况下因 handshake_failure 错误而失败,也许会有所帮助。
UPDATE更新
Although ideally suited for SSL client authentication, in this specific use case, configuring javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword solved the problem:尽管非常适合 SSL 客户端身份验证,但在此特定用例中,配置javax.net.ssl.keyStore和javax.net.ssl.keyStorePassword解决了该问题:
-Djavax.net.ssl.keyStore="C:\Users\3020722\OneDrive - FIS\Desktop\certificate\newjks.jks" \
-Djavax.net.ssl.keyStorePassword=changeit
Thank you very much for the feedback @ChanGan!!非常感谢@ChanGan 的反馈!!
解决方案2
0 2020-11-19 07:52:32
Few main points to consider before proceeding.在继续之前需要考虑的几个要点。 I'm not sure if all of them have been addressed or not in your context.我不确定在您的上下文中是否已解决所有这些问题。 So these are the following points to check before going forward.因此,在继续之前,需要检查以下几点。
Let's say there are two applications App1 and App2 and these two are talking to each other.假设有两个应用程序 App1 和 App2,这两个应用程序正在相互通信。
If both have ssl disabled then no issues.如果两者都禁用了 ssl,则没有问题。 But if we want to ensure traffic is encrypted between them we need SSL.但是如果我们想确保它们之间的流量被加密,我们需要 SSL。
So for both of them to talk to each other the following should be checked properly.因此,为了让他们彼此交谈,应正确检查以下内容。
One way SSL: Certificate of App2 has to be present in trust Store of App1.一种方式 SSL:App2 的证书必须存在于 App1 的信任存储中。 Certificate of App1 has to be present in trust store of App2. App1 的证书必须存在于 App2 的信任存储中。
Note that truststore is different from key store.请注意,信任库与密钥库不同。 A Keystore contains files which are related to application. Keystore 包含与应用程序相关的文件。 In this App1, App2 context lets say C1 is certificate of App1 and C2 is certificate of App2.在这个 App1 中,App2 上下文可以说 C1 是 App1 的证书,C2 是 App2 的证书。
So the key store and trust stores will be as follows:所以密钥库和信任库如下:
KeyStore of App1: C1 App1的KeyStore:C1
TrustStore of App1: C2 App1 的 TrustStore:C2
KeyStore of App2: C2 App2的KeyStore:C2
Trust Store of App2: C1 App2的信任存储:C1
To understand better lets introduce App3 with certificate C3 and all are mutually talking to each other.为了更好地理解,让我们介绍带有证书 C3 的 App3,并且所有这些都相互交谈。
Now the new scenario will be: KeyStore of App1: C1现在新的场景将是: App1 的 KeyStore:C1
Trust Store of App1: C2, C3 App1的信任存储:C2、C3
KeyStore of App2: C2 App2的KeyStore:C2
Trust Store of App2: C1, C3 App2的信任存储:C1、C3
KeyStore of App3: C3 App3的KeyStore:C3
Trust Store of App3: C1, C2 App3的信任存储:C1、C2
Make sure you get these concepts right.确保你正确理解这些概念。
So now you're trying to talk to some server from your local application.所以现在您正在尝试从本地应用程序与某个服务器通信。 So you need to add the server's certificate to your local java cacerts (acts as local trust store) (which you mentioned is correct) and there is no need to mention the trust store separately if you're using the java cacerts.因此,您需要将服务器的证书添加到本地 java cacerts(充当本地信任库)(您提到的是正确的),如果您使用 java cacerts,则无需单独提及信任库。
Just try checking if you have configured correct java environment in eclipse.只需尝试检查您是否在 eclipse 中配置了正确的 java 环境。 For example i have three versions of java on my machine.例如,我的机器上有三个版本的 java。 1.8_201, 1.8_181 and java 11. 1.8_201、1.8_181 和 java 11。
There is a chance that eclipse can use a latest version. eclipse 有可能使用最新版本。 So in that case check the project settings and check if you are using correct jdk (to which you have added the certs)因此,在这种情况下,请检查项目设置并检查您是否使用了正确的 jdk(已添加证书)
To add the certs to cacerts you can use something like this:要将证书添加到 cacerts,您可以使用以下内容:
$JAVA_HOME/jre/bin/keytool -v -alias -import -file -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass -noprompt $JAVA_HOME/jre/bin/keytool -v -alias -import -file -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass -noprompt
First try to ensure that you're able to start the service from command line.首先尝试确保您能够从命令行启动服务。
$JAVA_HOME/bin/java -jar your.jar $JAVA_HOME/bin/java -jar your.jar
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.