java ssl certificate & CA

How does my java application get a public key, for example the google or facebook domains, WITHOUT THE NEED to add their .cer files in the cacerts keystore?

I suspect that the reason is that such domains use a well-known Certification Authority, CA, that may already be in the java cacerts keystore file (depending on the Java version? I tried to see if there are certificates with validity up to 2030-2040, or I'm wrong in my theory). But if I guess correctly, then where are the public keys from these domains stored? I would like an expert opinion on this matter.

You are correct - if a cert provided by a server is not signed by a recognised CA then the cert that signed the provided cert needs to be added to CACERTS. By recognised CA I mean one that is in the CACERTS of the default Java install.

Strictly speaking it's a bit more complicated. A cert will be trusted if its signing path (signed-by, signed-by...) can be traced back, through the cert chain provided by the server, to one in CACERTS.

The public keys are part of the certs. If you want to see all the public keys in CACERTS run the following from your JAVA_HOME with bin on the path:

keytool -list -rfc -keystore jre/lib/security/cacerts

password is changeit

This will give you lots of output that will include the actual certs, e.g.:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Then use a site like this to inspect the public key - it is under 'RAW OUTPUT'

   Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (1024 bit)
            Modulus:
                00:d6:2b:58:78:61:45:86:53:ea:34:7b:51:9c:ed:
                b0:e6:2e:18:0e:fe:e0:5f:a8:27:d3:b4:c9:e0:7c:
                59:4e:16:0e:73:54:60:c1:7f:f6:9f:2e:e9:3a:85:
                24:15:3c:db:47:04:63:c3:9e:c4:94:1a:5a:df:4c:
                7a:f3:d9:43:1d:3c:10:7a:79:25:db:90:fe:f0:51:
                e7:30:d6:41:00:fd:9f:28:df:79:be:94:bb:9d:b6:
                14:e3:23:85:d7:a9:41:e0:4c:a4:79:b0:2b:1a:8b:
                f2:f8:3b:8a:3e:45:ac:71:92:00:b4:90:41:98:fb:
                5f:ed:fa:b7:2e:8a:f8:88:37
            Exponent: 65537 (0x10001)
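The same trust decision can be made from inside a Java program rather than with keytool. The following is an added example written for this page (it is not code from the asker or the answerer); it assumes the JVM's default trust manager is the standard PKIX one, that the server speaks TLS on port 443, and the class and method names (DefaultTrustInspector, printTrustAnchors, isTrustedServerChain, fetchServerChain) are made up for the illustration. It loads the default trust store exactly as the JSSE does (cacerts, or whatever -Djavax.net.ssl.trustStore points at), lists the CA certificates and their public keys, and then checks a server chain against those anchors, which shows why google's or facebook's own certificate never has to be imported: only an issuer somewhere up the chain must be present.

```java
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class name chosen for this example.
public class DefaultTrustInspector {

    // Returns the JVM's default X509TrustManager. Initialising the factory with a
    // null KeyStore tells it to load the default trust store: the file named by
    // -Djavax.net.ssl.trustStore if set, otherwise $JAVA_HOME/lib/security/cacerts
    // (jre/lib/security/cacerts on JDK 8 and older).
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager in default factory");
    }

    // Lists every trust anchor (CA certificate) with its expiry and public key:
    // the same information `keytool -list -rfc` prints in PEM form.
    static void printTrustAnchors(X509TrustManager tm) {
        X509Certificate[] anchors = tm.getAcceptedIssuers();
        System.out.println(anchors.length + " trust anchors in the default trust store");
        for (X509Certificate ca : anchors) {
            PublicKey key = ca.getPublicKey();
            String keyInfo = key.getAlgorithm();
            if (key instanceof RSAPublicKey) {
                keyInfo += " " + ((RSAPublicKey) key).getModulus().bitLength() + " bit";
            }
            System.out.printf("%-70s expires %tF  %s%n",
                    ca.getSubjectX500Principal().getName(), ca.getNotAfter(), keyInfo);
        }
    }

    // Validates a server chain (leaf first) against the default trust store, i.e.
    // the PKIX path building the JSSE itself performs during a TLS handshake.
    // The server's own certificate never needs to be in cacerts; an issuer
    // somewhere up the chain does.
    static boolean isTrustedServerChain(X509TrustManager tm, X509Certificate[] chain) {
        // authType names the TLS key exchange; the default trust manager uses it
        // to decide which key-usage bits the leaf must carry. ECDHE_* only needs
        // digitalSignature, which every signing leaf certificate has.
        String authType = "RSA".equals(chain[0].getPublicKey().getAlgorithm())
                ? "ECDHE_RSA" : "ECDHE_ECDSA";
        try {
            tm.checkServerTrusted(chain, authType);
            return true;
        } catch (CertificateException e) {
            System.out.println("chain rejected: " + e.getMessage());
            return false;
        }
    }

    // Fetches the chain a live server presents (needs network access). chain[0]
    // is the leaf; the last element is usually an intermediate whose issuer is a
    // root stored in cacerts.
    static X509Certificate[] fetchServerChain(String host) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, 443)) {
            socket.startHandshake();
            Certificate[] certs = socket.getSession().getPeerCertificates();
            return Arrays.copyOf(certs, certs.length, X509Certificate[].class);
        }
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = defaultTrustManager();
        printTrustAnchors(tm);
        if (args.length > 0) {
            X509Certificate[] chain = fetchServerChain(args[0]);
            for (X509Certificate c : chain) {
                System.out.println("  " + c.getSubjectX500Principal().getName()
                        + "  issued by  " + c.getIssuerX500Principal().getName());
            }
            System.out.println("trusted by default store: " + isTrustedServerChain(tm, chain));
        }
    }
}
```

Run it with no arguments to dump the anchors, or with a hostname (for example `java DefaultTrustInspector www.google.com`) to see the chain the server sends and the verdict. Because the default SSLSocketFactory already enforces the same trust store, a server whose chain does not lead to a cacerts anchor fails at startHandshake with an SSLHandshakeException before isTrustedServerChain is ever reached; that failure is the symptom the question describes, and adding the missing issuer (not the leaf) to the trust store is the fix.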
