Java web service over https - How to add a self-signed certificate into a client api?

I have a "Hello World" web service created with axis2. I would like to write a client API which could use this service over HTTPS with a self-signed certificate. I have a self-signed certificate myCertificate.cer and a keystore containing it.

Here is my client API:

public class MyApi {

    public Object callMyService() throws Exception {

        Axis2TestStub stub = new Axis2TestStub(
                "https://localhost:8443/axis2/services/Axis2Test");

        // JVM-wide trust store holding the server's self-signed certificate
        System.setProperty("javax.net.ssl.trustStore",
                "src/main/resources/myKeystore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        Hello request = new Hello();
        request.setMot("World");
        HelloResponse response = stub.hello(request);
        Object mot = response.get_return();
        return mot;
    }
}

It works, but I would like to use myCertificate.cer and not a keystore containing it. Does someone know how to do that? I tried to override the https protocol with no success:

// HttpSecureProtocol / TrustMaterial are the not-yet-commons-ssl (org.apache.commons.ssl) classes
HttpSecureProtocol myHttpsProtocol = new HttpSecureProtocol();
myHttpsProtocol.setCheckHostname(false); // hostname verification disabled here
myHttpsProtocol.addTrustMaterial(new TrustMaterial("myCertificate.cer"));
Protocol customHttps = new Protocol("https",
        (ProtocolSocketFactory) myHttpsProtocol, 8443);
Protocol.registerProtocol("https", customHttps);

I would like to write a client api which could use this service over https with a self-signed certificate. I have a self-signed certificate myCertificate.cer and a keystore containing it.

The server key store does contain the server's self-signed certificate and private key and is used by the server to sign messages and to return credentials to the client.

On the client side, you need to import the server certificate into the client trust store (and generally, you don't want the private key in the client trust store, so you extract a stand-alone certificate file, i.e. without the private key, and then you import that server certificate into the trust store).

It works but I would like to use myCertificate.cer and not a keystore containing it.

It's not a key store but a trust store, and adding the certificate to the client trust store is required because self-signed certificates are not signed by a root CA and are not trusted by default. So you need to create a chain of trust.

Now, you can maybe distribute the trust store in the JAR of the client API. This approach is discussed in this thread (the biggest problem being that you'll have to redistribute the JAR when the server certificate expires). Personally, I don't really like this solution.

IMHO, the good solution if you want to skip the trust store stuff would be to buy a real certificate from a widely-known certificate vendor for which you already have root CA certificates in the trust store (like Verisign, Thawte).
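The middle ground between the two answers, as an added example that is not from the question or either answer: load myCertificate.cer (assumed to exist, DER or PEM) into an in-memory trust store at runtime and build an SSLContext from it, so no .jks file and no JVM-wide system property is needed. The class and method names are mine; hostname verification is deliberately left enabled.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SelfSignedTrust {

    /**
     * Builds an SSLContext that trusts exactly the certificate in cerPath and
     * nothing else: the JDK cacerts file is not consulted, so an unrelated
     * CA-signed certificate presented by a man in the middle is rejected.
     */
    public static SSLContext contextTrusting(String cerPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(cerPath)) {
            serverCert = (X509Certificate) cf.generateCertificate(in);
        }
        serverCert.checkValidity(); // fail early on an expired or not-yet-valid cert

        // In-memory trust store: certificate only, never the server's private key
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty store, nothing read from disk
        trustStore.setCertificateEntry("server", serverCert);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed path: the .cer exported from the server keystore, as in the question
        SSLContext ctx = contextTrusting("myCertificate.cer");
        // Enough for HttpsURLConnection-based clients. Axis2's default transport uses
        // commons-httpclient, which needs ctx.getSocketFactory() wrapped in its own
        // ProtocolSocketFactory and registered the way the question's second snippet does.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification stays on: the cert's CN/SAN must match "localhost".
    }
}
```

Because the trust store is built from the certificate file at startup, renewing the server certificate only means replacing the .cer, not rebuilding the client JAR.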

I would just add the certificate to the cacerts file of the JDK running your app. If you do this then you won't have to do anything else. The code you have above wouldn't be required. You add the certificate to the keystore by running a command similar to the one below:

C:/<jdk-version>/bin/keytool -import -alias myalias -file mycert.crt -keystore C:/<jdk-version>/jre/lib/security/cacerts
