
Java certificate based authentication

I have a thrift endpoint that someone created who is no longer with our company. They implemented the authentication via client side certs, but I am having a hard time wrapping my head around how it all works. Does anyone know of a tutorial or howto on this topic?

All I really have is a sample client class. Here is a list of things that I need help with:

  1. Can a server cert and the client cert both be contained in the same trust store?
  2. How do you create a new client side cert?
  3. How do you add that client side cert to the server trust store?
  4. Do you need to set the client trust store, and set the java trust (assuming the server is a self signed endpoint)?
  5. What does the following error mean?

    ERROR[com.cada.CadaDaoTest][main] - Error: org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

The truststore (on Tomcat it's configured for the SSL connector in server.xml) can hold the root of the certificate chain of the client certificate, not the certificate itself. That is, when a certificate is created, it is signed by a CA - certificate authority. If the CA cert is trusted, all certs signed by the CA are trusted as well.

You can create certificates using either keytool (in jdk/bin/) or openssl. There are GUIs for that, like portecle.

The tomcat ssl tutorial might be helpful.
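The CA relationship the answer describes, as an added example that is not part of the original post: a throwaway CA signs a client certificate, the client key and cert are bundled into a PKCS#12 keystore for the Java client, and the CA cert (not the client cert) goes into the server truststore. All names, subjects, file paths and the `changeit` password are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Every name, subject and password here is constructed.
set -euo pipefail
WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # placeholder store password

# Self-signed CA. Its certificate ($1.pem) is what the server truststore holds.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Client key + CSR, signed by CA $1; output is client cert $2.pem.
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# Bundle client key and cert as PKCS#12, a keystore format Java can load.
make_client_keystore() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
    -name "$1" -passout "pass:$PASS" -out "$WORK/$1.p12"
}

# Does client cert $2 chain to CA $1? Approximates the check a server makes
# against its truststore when the client presents its certificate.
chain_ok() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Import CA cert $1 into a server truststore (skipped if keytool is absent).
import_ca() {
  command -v keytool >/dev/null || return 0
  keytool -importcert -noprompt -alias "$1" -file "$WORK/$1.pem" \
    -keystore "$WORK/server-truststore.p12" -storetype PKCS12 \
    -storepass "$PASS" >/dev/null
}

make_ca demo-ca && make_ca unrelated-ca
issue_client_cert demo-ca demo-client
issue_client_cert unrelated-ca stray-client
make_client_keystore demo-client
import_ca demo-ca
chain_ok demo-ca demo-client && echo "demo-client: chains to demo-ca"
chain_ok demo-ca stray-client || echo "stray-client: rejected, unknown issuer"
```

A certificate issued by a CA that is not in the truststore fails the chain check, which is the condition to rule out first when a handshake is refused over the client certificate.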
