Trust Store vs Key Store - creating with keytool

I understand that the keystore would usually hold private/public keys and the trust store only public keys (and represents the list of trusted parties you intend to communicate with). Well, that's my first assumption, so if that's not correct, I probably haven't started very well...

I was interested though in understanding how / when you distinguish the stores when using keytool.

So far I've created a keystore using

keytool -import -alias bob -file bob.crt -keystore keystore.ks

which creates my keystore.ks file. I answer yes to the question "do I trust bob", but it is unclear to me whether this has created a keystore file or a truststore file. I can set up my application to use the file as either:

-Djavax.net.ssl.keyStore=keystore.ks -Djavax.net.ssl.keyStorePassword=x
-Djavax.net.ssl.trustStore=keystore.ks -Djavax.net.ssl.trustStorePassword=x

and with System.setProperty("javax.net.debug", "ssl") set, I can see the certificate under trusted certifications (but not under the keystore section). The particular certificate I'm importing has only a public key and I intend to use it to send stuff over an SSL connection to Bob (but perhaps that's best left for another question).

Any pointers or clarifications would be much appreciated. Is the output of keytool the same whatever you import, and is it just convention that says one is a keystore and the other a trust store? What's the relationship when using SSL etc?

The terminology is a bit confusing indeed, but both javax.net.ssl.keyStore and javax.net.ssl.trustStore are used to specify which keystores to use, for two different purposes. Keystores come in various formats and are not even necessarily files (see this question), and keytool is just a tool to perform various operations on them (import/export/list/...).

The javax.net.ssl.keyStore and javax.net.ssl.trustStore parameters are the default parameters used to build KeyManagers and TrustManagers (respectively), then used to build an SSLContext which essentially contains the SSL/TLS settings to use when making an SSL/TLS connection via an SSLSocketFactory or an SSLEngine. These system properties are just where the default values come from, which are then used by SSLContext.getDefault(), itself used by SSLSocketFactory.getDefault() for example. (All of this can be customized via the API in a number of places, if you don't want to use the default values and want specific SSLContexts for a given purpose.)

The difference between the KeyManager and TrustManager (and thus between javax.net.ssl.keyStore and javax.net.ssl.trustStore) is as follows (quoted from the JSSE ref guide):

TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.

KeyManager: Determines which authentication credentials to send to the remote host.

(Other parameters are available and their default values are described in the JSSE ref guide. Note that while there is a default value for the trust store, there isn't one for the key store.)

Essentially, the keystore in javax.net.ssl.keyStore is meant to contain your private keys and certificates, whereas the javax.net.ssl.trustStore is meant to contain the CA certificates you're willing to trust when a remote party presents its certificate. In some cases, they can be one and the same store, although it's often better practice to use distinct stores (especially when they're file-based).

To explain in terms of a common use case/purpose, or in layman's terms:

TrustStore: Used to store the certificates of trusted entities. A process can maintain a store of certificates of all the trusted parties which it trusts.

keyStore: Used to store the server keys (both public and private) along with the signed certificate.

During the SSL handshake,

  1. A client tries to access https://

  2. And thus, the server responds by providing an SSL certificate (which is stored in its keyStore)

  3. Now, the client receives the SSL certificate and verifies it via the trustStore (i.e. the client's trustStore already has a pre-defined set of certificates which it trusts). It's like: Can I trust this server? Is this the same server whom I am trying to talk to? No man-in-the-middle attacks?

  4. Once the client verifies that it is talking to a server which it trusts, SSL communication can happen over a shared secret key.

Note: I am not talking here about client authentication on the server side. If a server wants to do client authentication too, then the server also maintains a trustStore to verify the client. Then it becomes mutual TLS.
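The two answers above describe the same machinery from two sides: the JSSE objects (KeyManager, TrustManager, SSLContext) and the handshake steps. The Java program below is an added example, not code from either answer. It wires the stores up through the API instead of the javax.net.ssl.* system properties and runs four loopback handshakes: a client whose trust store holds the server's certificate; a client with an empty trust store (rejected by its own TrustManager); a server that demands client authentication from a client that has no KeyManager (rejected by the server); and a mutual-TLS handshake in which the same PKCS12 file doubles as the client's key store. The file names server.p12 and client-truststore.p12, the password changeit and the keytool commands in the header comment are assumptions; run those commands first.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import javax.net.ssl.*;

/*
 * Added example (not from the original answers). Assumed inputs, created with keytool
 * beforehand (file names and the password "changeit" are assumptions):
 *   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
 *     -dname CN=localhost -ext SAN=dns:localhost,ip:127.0.0.1 \
 *     -keystore server.p12 -storetype PKCS12 -storepass changeit
 *   keytool -exportcert -alias server -keystore server.p12 -storepass changeit -rfc -file server.cer
 *   keytool -importcert -alias server -file server.cer -noprompt \
 *     -keystore client-truststore.p12 -storetype PKCS12 -storepass changeit
 */
public class StoreRoles {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // PKCS12; also reads JKS on JDK 9+
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // KeyManager: "which credentials do I send?" A null store means: send none.
    static KeyManager[] keyManagers(KeyStore keyStore, char[] keyPassword) throws Exception {
        if (keyStore == null) return null;
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        return kmf.getKeyManagers();
    }

    // TrustManager: "do I accept the credentials the peer sent?" (tmf.init(null) would fall
    // back to jssecacerts/cacerts, the same default the system property has)
    static TrustManager[] trustManagers(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    static SSLContext context(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers(keyStore, keyPassword), trustManagers(trustStore), null);
        return ctx;
    }

    // One handshake over the loopback; returns the subject of the certificate the server presented.
    static String handshake(SSLContext serverCtx, boolean needClientAuth, SSLContext clientCtx) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try (SSLServerSocket server = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0)) {
            server.setNeedClientAuth(needClientAuth); // mutual TLS: the server now consults its TrustManager too
            Future<?> serverSide = pool.submit(() -> {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake();
                }
                return null;
            });
            try (SSLSocket client = (SSLSocket) clientCtx.getSocketFactory()
                    .createSocket("localhost", server.getLocalPort())) {
                SSLParameters p = client.getSSLParameters();
                p.setEndpointIdentificationAlgorithm("HTTPS"); // "is this the server I meant to talk to?"
                client.setSSLParameters(p);
                client.startHandshake();                       // throws if the client TrustManager rejects the chain
                X509Certificate peer = (X509Certificate) client.getSession().getPeerCertificates()[0];
                serverSide.get();                              // surfaces a server-side rejection (e.g. no client cert)
                return peer.getSubjectX500Principal().getName();
            }
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        KeyStore serverKeys = load("server.p12", pw);              // private key + certificate
        KeyStore clientTrust = load("client-truststore.p12", pw);  // the server's certificate only
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);                                    // trusts nobody

        SSLContext server = context(serverKeys, pw, clientTrust);
        System.out.println("1) trusted: server presented " + handshake(server, false, context(null, null, clientTrust)));
        try {
            handshake(server, false, context(null, null, empty));
        } catch (Exception e) {
            System.out.println("2) client TrustManager rejected the server: " + e);
        }
        try {
            handshake(server, true, context(null, null, clientTrust)); // server demands a client cert; client has none
        } catch (Exception e) {
            System.out.println("3) server rejected a client with no KeyManager: " + e);
        }
        // The same file now serves as the client's key store, and the server's trust store
        // (client-truststore.p12) already holds that certificate, so mutual TLS succeeds.
        System.out.println("4) mutual TLS: " + handshake(server, true, context(serverKeys, pw, clientTrust)));
    }
}
```

Case 3 is the one to note when debugging mutual TLS: depending on the protocol version the failure may be reported by the client's startHandshake() or only by the server side, which is why the helper also waits on the server's Future before declaring success.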

The keystore is used by a server to store private keys, and the truststore is used by a third-party client to store the public keys provided by the server for access. I have done that in my production application. Below are the steps for generating Java certificates for SSL communication:

  1. Generate a certificate using the keygen command in Windows:

keytool -genkey -keystore server.keystore -alias mycert -keyalg RSA -keysize 2048 -validity 3950

  2. Self-certify the certificate:

keytool -selfcert -alias mycert -keystore server.keystore -validity 3950

  3. Export the certificate to a folder:

keytool -export -alias mycert -keystore server.keystore -rfc -file mycert.cer

  4. Import the certificate into the client truststore:

keytool -importcert -alias mycert -file mycert.cer -keystore truststore

There is no difference between keystore and truststore files. Both are files in the proprietary JKS file format. The distinction is in the use: to the best of my knowledge, Java will only use the store that is referenced by the -Djavax.net.ssl.trustStore system property to look for certificates to trust when creating SSL connections. Same for keys and -Djavax.net.ssl.keyStore. But in theory it's fine to use one and the same file for trust- and keystores.
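The keytool steps two answers up and the "no difference between the files" point just above can be checked with the KeyStore API directly. The Java program below is an added example, not code from either answer: it opens the server.keystore produced by the -genkey/-selfcert steps (the alias mycert is from that answer; the password changeit is an assumption), reports what kind of entry each alias is, exports the certificate as PEM the way -export -rfc does, imports only that certificate into a fresh store the way -importcert does, and then reports the new store's entries. Both files go through the same KeyStore class; what differs is whether the entries carry a private key, and only a store with such entries can back a KeyManager.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;

/*
 * Added example, not from the original answers. Assumes server.keystore was created by the
 * keytool -genkey / -selfcert steps above with alias "mycert"; the password "changeit" is an
 * assumption. Writes mycert.cer and truststore.p12 next to it. Needs JDK 11+ (Path.of, writeString).
 */
public class StoreContents {

    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // PKCS12; JKS is read via compat mode on JDK 9+
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // What each alias is good for: a key entry feeds a KeyManager, a certificate entry a TrustManager.
    static Map<String, String> entryKinds(KeyStore ks) throws Exception {
        Map<String, String> kinds = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            kinds.put(alias, ks.isKeyEntry(alias) ? "key entry (key store material)"
                                                  : "trustedCertEntry (trust store material)");
        }
        return kinds;
    }

    // Equivalent of keytool -export -rfc: only the certificate leaves the store, never the private key.
    static String exportPem(KeyStore ks, String alias) throws Exception {
        Certificate cert = ks.getCertificate(alias); // for a key entry: first certificate of its chain
        Base64.Encoder pem = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
        return "-----BEGIN CERTIFICATE-----\n" + pem.encodeToString(cert.getEncoded()) + "\n-----END CERTIFICATE-----\n";
    }

    // Equivalent of keytool -importcert into a new store: the result is a trusted-certificate entry.
    static KeyStore importAsTrusted(Certificate cert, String alias) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null);                  // start empty
        trust.setCertificateEntry(alias, cert);
        return trust;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        KeyStore server = load(Path.of("server.keystore"), pw);
        System.out.println("server.keystore: " + entryKinds(server));

        X509Certificate cert = (X509Certificate) server.getCertificate("mycert");
        Files.writeString(Path.of("mycert.cer"), exportPem(server, "mycert"));
        System.out.println("exported " + cert.getSubjectX500Principal() + ", self-signed="
                + cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal()));

        try (OutputStream out = Files.newOutputStream(Path.of("truststore.p12"))) {
            importAsTrusted(cert, "mycert").store(out, pw); // password guards integrity only: nothing secret inside
        }
        System.out.println("truststore.p12: " + entryKinds(load(Path.of("truststore.p12"), pw)));
        // Same KeyStore class, same load() call for both files; the entry types are the only
        // difference, and only the first file can back a KeyManager.
    }
}
```

Running it after the keytool steps prints one key entry for server.keystore and one trustedCertEntry for truststore.p12, which is exactly what `keytool -list` would show for each file.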

These are the steps to create a truststore on your local machine using keytool, for a given URL.

1) Hit the URL in the browser using Chrome.

2) Check for the "i" icon to the left of the URL in Chrome and click it.

3) Check for the certificate option and click it; a dialog box will open.

4) Check the "certificate path" tab for the number of certificates available to create the truststore.

5) Go to the "details" tab -> click "Copy to File" -> give the path and the name for the certificate you want to create.

6) Check if it has parent certificates and follow point "5".

7) After all the certificates have been created, open Command Prompt and navigate to the path where you created the certificates.

8) Provide the below keytool command to add the certificates and create a truststore.

Sample:
   keytool -import -alias abcdefg -file abcdefg.cer -keystore cacerts
        where "abcdefg" is the alias name, "abcdefg.cer" is the actual certificate name and "cacerts" is the truststore name

9) Provide the keytool command for all the certificates and add them to the trust store.

    keytool -list -v -keystore cacerts
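The manual procedure above (export each certificate from the browser, check for parent certificates, import them one by one) can be automated and, more importantly, verified before anything is trusted. The Java program below is an added example, not part of the answer: it reads the exported .cer files (DER or Base64, both accepted by CertificateFactory), orders them leaf to root by issuer name, checks that each certificate was really signed by its parent and that the parent is a CA, prints the SHA-256 fingerprint of the root so it can be compared with what the browser displayed, and stores only that root as the trust anchor. It writes a separate truststore.p12 (password changeit, an assumption) rather than modifying the JDK's own cacerts, so the trust decision lives with the application instead of the JDK installation. The file names on the command line are assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/*
 * Added example, not from the original answer. Usage (file names are assumptions):
 *   java ChainToTrustStore leaf.cer intermediate.cer root.cer
 * Reads the certificates the browser exported, verifies that they form a chain,
 * and writes truststore.p12 containing the root only.
 */
public class ChainToTrustStore {

    // CertificateFactory accepts both DER and Base64 ("Copy to File" offers both).
    static X509Certificate read(Path file) throws Exception {
        try (InputStream in = Files.newInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    // Orders leaf -> root by following issuer names and verifies each signature with the
    // parent's public key, so a file that merely claims to be the parent is rejected.
    static List<X509Certificate> orderAndVerify(List<X509Certificate> certs) throws Exception {
        Map<X500Principal, X509Certificate> bySubject = new HashMap<>();
        Set<X500Principal> issuers = new HashSet<>();
        for (X509Certificate c : certs) {
            bySubject.put(c.getSubjectX500Principal(), c);
            if (!isSelfSigned(c)) issuers.add(c.getIssuerX500Principal());
        }
        // The leaf is the one certificate that issued none of the others.
        X509Certificate current = certs.stream()
                .filter(c -> !issuers.contains(c.getSubjectX500Principal()))
                .findFirst()
                .orElseThrow(() -> new IllegalArgumentException("no leaf certificate found"));
        List<X509Certificate> chain = new ArrayList<>();
        while (true) {
            current.checkValidity();                    // expired or not-yet-valid certificates throw here
            chain.add(current);
            if (isSelfSigned(current)) {
                current.verify(current.getPublicKey()); // a root must at least be consistent with itself
                return chain;
            }
            X509Certificate parent = bySubject.get(current.getIssuerX500Principal());
            if (parent == null) {
                throw new IllegalArgumentException("parent not exported: " + current.getIssuerX500Principal());
            }
            if (parent.getBasicConstraints() < 0) {
                throw new IllegalArgumentException("not a CA certificate: " + parent.getSubjectX500Principal());
            }
            current.verify(parent.getPublicKey());      // SignatureException if the files do not belong together
            current = parent;
        }
    }

    // Compare this with the fingerprint the browser displays before trusting the file.
    static String sha256Fingerprint(X509Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        for (String name : args) certs.add(read(Path.of(name)));
        List<X509Certificate> chain = orderAndVerify(certs);
        for (X509Certificate c : chain) System.out.println("  " + c.getSubjectX500Principal());

        // Anchor trust at the root, not the leaf: the leaf is renewed regularly, and a trust
        // store pinned to it breaks at the next renewal. For a self-signed server the two coincide.
        X509Certificate anchor = chain.get(chain.size() - 1);
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null);
        trust.setCertificateEntry("root", anchor);
        try (OutputStream out = Files.newOutputStream(Path.of("truststore.p12"))) {
            trust.store(out, "changeit".toCharArray());  // assumption; the password protects integrity only
        }
        System.out.println("truststore.p12 anchored at " + anchor.getSubjectX500Principal()
                + " SHA-256 " + sha256Fingerprint(anchor));
    }
}
```

Point the application at the result with -Djavax.net.ssl.trustStore=truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit; because the root is the anchor, the server's leaf certificate can be renewed without touching the store, which is not true of a store built by importing the leaf alone.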

The keystore simply stores private keys, whereas the truststore stores public keys. You will want to generate a Java certificate for SSL communication. You can use a keygen command in Windows; this will probably be the easiest solution.


Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original URL. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM