Mutual SSL - getting the key/truststores in the proper formats
I generated a CSR using OpenSSL:
openssl req -out MyCompanyCsr.csr -new -newkey rsa:2048 -nodes -keyout MyCompanyPrivateKey.key
So starting out, we have:
- MyCompanyPrivateKey.key
- MyCompanyCsr.csr
Then I sent it to our integration partner, who responded with 3 files:
- PartnerIntermediateCa.crt
- PartnerRootCa.crt
- MyCompanyCsr.crt
Now I need to connect to their web service using mutual SSL. To do this, I know I need to set the truststore and keystore in my SSLSocketFactory for JAXB.
I'm instantiating the keystore and truststore in Java using:
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

// Truststore: the partner's CA certificates only (no private keys).
// Note: if the resource is not found, the stream is null and load(null, ...)
// silently creates an EMPTY keystore instead of failing.
KeyStore trustStore = KeyStore.getInstance("JKS");
InputStream tsis = ClassLoader.getSystemResourceAsStream(trustStorePath);
trustStore.load(tsis, "mypassword".toCharArray());
if (tsis != null) {
    tsis.close();
}
// Keystore: our private key plus the certificate chain issued to us.
KeyStore keyStore = KeyStore.getInstance("JKS");
InputStream ksis = ClassLoader.getSystemResourceAsStream(keyStorePath);
keyStore.load(ksis, "mypassword".toCharArray());
if (ksis != null) {
    ksis.close();
}
TrustManagerFactory tmf =
    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
KeyManagerFactory kmf =
    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keyStore, "mypassword".toCharArray());
However, attempting to use this code in connecting to the server throws an SSLHandshakeException with the message http.client.failed:
com.sun.xml.ws.client.ClientTransportException: HTTP transport error:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
The keystore and truststore I'm using were exported from my browser, with the Client private key as a PKCS and the Server cert as an 'x509 Cert PKCS#7 w/ Chain'. Then opened them up in Portecle and exported them both as JKS files.
Assuming the Java code is legit, how can I be sure I have correctly created the keystore and truststore?
Thanks very much.
I finally figured this out. I used FireFox and Portecle.
Install the Server Certs and Private Key in the browser.
Note: One always confusing point: both the "truststore" and "keystore" are keystores as far as Portecle / Java goes. The only difference is the one we use as our keystore in the client is going to have our private keys in addition to the public certs.
TrustStore built with the server certificates:
Save somewhere as ffTestServerCert.crt
Open in Portecle via: Examine menu > Examine Certificate > select ffTestServerCert.crt
Save as .pem file on disk (for this example, say I have caCert1.pem, caCert2.pem, caCert3.pem)
Create new Keystore in Portecle: File > New Keystore > JKS
Repeat for any other certs you want to import (I did all 3).
Save keystore in Portecle.
Congrats, that's the valid truststore.
KeyStore built with the private key and server certificates:
Should say they were exported, click Ok
Open keys in Portecle
Enter password chosen above
Convert to JKS using Portecle
password. Hit Ok
Save keystore.
Finished
Now you have the correctly-configured clientTrustStore.jks and clientKeyStore.jks for authenticating your client.
To see an example of how these can now be used, you can check out: SOAP with mutual SSL - how to send over credentials?
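A check for the question's "how can I be sure" point, added here as an example that is not from the original post or answer: it loads the two JKS files the answer produces, confirms the keystore has a private key entry, and validates that entry's chain against the CA certificates in the truststore using Java's PKIX validator. The file names, alias handling and password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

public class MutualSslStoreCheck {
    // Assumed password and file names; adjust to match your own stores.
    static final char[] PASSWORD = "mypassword".toCharArray();

    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        // FileInputStream throws if the file is missing; load(null, ...) would
        // silently give an empty store, one common cause of handshake_failure.
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyStore keyStore = load("clientKeyStore.jks");
        KeyStore trustStore = load("clientTrustStore.jks");

        // 1. The keystore needs a private key entry: the default X509KeyManager offers
        //    only key entries (never plain certificate entries) to the server.
        String keyAlias = null;
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (keyStore.isKeyEntry(alias)) { keyAlias = alias; break; }
        }
        if (keyAlias == null) throw new IllegalStateException("no private key entry in keystore");

        // 2. The entry's chain (MyCompanyCsr.crt, then PartnerIntermediateCa.crt) must
        //    validate against the trust anchors in the truststore. A self-signed root
        //    is dropped from the path because the anchors come from the truststore.
        List<Certificate> path = new ArrayList<>();
        for (Certificate c : keyStore.getCertificateChain(keyAlias)) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("chain: " + x.getSubjectX500Principal());
            if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) path.add(x);
        }
        PKIXParameters params = new PKIXParameters(trustStore); // trusted-cert entries become anchors
        params.setRevocationEnabled(false);                     // offline check, no CRL/OCSP
        CertPathValidator.getInstance("PKIX")
            .validate(CertificateFactory.getInstance("X.509").generateCertPath(path), params);
        System.out.println("OK: '" + keyAlias + "' chains to a CA in the truststore");
    }
}
```

If the validator throws, the message names the failing link (untrusted issuer, expired cert, missing intermediate), which is far more useful than the bare handshake_failure alert the server sends back.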