
Does the Java runtime require the use of a Keystore for SSL certificates?

I would like to understand the Java runtime's requirements for SSL certificate storage in general. I understand that certificates can be copied to the host's /etc/ssl/certs folder, but for Java, do they need to be imported into a specific Keystore for the runtime to be able to use them in any SSL verification performed by the application? E.g. if I have a JRE client that requires packaging of root/intermediate certificates to make web client calls internally to site1.foo.com, I will need the root and intermediate certificates, depending on the chain, to verify the request.

With various other runtime environments, it seems I can just place them in the /etc/ssl/certs folder:

  • NodeJS => How to add custom certificate authority (CA) to nodejs

  • Go => Where is Golang picking up root CAs from?

However, presumably for use in Java, I need to go an extra step and use keytool to import them into a specific Keystore? Presumably it can't just pick them up from a common directory as above? I hope my question makes sense.

In Java, collections of certificates are usually accessed through a KeyStore interface.

As remarked in the comments, the default SSLContext will read the certificates from a PKCS12 (or JKS) file located at $JRE_HOME/lib/security/cacerts.

However, that is not the only possibility, and you don't have to call keytool to add trusted certificates:

  • on Debianoids you can use -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts (cf. this question) to use the PKCS12 file provided by the ca-certificates-java package. It is updated whenever you call update-ca-certificates. Therefore you just need to add a *.crt file in /usr/local/share/ca-certificates and run update-ca-certificates.

  • if you don't use the default SSLContext, you can init it with a different TrustManager (cf. this question). That's how Tomcat 8.5+ loads certificates in PEM format.

Unfortunately, there is no implementation of KeyStore that reads certificates from a directory, but one can easily be written.

Edit: On Debianoids the packaged JREs already use /etc/ssl/java/cacerts, so no further configuration is needed.
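The second bullet and the closing remark above describe exactly what the JDK does not ship: a trust store populated from a directory of PEM files rather than from a keytool-managed cacerts file. The following is an added example (not code from the question, the answer, or any project mentioned on this page) of how to do that with nothing but the standard library: every *.pem / *.crt file in a directory is parsed with CertificateFactory, placed in an in-memory PKCS12 KeyStore, and that KeyStore is fed to a TrustManagerFactory to build an SSLContext. The directory /etc/ssl/certs and the host site1.foo.com are taken from the question and are assumptions; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example (not from the original post): build a trust store from a directory
 * of PEM-encoded certificates instead of a keytool-managed cacerts file.
 * Assumes a directory such as /etc/ssl/certs that contains *.pem or *.crt
 * files (a single file may hold a whole bundle).
 */
public final class DirectoryTrustStore {

    private DirectoryTrustStore() {}

    /** Loads every *.pem / *.crt file in dir into an in-memory PKCS12 KeyStore. */
    public static KeyStore load(Path dir) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // null stream = create an empty, in-memory store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.{pem,crt}")) {
            for (Path file : files) {
                if (!Files.isRegularFile(file)) {
                    continue; // skips dangling symlinks; symlinks to real files are followed
                }
                try (InputStream in = Files.newInputStream(file)) {
                    // generateCertificates reads every PEM block in the file, so bundles work too.
                    Collection<? extends Certificate> certs = cf.generateCertificates(in);
                    int i = 0;
                    for (Certificate c : certs) {
                        // Aliases must be unique per entry; file name plus index is enough here.
                        ks.setCertificateEntry(file.getFileName() + "#" + (i++), c);
                    }
                } catch (CertificateException e) {
                    // Not a certificate (stray README, truncated file): skip rather than abort.
                    System.err.println("skipping " + file + ": " + e.getMessage());
                }
            }
        }
        return ks;
    }

    /** Wraps the directory-backed KeyStore in an SSLContext using the default (PKIX) TrustManager. */
    public static SSLContext sslContext(Path dir) throws IOException, GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(dir));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Paths.get(args.length > 0 ? args[0] : "/etc/ssl/certs");
        SSLContext ctx = sslContext(dir);
        System.out.println("trust anchors loaded from " + dir + ": " + load(dir).size());

        // Use the context for a single connection without touching the JVM-wide default.
        // Host taken from the question; replace with a reachable server to actually run this.
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://site1.foo.com/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());

        // Alternatively make it the default for every client in the process:
        // SSLContext.setDefault(ctx);
    }
}
```

Two practical notes: the resulting store only contains what is in the directory, so the JDK's bundled public roots are not trusted unless that directory also contains them (on Debian/Ubuntu /etc/ssl/certs does, which is what makes this equivalent to the /etc/ssl/certs/java/cacerts route); and because the KeyStore is built at startup, a certificate added later by update-ca-certificates is only seen after the application rebuilds the SSLContext, whereas the -Djavax.net.ssl.trustStore approach is likewise read once at JVM start.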

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM