![](/img/trans.png)
[英]Java client not picking root/intermediate certificates from Windows Trust Store
[英]Correct way to import root and intermediate certificates in Java cacerts
我公司有自己的ROOT
证书。 他们使用此证书签署了intermediate
证书。
然后我们为server
证书颁发 CSR 并使用intermediate
证书对其进行签名。
在Java cacerts文件中导入ROOT
证书和intermediate
的正确方法是什么,以便能够与具有intermediate
签名的server
证书的服务器建立SSL连接?
我使用 OpenSSL 来测试服务器上的证书链:
openssl s_client -showcerts -connect host:443
CONNECTED(00000003)
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
issuer=/CN=INTERMEDIATECERT
---
No client certificate CA names sent
---
SSL handshake has read 1601 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
您只需要在信任库中导入根证书。
keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit -alias aliasName -file path/to/certificate.cer
握手期间的 SSL 服务器应提供证书和中间件。 您客户端的 TrustManager 将验证认证链,直到找到根
注意:建议使用自己的truststore,不要修改cacerts
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.