Correct way to import root and intermediate certificates in Java cacerts
Question
My company has its own ROOT certificate. Using this certificate they signed an intermediate certificate.
Then we issued a CSR for the server certificate and signed it with the intermediate certificate.
What is a correct way to import the ROOT certificate and the intermediate in the Java cacerts file, in order to be able to establish an SSL connection with the server which has a server certificate signed by the intermediate?
I used OpenSSL to test the certificate chain on the server:
openssl s_client -showcerts -connect host:443
CONNECTED(00000003)
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
issuer=/CN=INTERMEDIATECERT
---
No client certificate CA names sent
---
SSL handshake has read 1601 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Recommended answer
You only need to import the root certificate in the truststore.
keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit -alias aliasName -file path/to/certificate.cer
The SSL server during handshake should provide the certificate and the intermediates. The TrustManager of your client will validate the certification chain until root is found.
Note: It is recommended to use your own truststore instead of modifying cacerts.
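The recommendation in the note, as an added example that is not part of the original answer: a Java client that trusts only the company root from its own in-memory truststore, leaves cacerts untouched, and reports the case where the server does not send the intermediate. The class name `RootOnlyTrust`, the alias `company-root` and the command-line arguments are assumptions; Java 11 or later is assumed.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class RootOnlyTrust {
    // Build an SSLContext whose only trust anchor is the given root certificate (PEM or DER).
    static SSLContext contextTrusting(Path rootCert) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // empty in-memory store; the JRE's cacerts is not read or modified
        try (InputStream in = Files.newInputStream(rootCert)) {
            Certificate root = CertificateFactory.getInstance("X.509").generateCertificate(in);
            ts.setCertificateEntry("company-root", root); // alias is a hypothetical name
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage (hypothetical arguments): java RootOnlyTrust.java path/to/root.cer host 443
    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextTrusting(Path.of(args[0]));
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[1], Integer.parseInt(args[2]))) {
            // A raw SSLSocket does not check the host name unless asked to.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            // Peer chain: the server certificate first, then the issuing CA certificates.
            for (Certificate c : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println(x.getSubjectX500Principal() + " <- " + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // Typical when the server sends only its own certificate: no path to the root.
            System.err.println("Handshake failed: " + e.getMessage());
            System.err.println("Check that the server sends the intermediate with its certificate.");
        }
    }
}
```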