Python中文网

一个关于 编程问题的解答网站.

有 Java 编程相关的问题?

你可以在下面搜索框中键入要查询的问题!

ssl是在Java cacerts中导入根证书和中间证书的正确方法

3 周,4 日 Questions & Answers

我的公司有自己的ROOT证书。他们使用这个证书签署了intermediate证书

然后我们为server证书颁发了CSR,并用intermediate证书对其进行了签名

在Java cacerts文件中导入ROOT证书和intermediate的正确方法是什么,以便能够与具有server证书的服务器建立SSL连接,该证书由intermediate签名

我使用OpenSSL在服务器上测试证书链:

openssl s_client -showcerts -connect host:443

CONNECTED(00000003)
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
   i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
issuer=/CN=INTERMEDIATECERT
---
No client certificate CA names sent
---
SSL handshake has read 1601 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA

共 (1) 个答案

  1. # 1 楼答案

    您只需要在信任库中导入根证书

     keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit  -alias aliasName -file path/to/certificate.cer

    握手期间的SSL服务器应提供证书和中间层。客户的TrustManager将验证证书链,直到找到根

    注意:建议使用您自己的信任库,而不是修改cacerts