java - 创建java识别的证书链的过程

Question

tl;dr - 获取 KeyStore Explorer (http://keystore-explorer.org/) 并为自己省去一个麻烦。
p.s. - keystore 别名设置对某些 java 应用程序非常重要(例如:iDempiere 在其 Jetty 提供者 ssl 配置中(.../jettyhome/etc/jetty-ssl-context.xml)。在这些情况下，必须确保别名java 正在寻找的证书与它实际用于查找它的别名相匹配。
OP
我需要在 Java 应用程序中使用私有(private) CA 及其证书。我无法发现如何将私有(private) CA 根证书及其中间证书添加到 Java 受信任证书中。我已经找到并阅读了多篇关于如何做到这一点的文章，但我的努力无法完成我所需要的。
我正在使用 OpenJDK11。 java cacerts fie 位于 /usr/local/openjdk11/lib/security/cacerts .我相信这包含 Java 使用的可信证书列表。
我已手动将私有(private) CA 根证书和中间证书添加到此存储:

cp -p /usr/local/openjdk11/lib/security/cacerts /usr/local/openjdk11/lib/security/cacerts.cln
cp -p /usr/local/openjdk11/lib/security/cacerts /root/hll_jdk11_cacerts

JAVA_VERSION="11" keytool -import   \
  -trustcacerts   \
  -file /usr/local/etc/pki/tls/certs/CA_HLL_ROOT_2016.crt  \
  -alias 'hartelyneroot2016 [hll]'  \
  -keystore /root/hll_jdk11_cacerts

JAVA_VERSION="11" keytool -import  \
   -trustcacerts  \
   -file /usr/local/etc/pki/tls/certs/CA_HLL_ISSUER_2016.crt \
   -alias 'hartelyneissuer2016 [hll]'  \
   -keystore /root/hll_jdk11_cacerts

JAVA_VERSION="11" keytool -list  -rfc  -keystore /root/hll_jdk11_cacerts | grep hll
Enter keystore password:  changeit
Alias name: hartelyneissuer2016 [hll]
Alias name: hartelyneroot2016 [hll]

cp -p /root/hll_jdk11_cacerts /usr/local/openjdk11/lib/security/cacerts

据我所知，CA_HLL_ISSUER_2016 和 CA_HLL_ROOT_2016 颁发的证书现在应该被此主机上的 java 识别为信任。但是，他们不是。我需要找出原因。

JAVA_VERSION="11" java SSLPoke google.ca 443
Successfully connected

JAVA_VERSION="11" java SSLPoke webmail.harte-lyne.ca 443
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchor

但我对 openssl s_client 没有任何问题:

openssl s_client -connect webmail.harte-lyne.ca:443
CONNECTED(00000003)
depth=2 CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
verify return:1
depth=1 CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
verify return:1
depth=0 CN = webmail.hamilton.harte-lyne.ca, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = hamilton, DC = harte-lyne, DC = ca
verify return:1
---
Certificate chain
 0 s:CN = webmail.hamilton.harte-lyne.ca, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = hamilton, DC = harte-lyne, DC = ca
   i:CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
 1 s:CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
   i:CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
 2 s:CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
   i:CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
---
Server certificate
-----BEGIN CERTIFICATE-----

. . .

---
Acceptable client certificate CA names
. . .
CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
. . .
CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
. . .

我在这里想念什么？如何将私有(private) CA 添加到 Java 信任库？
按照答案中给出的建议，我按照给定的顺序完全做到了这一点:

openssl s_client -connect webmail.harte-lyne.ca:443 -showcerts > harte.crt

JAVA_VERSION="11" keytool -import -alias harte -file harte.crt -keystore cacerts -storepass changeit
. . .
Trust this certificate? [no]:  yes
Certificate was added to keystore

JAVA_VERSION="11" java  SSLPoke webmail.harte-lyne.ca 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

我在 OpenJDK 中遇到错误？

Answer 1

我了解到您希望对某些 HTTPS 调用执行客户端证书身份验证。信任证书是不够的。您需要使用已使用此 CA 签名的 key 对才能成功进行 HTTPS 握手。
尝试这样的事情

String keyPassphrase = "";

KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(new FileInputStream("cert-key-pair.pfx"), keyPassphrase.toCharArray());

SSLContext sslContext = SSLContexts.custom()
        .loadKeyMaterial(keyStore, null)
        .build();

HttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).build();
HttpResponse response = httpClient.execute(new HttpGet("https://example.com"));