
java - Process for creating a certificate chain that Java recognizes

Reposted. Author: 行者123. Updated: 2023-12-04 22:42:32

tl;dr - get KeyStore Explorer (http://keystore-explorer.org/) and save yourself a lot of trouble.
p.s. - The keystore alias setting matters a great deal for some Java applications (for example iDempiere, in its Jetty provider SSL configuration (.../jettyhome/etc/jetty-ssl-context.xml)). In those cases one must ensure that the alias of the certificate Java is looking for matches the alias it actually uses to look it up.
OP
I need to use a private CA and its certificates in a Java application. I have not been able to discover how to add the private CA root certificate and its intermediate certificate to Java's trusted certificates. I have found and read several articles on how to do this, but my efforts have not accomplished what I need.
I am using OpenJDK11. The java cacerts file is located at /usr/local/openjdk11/lib/security/cacerts. I believe this contains the list of trusted certificates that Java uses.
I manually added the private CA root and intermediate certificates to this store:

cp -p /usr/local/openjdk11/lib/security/cacerts /usr/local/openjdk11/lib/security/cacerts.cln
cp -p /usr/local/openjdk11/lib/security/cacerts /root/hll_jdk11_cacerts

JAVA_VERSION="11" keytool -import \
-trustcacerts \
-file /usr/local/etc/pki/tls/certs/CA_HLL_ROOT_2016.crt \
-alias 'hartelyneroot2016 [hll]' \
-keystore /root/hll_jdk11_cacerts

JAVA_VERSION="11" keytool -import \
-trustcacerts \
-file /usr/local/etc/pki/tls/certs/CA_HLL_ISSUER_2016.crt \
-alias 'hartelyneissuer2016 [hll]' \
-keystore /root/hll_jdk11_cacerts

JAVA_VERSION="11" keytool -list -rfc -keystore /root/hll_jdk11_cacerts | grep hll
Enter keystore password: changeit
Alias name: hartelyneissuer2016 [hll]
Alias name: hartelyneroot2016 [hll]

cp -p /root/hll_jdk11_cacerts /usr/local/openjdk11/lib/security/cacerts
As far as I can tell, certificates issued by CA_HLL_ISSUER_2016 and CA_HLL_ROOT_2016 should now be recognized as trusted by java on this host. But they are not. I need to find out why.
JAVA_VERSION="11" java SSLPoke google.ca 443
Successfully connected

JAVA_VERSION="11" java SSLPoke webmail.harte-lyne.ca 443
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchor
But I have no problem at all with openssl s_client:
openssl s_client -connect webmail.harte-lyne.ca:443
CONNECTED(00000003)
depth=2 CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
verify return:1
depth=1 CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
verify return:1
depth=0 CN = webmail.hamilton.harte-lyne.ca, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = hamilton, DC = harte-lyne, DC = ca
verify return:1
---
Certificate chain
0 s:CN = webmail.hamilton.harte-lyne.ca, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = hamilton, DC = harte-lyne, DC = ca
i:CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
1 s:CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
i:CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
2 s:CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
i:CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
---
Server certificate
-----BEGIN CERTIFICATE-----
. . .
---
Acceptable client certificate CA names
. . .
CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
. . .
CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
. . .
What am I missing here? How do I add a private CA to the Java truststore?
Following the advice given in the answer, I did exactly this, in the order given:
openssl s_client -connect webmail.harte-lyne.ca:443 -showcerts > harte.crt

JAVA_VERSION="11" keytool -import -alias harte -file harte.crt -keystore cacerts -storepass changeit
. . .
Trust this certificate? [no]: yes
Certificate was added to keystore

JAVA_VERSION="11" java SSLPoke webmail.harte-lyne.ca 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Am I hitting a bug in OpenJDK?
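As an added example (not from the original question or answer): a small Java diagnostic that validates a server's chain against a chosen truststore with the same PKIX engine Java's TLS stack uses, and reports which trusted entry the chain ends at, or the same "Path does not chain with any of the trust anchors" failure SSLPoke hides behind a one-liner. It assumes the chain is saved leaf-first in a PEM file (the saved -showcerts output works unchanged) and takes the truststore password as an optional argument; the class name ChainCheck is mine.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;
/** Usage: java ChainCheck chain.pem /path/to/cacerts [storepass]   (chain.pem: leaf first). */
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String storePass = args.length > 2 ? args[2] : "changeit";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Read every PEM block; text between blocks (the s:/i: lines of -showcerts) is skipped.
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        // getInstance(File, char[]) probes the format, so JKS and PKCS12 cacerts both load.
        KeyStore ts = KeyStore.getInstance(new File(args[1]), storePass.toCharArray());

        // Like JSSE's PKIXValidator, cut the chain at the first certificate that is itself a
        // trusted entry: a trusted intermediate is enough, and a root only counts if it is in
        // the store, not because the server sent it.
        int cut = chain.size();
        for (int i = 0; i < chain.size(); i++) {
            if (ts.getCertificateAlias(chain.get(i)) != null) { cut = i; break; }
        }
        if (cut == 0) {
            System.out.println("OK: leaf itself is trusted entry " + ts.getCertificateAlias(chain.get(0)));
            return;
        }
        List<X509Certificate> path = chain.subList(0, cut); // anchor must not be part of the path

        // PKIXParameters(KeyStore) turns each trusted-certificate entry into a TrustAnchor.
        PKIXParameters params = new PKIXParameters(ts);
        params.setRevocationEnabled(false); // offline diagnostic; production code leaves this on
        try {
            PKIXCertPathValidatorResult res = (PKIXCertPathValidatorResult) CertPathValidator
                    .getInstance("PKIX").validate(cf.generateCertPath(path), params);
            X509Certificate anchor = res.getTrustAnchor().getTrustedCert();
            System.out.println("OK: chains to trusted entry '" + ts.getCertificateAlias(anchor)
                    + "' " + anchor.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // e.g. reason NO_TRUST_ANCHOR, "Path does not chain with any of the trust anchors"
            System.out.println("FAIL at index " + e.getIndex() + " (" + e.getReason() + "): "
                    + e.getMessage());
        }
    }
}
```

Running it once against the JDK's live cacerts and once against the edited copy shows immediately whether the import landed in the file Java actually reads, which is the first thing to rule out when keytool -list shows the aliases but SSLPoke still fails.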

Best answer

I understand that you want to perform client-certificate authentication for some HTTPS calls. Trusting the certificate is not enough. You need to use a key pair that has been signed with this CA for the HTTPS handshake to succeed.
Try something like this

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;   // Apache HttpClient 4.4+
String keyPassphrase = "";

// PKCS#12 file holding the client certificate and its private key
KeyStore keyStore = KeyStore.getInstance("PKCS12");
try (FileInputStream in = new FileInputStream("cert-key-pair.pfx")) {
    keyStore.load(in, keyPassphrase.toCharArray());
}

// loadKeyMaterial takes the private-key password; pass it rather than null
SSLContext sslContext = SSLContexts.custom()
        .loadKeyMaterial(keyStore, keyPassphrase.toCharArray())
        .build();

HttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).build();
HttpResponse response = httpClient.execute(new HttpGet("https://example.com"));

On "java - Process for creating a certificate chain that Java recognizes", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/65363256/
