What is the difference between javax.net.ssl.keyStore and server.ssl.key-store properties when specifying keystore for a SpringBoot app


Problem description

  1. Can I specify keystore using either of these properties - the Java-specific javax.net.ssl.keyStore or the spring boot specific server.ssl.key-store. Any differences? I would like to use the keystore for serving my app using https as well as mutual client authentication with some REST services

Can the SpringBoot application be served using https if the keystore is not specified as a property or jvm argument, rather is read at the startup using custom code? Or does the keystore specification have to come before that if the app has to be served using https?

Recommended answer

Those two properties have complementary roles:

  • javax.net.ssl.keyStore is a system property used by the Java security providers to configure the default SSLContext. Most SSL clients use the default SSLContext.

You don't need to pass this property as -D argument to the JVM, you can set it programmatically at a very early stage of your application startup, but I would advise against it: since your application may not be the only application in the JVM (e.g. you run it as a WAR archive), you will influence the behavior of other applications. Use a non-default SSLContext instead.

server.ssl.keyStore is a Spring property to configure the server socket of the embedded servlet container. It can come from many different sources.

While in theory a servlet container can use the default SSLContext and retrieve its certificate from the default KeyManager (which loads its keys from the keystore specified through javax.net.ssl.keyStore), I don't know any servlet container that would actually do it.

Usually the certificate used as SSL client is not the same as the one used as SSL server.
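
An added example, not part of the original answer: one way to follow the advice to use a non-default SSLContext for outbound client authentication, while the server certificate stays in the Spring `server.ssl.key-store` property. The class name, the keystore path argument and the `CLIENT_KS_PASSWORD` environment variable are assumptions for illustration.

```java
import java.io.InputStream;
import java.net.http.HttpClient;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Objects;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class ClientTlsContext {

    /** Builds an SSLContext that presents the client certificate held in a PKCS#12 file. */
    static SSLContext fromKeyStore(Path p12, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(p12)) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);

        SSLContext context = SSLContext.getInstance("TLS");
        // null trust managers and null SecureRandom select the JDK defaults, so the
        // remote server's certificate is still validated against the default trust store.
        context.init(kmf.getKeyManagers(), null, null);
        return context;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: keystore path in args[0], password in CLIENT_KS_PASSWORD.
        Path p12 = Path.of(args[0]);
        char[] password = Objects.requireNonNull(
                System.getenv("CLIENT_KS_PASSWORD"), "CLIENT_KS_PASSWORD not set").toCharArray();

        SSLContext clientContext = fromKeyStore(p12, password);

        // Only this client presents the certificate; other code in the JVM that
        // relies on the default SSLContext is unaffected.
        HttpClient client = HttpClient.newBuilder().sslContext(clientContext).build();

        System.out.println("javax.net.ssl.keyStore set: "
                + (System.getProperty("javax.net.ssl.keyStore") != null));
        System.out.println("default SSLContext replaced: "
                + (SSLContext.getDefault() == clientContext));
        System.out.println("client built: " + client);
    }
}
```

Reading the password from the environment keeps it out of the JVM command line, where a `-Djavax.net.ssl.keyStorePassword=...` argument would be visible in the process list.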
