使用Java标准密钥库是不好的做法 [英] Is it a bad practice to use Java standard keystore

问题描述

我们一直使用java标准密钥库（ $ JAVA_HOME / jre / lib / security / cacerts ）作为tomcat的可信存储。并且该tomcat服务器将与其他服务器通信。最近的操作系统（AIX）升级显然在 $ JAVA_HOME / jre / lib / security / cacerts 中覆盖了该文件，这导致了托管应用程序的证书丢失和许多问题在tomcat。

We had been using java standard keystore ($JAVA_HOME/jre/lib/security/cacerts) as the trusted store for tomcat. And that tomcat server would communicate with some other server. A recent OS(AIX) upgrade apparently over-wrote the file at $JAVA_HOME/jre/lib/security/cacerts and that resulted in lost certificates and lot of issues with application hosted in tomcat.

看看这是一个不好的做法，转发$ JAVA_HOME / jre / lib / security / cacerts？
解决这种情况的替代（更好的|标准）方法是什么？

Looking at this is it a bad practice to relay up on $JAVA_HOME/jre/lib/security/cacerts ? What are the alternate (better|standard) ways to tackle this scenario?

推荐答案

就什么在 cacerts 文件，它不一定比依赖操作系统或浏览器中安装的默认CA证书更糟糕，但这并不意味着它很棒。

In terms of what is in the cacerts file, it's not necessarily worse practice than relying on the default CA certificates installed in your OS or your browser, but that doesn't mean it's great.

Sun / Oracle在 JSSE参考指南：

Sun/Oracle have a little "important note" somewhere in the middle of the JSSE Reference Guide about this:

重要说明：JDK在/ lib / security / cacerts文件中附带有限数量的受信任的根
证书。由于keytool中记录了
，如果您将此
文件用作信任库，则您有责任维护（即
添加/删除）此文件中包含的证书。

IMPORTANT NOTE: The JDK ships with a limited number of trusted root certificates in the /lib/security/cacerts file. As documented in keytool, it is your responsibility to maintain (that is, add/remove) the certificates contained in this file if you use this file as a truststore.

根据您联系的服务器的证书配置，
您可能需要添加其他根证书。从相应的供应商处获取所需的
特定根证书。

Depending on the certificate configuration of the servers you contact, you may need to add additional root certificate(s). Obtain the needed specific root certificate(s) from the appropriate vendor.

在配置方面，针对特定应用我必须安装本地CA证书，我发现使用本地信任存储更稳定（例如，使用 javax.net.ssl.trustStore 指定） 。

In terms of configuration, for specific applications where I've had to install "local" CA certificates, I find it more stable to use a local trust store (for example, specified with javax.net.ssl.trustStore).

这篇关于使用Java标准密钥库是不好的做法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！