相互SSL - 以正确的格式获取密钥/信任库 [英] Mutual SSL - getting the key/truststores in the proper formats

问题描述

我使用OpenSSL生成了CSR：

I generated a CSR using OpenSSL:

openssl req -out MyCompanyCsr.csr -new -newkey rsa:2048 -nodes -keyout MyCompanyPrivateKey.key

开始时，我们有：

- MyCompanyPrivateKey.key
- MyCompanyCsr.csr

然后我将它发送给我们的集成合作伙伴，后者回复了3个文件：

Then I sent it to our integration partner, who responded with 3 files:

- PartnerIntermediateCa.crt
- PartnerRootCa.crt
- MyCompanyCsr.crt

现在我需要连接到他们的Web服务使用相互SSL。为此，我知道我需要在我的SSLSocketFactory中为JAXB设置信任库和密钥库。

Now I need to connect to their web service using mutual SSL. To do this, I know I need to set the truststore and keystore in my SSLSocketFactory for JAXB.

我使用以下方法在Java中实例化密钥库和信任库：

I'm instantiating the keystore and truststore in Java using:

      KeyStore trustStore = KeyStore.getInstance("JKS");
      InputStream tsis = ClassLoader.getSystemResourceAsStream(trustStorePath);
      trustStore.load(tsis, "mypassword".toCharArray());
      tsis.close();

      KeyStore keyStore = KeyStore.getInstance("JKS");
      InputStream ksis = ClassLoader.getSystemResourceAsStream(keyStorePath);
      keyStore.load(ksis, "mypassword".toCharArray());
      if (ksis != null) {
        ksis.close();
      }

      TrustManagerFactory tmf =
          TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
      tmf.init(trustStore);

      KeyManagerFactory kmf =
          KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      kmf.init(keyStore, "mypassword".toCharArray());

但是，尝试在连接服务器时使用此代码会抛出 SSLHandshakeException ，消息 http.client.failed ：

However, attempting to use this code in connecting to the server throws a SSLHandshakeException with the message http.client.failed:

com.sun.xml.ws.client.ClientTransportException: HTTP transport error: 
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

密钥库和 truststore 我正在使用的是从我的浏览器导出，客户端私钥为 PKCS ，服务器证书为 x509 Cert PKCS＃7 w / Chain'。然后在Portecle打开它们并将它们作为 JKS`文件导出。

The keystore and truststore I'm using were exported from my browser, with the Client private key as a PKCS and the Server cert as a x509 Cert PKCS#7 w/ Chain'. Then opened them up in Portecle and exported them both asJKS` files.

假设Java代码是合法的，我怎么能确定我已正确创建密钥库和信任库？

Assuming the Java code is legit, how can I be sure I have correctly created the keystore and truststore?

谢谢非常。

推荐答案

我终于弄明白了。我使用了FireFox和 Portecle 。

I finally figured this out. I used FireFox and Portecle.

在浏览器中安装服务器证书和私钥。

Install the Server Certs and Private Key in the browser.

注意：一个总是令人困惑的一点是：就Portecle / Java而言，truststore和keystore都是 keystore 。唯一的区别是我们使用的那个我们的密钥库在客户端除了公共证书之外还将拥有我们的私钥。

Note: One always confusing point: both the "truststore" and "keystore" are keystores as far as Portecle / Java goes. The only difference is the one we use as our keystore in the client is going to have our private keys in addition to the public certs.

使用服务器证书构建的TrustStore：

• 转到该地址的URL，单击地址栏旁边的（锁定图标，显示SSL已启用）


• 安全选项卡>查看证书>详细信息选项卡>导出按钮


• 选择类型：X.509带链的证书（PKCS＃7）。



• 将某处保存为ffTestServerCert.crt

• Go to a URL at the address, click next to the address bar (lock icon, showing SSL enabled)
• Security tab > View Certificate > Details tab > Export button
• Choose type: X.509 Certificate with chain (PKCS#7).

• Save somewhere as ffTestServerCert.crt

通过以下方式在Portecle中打开：检查菜单>检查证书>选择ffTestServerCert.crt

Open in Portecle via: Examine menu > Examine Certificate > select ffTestServerCert.crt

在磁盘上另存为.pem文件（例如，假设我有caCert1.pem，caCert2.pem，caCert3.pem）

Save as .pem file on disk (for this example, say I have caCert1.pem, caCert2.pem, caCert3.pem)

在Portecle中创建新的密钥库：文件>新密钥库> JKS

Create new Keystore in Portecle: File > New Keystore > JKS

重复对于您要导入的任何其他证书（我做了所有3）。

Repeat for any other certs you want to import (I did all 3).

在Portecle中保存密钥库：

Save keystore in Portecle:

恭喜，这是有效的信任库。

使用私钥和服务器证书构建的KeyStore：

• 首先将私钥导入FireFox （或Chrome或IE）


• 使用浏览器导出PKCS格式的私钥。


• Firefox>首选项>高级选项卡>加密选项卡>查看证书>您的证书


• 选择要导出的文件>点击备份按钮


• （这里只有选项是PKCS12格式，这就是我们的意思想要）


• 选择一个名字 - clientKeys.p12


• 输入密钥库的密码



• 应该说它们已导出，单击确定

• First import the private keys into FireFox (or Chrome or IE)
• Use the browser to export the private key in PKCS format.
• Firefox > Preferences > Advanced tab > Encryption tab > View Certificates > Your Certificates
• Select the one you want to export > click Backup button
• (Only option here is PKCS12 format, which is what we want)
• Choose a name - clientKeys.p12
• enter a password for the keystore

• Should say they were exported, click Ok

在Portecle中打开键

Open keys in Portecle

输入上面选择的密码

使用Portecle转换为JKS

Convert to JKS using Portecle

点击确定

保存密钥库：

已完成

现在你有正确的 - 配置 clientTrustStore.jks 和 clientKeyStore.jks 以验证您的客户端。

Now you have the correctly-configured clientTrustStore.jks and clientKeyStore.jks for authenticating your client.

要查看这些内容的示例现在可以使用，你可以查看：
带有相互SSL的SOAP - 如何通过凭据发送？

To see an example of how these can now be used, you can check out: SOAP with mutual SSL - how to send over credentials?

这篇关于相互SSL - 以正确的格式获取密钥/信任库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！