客户端-服务器SSL通讯+自签名证书 [英] Client-Server SSL communication + Self signed certificate
问题描述
我正在构建Java客户端-服务器应用程序.客户端将通过SSL与服务器通信.我想让客户自己进行身份验证.我的意思是使用密钥库之类的东西,但是这个话题对我来说真的很新.
I'm building a Java Client-Server application. The client will communicating with the Server through SSL. I want to achive that the client needs to be authenticate itself. I mean use a keystore or whatever, but this topic is really new to me.
所以我的问题是,如何生成一个客户端和一个服务器端密钥库(如果这就是所谓的名称)并对其进行自签名.从这里我可以做剩下的事情.
So my question would be, how can I generate a Client and a Server side Keystore (if that's what it's called) and self sign it. From here I can do the rest.
我所拥有的:
keytool -genkeypair -alias test -keystore test.store -storepass StorePass -validity 365 -keyalg RSA -keysize 2048 -dname "CN=TestCompany Ltd., OU=TestCompany Developments, O=TestCompany Ltd., L=MyCity, S=MyState, C=HU" -storetype jks
keytool -keystore test.store -certreq -alias test -keyalg rsa -file test.csr
我认为现在我需要对test.csr进行自签名,对吗? 但是,这将是什么?应该在服务器端还是客户端上使用它?
I think now I need to self-sign the test.csr, right? But what will be this? Should be this used on the Server or the Client side?
在服务器端又应该有一个仅包含证书而不包含私钥的密钥库?或这如何运作? :)
And there again on the server side there should be a Keystore which only contains the certificate, but not the private key? Or how does this work? :)
感谢您的任何帮助!
推荐答案
您已生成CSR.证书签名请求.因此,您需要有人签名.如果只需要自签名证书,请使用-selfcert选项.
You've generated a CSR. Certificate Signing Request. So, you need somebody to sign it. If you just want a self-signed certificate, use the -selfcert option.
在服务器端,您需要一个密钥库文件,其中包含私钥和签名证书,并且使用相同的别名.
On the server side you need a keystore file containing both the private key and the signed certificate, under the same alias.
在客户端顶部,您需要:
On the client side top you need either:
- 包含自签名证书的信任库(如果这样做),或者
- 包含CA证书或其根的信任库(如果已对其进行CA签名),并且Java已经随附其中一个.
这篇关于客户端-服务器SSL通讯+自签名证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
