Is it necessary to add the CA certificate to the PKCS12 certificate for Tomcat


Problem description

I am importing certificate and key from my customer and creating PKCS12 certificate for tomcat. The tomcat is configured to use this certificate as keystore. Do I need to import CA certificates as well from customer? If yes why?

Recommended answer

If the CA certificate issuing your certificate is a "root" CA certificate (i.e. it is self-signed), it doesn't matter: if a party verifying that certificate doesn't already have it in its trust anchors, nothing will make it trust it.

It is generally more useful when the CA certificate is an intermediate CA certificate. In this case, it is relevant for the server to present the full certificate chain (except the root CA, which would be optional for the reasons stated above). Since the remote party might not have these intermediate CA certificates as known trust anchors, but might trust the CA cert that issued that intermediate CA certificate, this makes them more likely to be able to build a chain of trust from their trust anchors to the certificate to verify.

Strictly speaking, you don't need to present the full chain, but doing so makes it more likely for your certificate to be accepted.

(This is more or less the same problem as in this question. In addition, you're talking about a PKCS#12 store, so you would generally import the CA files against the right "alias" (using the Java terminology) anyway.)

This being said, private keys should generally stay private. If you're trying to implement your own CA, there are mechanisms to do this in the browser, without sending the private key anywhere, which will let the user have a PKCS#12 file in return (if they choose to export their cert+key from there).
