Correct way to import root and intermediate certificates in Java cacerts


Question

My company has its own ROOT certificate. Using this certificate they signed an intermediate certificate.

Then we issued a CSR for the server certificate and signed it with the intermediate certificate.

What is the correct way to import the ROOT certificate and the intermediate into the Java cacerts file, in order to be able to establish an SSL connection with the server whose server certificate is signed by the intermediate?

I used OpenSSL to test the certificate chain on the server:

openssl s_client -showcerts -connect host:443

CONNECTED(00000003)
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
   i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
issuer=/CN=INTERMEDIATECERT
---
No client certificate CA names sent
---
SSL handshake has read 1601 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA


Recommended answer

You only need to import the root certificate in the truststore.

keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit -alias aliasName -file path/to/certificate.cer

The SSL server during handshake should provide the certificate and the intermediates. The TrustManager of your client will validate the certification chain until the root is found.

Note: It is recommended to use your own truststore instead of modifying cacerts
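
The answer's point, reproduced offline with OpenSSL as an added example (not part of the original answer): with only the root trusted, verification fails with the question's error 20 when the server sends just its own certificate, and succeeds once the intermediate is supplied as an untrusted, server-sent certificate. The `Demo Root` name, `demo.cnf` and all file names are constructed; the last step assumes a JDK's `keytool` is installed and is skipped otherwise.

```shell
#!/bin/sh
# Added demo: every name, key and file below is constructed for illustration.
set -eu

# new_cert DIR NAME SUBJECT ISSUER EXT: new key + CSR, signed by ISSUER's key.
new_cert() {
  openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -set_serial 2 \
    -extfile "$1/demo.cnf" -extensions "$5" -days 2 -out "$1/$2.pem" 2>/dev/null
}

# Build root -> INTERMEDIATECERT -> myServer in directory $1.
build_chain() {
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$1/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Root" -days 2 -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  new_cert "$1" inter "/CN=INTERMEDIATECERT" root v3_ca
  new_cert "$1" leaf "/CN=myServer" inter v3_leaf
}

# Only the root is trusted (-CAfile); -untrusted stands for what the server sends.
verify_root_only()  { openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 || true; }
verify_with_inter() { openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1 || true; }

work=$(mktemp -d)
build_chain "$work"
echo "server sends leaf only:";           verify_root_only "$work"
echo "server sends leaf + intermediate:"; verify_with_inter "$work"

# Dedicated truststore holding only the root, instead of editing cacerts.
if command -v keytool >/dev/null 2>&1; then
  keytool -importcert -noprompt -alias demo-root -file "$work/root.pem" \
    -keystore "$work/truststore.p12" -storetype PKCS12 -storepass changeit ||
    echo "keytool import failed" >&2
fi
# A client JVM is then started with -Djavax.net.ssl.trustStore=<path to truststore.p12>
```
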
