Correct way to import root and intermediate certificates in Java cacerts
Question
My company has its own ROOT certificate. Using this certificate they signed an intermediate certificate.
Then we issued a CSR for the server certificate and signed it with the intermediate certificate.
What is the correct way to import the ROOT certificate and the intermediate certificate into the Java cacerts file, in order to be able to establish an SSL connection with a server whose server certificate is signed by the intermediate?
I used OpenSSL to test the certificate chain on the server:
openssl s_client -showcerts -connect host:443
CONNECTED(00000003)
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
issuer=/CN=INTERMEDIATECERT
---
No client certificate CA names sent
---
SSL handshake has read 1601 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Accepted answer
You only need to import the root certificate into the truststore.
keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit -alias aliasName -file path/to/certificate.cer
The SSL server should provide the certificate and the intermediates during the handshake. The TrustManager of your client will validate the certification chain until the root is found.
Note: It is recommended to use your own truststore instead of modifying cacerts.
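As an added illustration (not code from the original answer or from the poster), the following Java program builds an in-memory truststore holding only the root certificate, just as the keytool import above leaves cacerts, and runs the default TrustManager over the two chains a server might present: the leaf alone, which is what the openssl output above shows this server sending, and the leaf followed by the intermediate. The file names root.pem, intermediate.pem and server.pem are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added illustration, not from the original answer. File names are assumptions.
public class ChainCheck {
    // Reads one PEM or DER encoded certificate from disk.
    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
    // Truststore holding only the corporate root, as after the keytool import above.
    static X509TrustManager trustManagerFor(X509Certificate root) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);  // empty in-memory truststore
        ts.setCertificateEntry("corp-root", root);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }
    // True if the certificates the server presented chain up to a trusted root.
    static boolean serverChainTrusted(X509TrustManager tm, List<X509Certificate> presented) {
        try {
            tm.checkServerTrusted(presented.toArray(new X509Certificate[0]), "RSA");
            return true;
        } catch (CertificateException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = load(cf, "root.pem");
        X509Certificate intermediate = load(cf, "intermediate.pem");
        X509Certificate server = load(cf, "server.pem");
        X509TrustManager tm = trustManagerFor(root);
        // Leaf alone (what the openssl output shows the server sending) vs. leaf plus intermediate.
        System.out.println("leaf only: " + serverChainTrusted(tm, Arrays.asList(server)));
        System.out.println("leaf + intermediate: " + serverChainTrusted(tm, Arrays.asList(server, intermediate)));
    }
}
```

With only the root trusted, the leaf-only chain is rejected because the client has no way to reach the root, which is the same failure openssl reported above; once the server also sends the intermediate, the chain validates without the intermediate ever being imported on the client.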