如何信任Java中的证书颁发机构? [英] How to trust a certificate authority in Java?

问题描述

我的应用程序连接到SSL Web服务，该服务使用证书来验证其身份.最近，此证书已更改，并且由于它不是由受信任的权威机构签名的，因此我的应用程序的一部分失败了.该服务建议将来防止这种情况发生，我应该开始信任现有证书的签名机构，而不是单个证书.

My application connects to an SSL web service which uses a certificate to verify its identity. Recently, this certificate changed and since it is not signed by a trusted authority, part of my application failed. The service's advice to protect against this situation in the future is that I should start trusting the existing certificate's signing authority, instead of the individual certificates.

如何用Java实现?

当前，我正在使用keytool将它们提供的证书添加到密钥库中，并将其组成如下所示的TrustManagerFactory:

Currently I'm adding the certificate they provide into a keystore using keytool and composing it into a TrustManagerFactory something like:

public static TrustManager[] getTrustManagers() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    KeyStore tks = KeyStore.getInstance(KeyStore.getDefaultType());
    tks.load(StarTrustManagerFactory.class.getResourceAsStream("webservice.ks"), "password".toCharArray());
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(tks);
    return tmf.getTrustManagers();
}; 

是否有一种方法可以适应这种方法，以返回信任我所拥有证书的签名权限的?另外，如何从我拥有的证书中提取有关证书签名者的信息?

Is there a way of adapting this approach to return a TrustManager which trusts the signing authority of the certificates I have? Additionally, how can I extract the information regarding the signer of the certificate from the certificate I have?

谢谢，丹.

推荐答案

假定发布的代码在证书更改之前有效，请保持不变.而是修改webservice.ks密钥库，并导入要连接到的站点的中间和根ca证书.

Assuming that code posted worked before the certificate changed, leave it as is. Instead modify the webservice.ks keystore and import the intermediate and root ca certificates of the site you are connecting to.

您可以通过在Web浏览器中访问地址并将其保存到磁盘来获取这些证书.有关如何在Firefox中执行此操作的信息，请参见 https://superuser.com/a/97203/172370 .但是，在链接的说明的第4步中，选择要导出的根/intermediate ca证书(在所需证书上单击证书层次结构框中).

You can get these certificates by visiting the address in a web browser and saving them to disk. For how you'd do this in firefox, see https://superuser.com/a/97203/172370. However at step 4 in the linked instructions, select the root/intermediate ca certs to export (click in the certificate hierarchy box on the desired one).

然后假设.ks文件是jks密钥库，请使用keytool将证书导入到密钥库中.

Then assuming the .ks file is a jks keystore, use keytool to import the certificates into the keystore.

更新:忽略我对中间证书的说法，您不需要它(请参阅信任库是否需要子证书证书?).只需导入根ca证书即可.

Update: ignore what I said about the intermediate certificate, you shouldn't need it (see Does a truststore need the sub-ca certificate?). Just import the root ca certificate.

这篇关于如何信任Java中的证书颁发机构?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！