Java 密钥库中的中间 CA 证书 [英] Intermediate CA certificate in Java keystore

问题描述

我的 Dev OP 团队希望在我们的 Java 密钥库中使用中间 CA 证书.我相信将中间证书添加到密钥库与添加常规证书"的过程相同，对吗?有什么我需要注意的陷阱"吗?另外，我如何在测试中验证 Java 是否使用中间证书，而不是向 CA 核对?

My Dev OPs team would like to make use of an Intermediate CA certificate in our Java keystore. I believe adding an intermediate certificate into the keystore is the same process as as adding a "regular cert", correct? Are there any "gotchas" I need to be aware of? Also, how do I verify in testing that Java is using the intermediate cert as opposed to checking back with the CA?

推荐答案

你需要在证书链方面进行推理.中间 CA 证书的目标是让远程方在终端实体证书(例如服务器或客户端证书本身)和链上的另一个 CA 证书之间建立一个链.

You need to reason in terms of certificate chain. The goal of intermediate CA certificates is to let the remote party build a chain between the End-Entity Certificate (e.g. the server or the client certificate itself) and another CA certificate further up the chain.

如果您正在谈论将此中间 CA 证书导入将用作信任库的密钥库，那么该 CA 证书是中间证书还是根"CA 证书并不重要:它将成为一个像另一个使用该信任库的应用程序的受信任锚点一样.

If you're talking about importing this intermediate CA certificate into a keystore that will be used as a truststore, whether that CA certificate is an intermediate one or a "root" CA certificate doesn't really matter: it will become a trusted anchor like another for the application using that truststore.

如果您谈论用作密钥库的密钥库，您需要确保您的 EEC 将与正确的链一起显示.

If you're talking about a keystore used as a keystore, you need to make sure your EEC will be presented along with the correct chain.

例如，假设 CA_1 为 CA_2 颁发证书，CA_2 为服务器 S 颁发证书.您的客户在其受信任的锚点中拥有证书 CA_1(但不一定是 CA_2):您需要提供一个链S，CA_2"，以便他们可以通过 CA_2 验证该链(否则，他们将不知道如何链接CA_1 到 S).

For example, let's assume CA_1 issues the cert for CA_2, which issues the cert for server S. Your clients have cert CA_1 in their trusted anchors (but not necessarily CA_2): you'll need to present a chain "S, CA_2", so that they can verify the chain via CA_2 (otherwise, they wouldn't know how to link CA_1 to S).

为此，您需要确保 S 及其私钥的条目包含它需要发送的链(S，CA_2)，而不仅仅是证书 S.在您的密钥库中的单独条目中导入 CA_2 不会使JSSE在提供证书S时为您构建链.

To do so, you need to make sure the entry for S and its private key contains the chain it needs to send (S, CA_2), not just certificate S. Importing CA_2 in a separate entry in your keystore will not make the JSSE build the chain for you when presenting certificate S.

此答案 中描述了如何执行此操作(尽管这是从客户端证书的角度来看).

How to do so is described in this answer (although this was from a client-cert point of view).

这篇关于Java 密钥库中的中间 CA 证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！