Certificate mechanism between web service provider and consumer


Question

What are the exact steps done by the server and the client to put an SSL certificate mechanism in place for a web service call? Who (client/server/both) will generate the .keystore and .p7b/.cer files? I have googled a lot but couldn't find the answer. In my case, I am the client running a Java application which consumes a SOAP web service. I have a .p7b file given by the web service provider. I know where to place the files (.keystore, .cer) and how to use them in the application.

However, my questions are:

  1. Do I need to generate the keystore file, or should I get it from the web service provider? If I need to generate it, how? Do I need a private key/password?
  2. I need a .cer file, so how do I convert the .p7b to a .cer file using keytool?

Thanks in advance for your help.

Answer

It looks like you're calling a web service where the HTTP connection is protected by TLS/SSL using X.509 certificates. That means the server has set up a keystore with those certificates as well as the corresponding private keys. When you call the web service, the server will retrieve from its keystore the certificate used for the trust establishment (that is, to protect the TLS connection to the web service) and send it to the client. When the client receives the response from the server it will check the trust of that certificate. Now we have two scenarios:

  1. If the server uses a self-signed certificate (can be used for development and testing, but not in production), then the client won't recognize it as trusted because it's not stored in the client's truststore. By default, in a Java environment, the truststore is searched (in order) in the following two locations: $JAVA_HOME/lib/security/jssecacerts and $JAVA_HOME/lib/security/cacerts. A custom truststore can also be used by running the client with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword or by using a custom TrustManager. As such, if the server's self-signed certificate is not stored in one of these locations, the secure connection will fail. So the client will have to import the certificate into its truststore. To circumvent the import of self-signed certificates into the client's truststore, you can create a custom X509TrustManager as stated here.

  2. If the server uses a certificate signed by one of the recognized root CA authorities, then it'll be validated automagically because those CAs' certificates are already installed in Java's default truststore. As such, the trusted TLS connection will be successful.

In the case where the server does not require client authentication, the process is over (this is what happens when you connect to most HTTPS websites via a browser).

If the server requires client authentication, then the client will need to provide its own certificate from its keystore to the server, and the server will need to have it installed in its truststore. The web service provider must provide to the client the specification for the certificate profile that the client should use.

Here you can find a good clarification of the keystore vs. truststore terminology.

By default, in a Java environment, the keystore and the truststore are JKS files.

So you're saying you have a .p7b file provided by the web service provider. Quoting from this page:

PKCS#7/P7B Format

The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files including Microsoft Windows and Java Tomcat.

So that P7B file contains the server certificate or certificate chain (more on this here).

I believe you're in a no-client-auth scenario. Therefore, you won't need your own keystore. You'll only need to import the server's certificate (P7B file) into the truststore you're using. You can directly import a P7B file without converting it to CER format:

keytool -import -trustcacerts -alias web_service -keystore my_truststore.jks -file web_service.p7b

In case you still want a CER-formatted certificate, you can convert from P7B to CER like this (to answer your 2nd question):

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

If in fact client authentication is needed, then you'll need to create your keystore with your private key and public certificate and provide it to the connection by either the -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword parameters or through a KeyManager. The same workflow previously explained applies now in the opposite direction.
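The two scenarios the answer describes (trust the provider's P7B on the client side; present a client certificate when the server demands client authentication) can be wired up in the Java client itself instead of through keytool and -D system properties. The following is an added example, not code from the question or answer above. It assumes hypothetical file names (web_service.p7b for the provider's bundle, a PKCS#12 file for the client's own key and certificate) and a hypothetical endpoint soap.example.test. It relies on the fact that Java's "X.509" CertificateFactory parses PKCS#7 certs-only bundles, so the P7B is loaded into an in-memory truststore directly; this does the same job as the keytool -import above without touching the JVM-wide cacerts and without the permissive custom X509TrustManager shortcut mentioned for self-signed certificates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * SOAP-over-HTTPS client that trusts only the certificates shipped in the
 * provider's P7B bundle and, when the server requires client authentication,
 * presents a client certificate from a PKCS#12 keystore.
 */
public final class SoapTlsClient {

    /**
     * Load every certificate from a PKCS#7 (.p7b) bundle into an empty,
     * in-memory truststore. CertificateFactory("X.509") understands PKCS#7
     * certs-only bundles, so no .cer conversion and no keytool import is needed.
     */
    static KeyStore trustStoreFromP7b(String p7bPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                       // fresh truststore, no file behind it
        try (InputStream in = new FileInputStream(p7bPath)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            if (certs.isEmpty()) {
                throw new IllegalArgumentException("no certificates found in " + p7bPath);
            }
            int i = 0;
            for (Certificate c : certs) {
                // Certificate entries only: a truststore never holds private keys.
                ts.setCertificateEntry("web_service_" + (i++), c);
            }
        }
        return ts;
    }

    /**
     * Build the TLS context. The truststore comes from the provider's P7B; the
     * keystore (our private key + certificate chain) is only loaded when the
     * server requires client authentication, i.e. clientP12Path != null.
     */
    static SSLContext buildContext(String p7bPath, String clientP12Path, char[] clientP12Password)
            throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStoreFromP7b(p7bPath));

        KeyManagerFactory kmf = null;
        if (clientP12Path != null) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(clientP12Path)) {
                ks.load(in, clientP12Password);    // private key + our own certificate chain
            }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, clientP12Password);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical endpoint and file names; replace with the provider's real values.
        URL endpoint = new URL("https://soap.example.test/service");
        String clientP12 = args.length > 0 ? args[0] : null;          // omit for no-client-auth
        char[] password = args.length > 1 ? args[1].toCharArray() : null;

        SSLContext ctx = buildContext("web_service.p7b", clientP12, password);
        HttpsURLConnection conn = (HttpsURLConnection) endpoint.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification stays at the default; never swap in a permissive HostnameVerifier.
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setDoOutput(true);
        String envelope = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soapenv:Body/></soapenv:Envelope>";                // minimal constructed request
        conn.getOutputStream().write(envelope.getBytes(StandardCharsets.UTF_8));
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Run with no arguments for the no-client-auth case, or pass the PKCS#12 path and its password as the two arguments when the provider requires client authentication. Because the trust anchors come from a private, in-memory truststore, a self-signed server certificate in the P7B is accepted for this connection only, and the JVM's default cacerts is left untouched; certificate chain validation and hostname verification remain fully enforced.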

