Trust Store vs Key Store - creating with keytool

Views: 31

Problem description

I understand that the keystore would usually hold private/public keys and the trust store only public keys (and represents the list of trusted parties you intend to communicate with). Well, that's my first assumption, so if that's not correct, I probably haven't started very well...

I'm keen to understand how/when the stores are distinguished when using keytool.

So far, I've created a keystore using

keytool -import -alias bob -file bob.crt -keystore keystore.ks

which creates my keystore.ks file. I answer yes to the question "do I trust bob", but it is unclear to me whether this has created a keystore file or a truststore file. I can set up my application to use the file as either.

-Djavax.net.ssl.keyStore=keystore.ks -Djavax.net.ssl.keyStorePassword=x
-Djavax.net.ssl.trustStore=keystore.ks -Djavax.net.ssl.trustStorePassword=x

and with System.setProperty("javax.net.debug", "ssl") set, I can see the certificate under trusted certifications (but not under the keystore section). The particular certificate I'm importing has only a public key, and I intend to use it to send stuff over an SSL connection to Bob (but perhaps that's best left for another question!).

Any pointers or clarifications would be much appreciated. Is the output of keytool the same whatever you import, and is it just convention that says one is a keystore and the other a trust store? What's the relationship when using SSL etc.?

Recommended answer

The terminology is a bit confusing indeed, but both javax.net.ssl.keyStore and javax.net.ssl.trustStore are used to specify which keystores to use, for two different purposes. Keystores come in various formats and are not even necessarily files (see this question), and keytool is just a tool to perform various operations on them (import/export/list/...).

The javax.net.ssl.keyStore and javax.net.ssl.trustStore parameters are the default parameters used to build KeyManagers and TrustManagers (respectively), then used to build an SSLContext which essentially contains the SSL/TLS settings to use when making an SSL/TLS connection via an SSLSocketFactory or an SSLEngine. These system properties are just where the default values come from, which are then used by SSLContext.getDefault(), itself used by SSLSocketFactory.getDefault() for example. (All of this can be customized via the API in a number of places, if you don't want to use the default values and want specific SSLContexts for a given purpose.)

The difference between the KeyManager and TrustManager (and thus between javax.net.ssl.keyStore and javax.net.ssl.trustStore) is as follows (quoted from the JSSE ref guide):

TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.

KeyManager: Determines which authentication credentials to send to the remote host.

(Other parameters are available and their default values are described in the JSSE ref guide. Note that while there is a default value for the trust store, there isn't one for the key store.)

Essentially, the keystore in javax.net.ssl.keyStore is meant to contain your private keys and certificates, whereas the javax.net.ssl.trustStore is meant to contain the CA certificates you're willing to trust when a remote party presents its certificate. In some cases, they can be one and the same store, although it's often better practice to use distinct stores (especially when they're file-based).
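Added example (written for this page; it is not code from the question, the answer or the JDK documentation): it shows, for the two stores the question asks about, how the entries differ at the KeyStore API level, which is the same distinction keytool -list prints as the entry type, and then wires a key store and a trust store into an SSLContext through KeyManagerFactory and TrustManagerFactory as the answer describes, instead of relying on the javax.net.ssl.* system properties. The file names keystore.ks and truststore.ks, a single shared password for both stores and the key, and the Java 9+ KeyStore.getInstance(File, char[]) overload are assumptions, not values from the page.

```java
import java.io.File;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Inspects what kind of entries two keytool-created stores hold and builds an
 * SSLContext in which each store serves exactly one purpose.
 *
 * Assumed layout (hypothetical, not from the page): keystore.ks holds our own
 * key pair (a PrivateKeyEntry), truststore.ks holds bob's certificate
 * (a trustedCertEntry), and one password protects both stores and the key.
 */
public class StoreInspector {

    // keytool -list reports "Entry type: PrivateKeyEntry" or
    // "Entry type: trustedCertEntry"; these two KeyStore checks are the
    // programmatic equivalent.
    static void describe(String label, KeyStore ks) throws Exception {
        System.out.println(label + " (" + ks.getType() + ")");
        for (String alias : Collections.list(ks.aliases())) {
            String kind;
            if (ks.isKeyEntry(alias)) {
                kind = "PrivateKeyEntry: a KeyManager can present this to the peer";
            } else if (ks.isCertificateEntry(alias)) {
                kind = "trustedCertEntry: a TrustManager can verify peers against it";
            } else {
                kind = "other entry type";
            }
            System.out.println("  " + alias + ": " + kind);
        }
    }

    // KeyStore.getInstance(File, char[]) (Java 9+) probes the file format,
    // so the same loader handles an older JKS file and a newer PKCS12 one.
    static KeyStore load(String path, char[] password) throws Exception {
        return KeyStore.getInstance(new File(path), password);
    }

    // API equivalent of -Djavax.net.ssl.keyStore / -Djavax.net.ssl.trustStore:
    // the key store feeds the KeyManager (what we send), the trust store feeds
    // the TrustManager (what we accept).
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword,
                                   KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: StoreInspector <keystore> <truststore> <password>");
            System.exit(2);
        }
        char[] pw = args[2].toCharArray();
        KeyStore keyStore = load(args[0], pw);
        KeyStore trustStore = load(args[1], pw);

        describe("key store", keyStore);
        describe("trust store", trustStore);

        SSLContext ctx = buildContext(keyStore, pw, trustStore);
        // ctx.getSocketFactory() presents keyStore's key and trusts only what
        // trustStore contains, independently of SSLContext.getDefault().
        System.out.println("built SSLContext for " + ctx.getProtocol());
    }
}
```

Run it as `java StoreInspector keystore.ks truststore.ks x`. A store that only ever received `keytool -import -alias bob -file bob.crt`, as in the question, lists bob as a trusted certificate entry: it works as a trust store, but a KeyManager initialised from it has no private key to present, which is why the certificate appears only under the trusted-certificates section of the javax.net.debug output. A store created with `keytool -genkeypair` lists a private key entry and is what the javax.net.ssl.keyStore side expects.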
