Keystore type: which one to use?


Question

By looking at the file java.security of my JRE, I see that the keystore type to use by default is set to JKS. Here, there is a list of the keystore types that can be used.

Is there a recommended keystore type? What are the pros/cons of the different keystore types?

Accepted answer

There are a few more types than what's listed in the standard name list you've linked to. You can find more in the cryptographic providers documentation. The most common are certainly JKS (the default) and PKCS12 (for PKCS#12 files, often with extension .p12 or sometimes .pfx).

JKS is the most common if you stay within the Java world. PKCS#12 isn't Java-specific, it's particularly convenient to use certificates (with private keys) backed up from a browser or coming from OpenSSL-based tools (keytool wasn't able to convert a keystore and import its private keys before Java 6, so you had to use other tools).

If you already have a PKCS#12 file, it's often easier to use the PKCS12 type directly. It's possible to convert formats, but it's rarely necessary if you can choose the keystore type directly.

In Java 7, PKCS12 was mainly useful as a keystore but less for a truststore (see the difference between a keystore and a truststore), because you couldn't store certificate entries without a private key. In contrast, JKS doesn't require each entry to be a private key entry, so you can have entries that contain only certificates, which is useful for trust stores, where you store the list of certificates you trust (but you don't have the private key for them).

This has changed in Java 8, so you can now have certificate-only entries in PKCS12 stores too. (More details about these changes and further plans can be found in JEP 229: Create PKCS12 Keystores by Default.)

There are a few other keystore types, perhaps less frequently used (depending on the context), those include:

  • PKCS11, for PKCS#11 libraries, typically for accessing hardware cryptographic tokens, but the Sun provider implementation also supports NSS stores (from Mozilla) through this.
  • BKS, using the BouncyCastle provider (commonly used for Android).
  • Windows-MY/Windows-ROOT, if you want to access the Windows certificate store directly.
  • KeychainStore, if you want to use the OSX keychain directly.
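As an added illustration of the answer's point about certificate-only entries (not code from the original question or answer), this small tool copies every entry of an existing keystore of one type (e.g. a JKS trust store) into a new PKCS12 file; writing the certificate-only entries requires Java 8+, exactly as described above. The class name `ConvertKeystore`, the command-line layout and the use of a single password for the store and all its key entries are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.util.Enumeration;

/** Example tool: copy a keystore of any installed type into a PKCS12 store.
 *  Usage: java ConvertKeystore <src-file> <src-type> <dst.p12> <password>
 *  Assumption: one password protects the store and every key entry. */
public class ConvertKeystore {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: ConvertKeystore <src> <srcType> <dst.p12> <password>");
            System.exit(2);
        }
        char[] password = args[3].toCharArray();
        KeyStore src = KeyStore.getInstance(args[1]);       // e.g. "JKS" or "PKCS12"
        try (InputStream in = new FileInputStream(args[0])) {
            src.load(in, password);
        }
        KeyStore dst = KeyStore.getInstance("PKCS12");
        dst.load(null, null);                               // start with an empty store
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(password);
        int certs = 0, keys = 0;
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (src.isCertificateEntry(alias)) {
                // Trust-store style entry: a certificate with no private key.
                // On Java 7 the PKCS12 store rejects this; Java 8+ accepts it.
                dst.setCertificateEntry(alias, src.getCertificate(alias));
                certs++;
            } else if (src.isKeyEntry(alias)) {
                // Private key plus certificate chain, re-protected with the same password.
                dst.setEntry(alias, src.getEntry(alias, prot), prot);
                keys++;
            }
        }
        try (OutputStream out = new FileOutputStream(args[2])) {
            dst.store(out, password);
        }
        System.out.printf("copied %d certificate-only and %d key entries to %s%n",
                          certs, keys, args[2]);
    }
}
```

Running it against a JKS trust store on Java 7 fails at the first `setCertificateEntry`, which is a quick way to see the limitation the answer describes; on Java 8 or later the same input converts cleanly.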
