Imported certificate to Java keystore, JVM ignores the new cert


Problem description

I'm trying to get an application running on top of Tomcat 6 to connect to an LDAP server over SSL.

I imported the server's certificate into the keystore using:

C:\Program Files\Java\jdk1.6.0_32\jre\lib\security>keytool -importcert -trustcacerts -file mycert -alias ca_alias -keystore "c:\Program Files\Java\jdk1.6.0_32\jre\lib\security\cacerts"

When I start Tomcat with SSL debugging turned on, according to logs Tomcat is using the correct certificate file:

trustStore is: C:\Program Files\Java\jdk1.6.0_32\jre\lib\security\cacerts

However, Tomcat does not add the cert I just imported - all other certs in the cacerts file are printed to the log - and connection fails:

handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Restarting Tomcat does not help. I have verified with the keytool -list command that the new cert indeed exists in the file.

Why does Tomcat keep ignoring my new cert?

Seems that the issue was caused by Windows 7 VirtualStore. Keytool created a new copy of the cacert file, and Tomcat used the original file.

Recommended answer

JVM needs restart after importing certs to the keystore.
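
The VirtualStore situation described in the question can be checked directly. The following is an added example, not code from the original post: it looks up the alias in the trust store this JVM resolves and in any VirtualStore shadow copy of that file. The class name TrustStoreCheck is hypothetical, "changeit" is assumed as the stock cacerts password, and the LOCALAPPDATA environment variable is assumed to be set.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

// Added example (hypothetical class name); written to compile on Java 6.
public class TrustStoreCheck {

    // True if the keystore file contains the given alias.
    static boolean hasAlias(File file, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(file);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks.containsAlias(alias);
    }

    // C:\Program Files\x  ->  <LOCALAPPDATA>\VirtualStore\Program Files\x
    static File shadowCopy(File original, String localAppData) {
        String abs = original.getAbsolutePath();
        String noDrive = abs.indexOf(':') == 1 ? abs.substring(2) : abs;
        return new File(localAppData + "\\VirtualStore" + noDrive);
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "ca_alias"; // alias from the question
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray(); // assumed password
        // Explicit trust store if configured, otherwise the JRE's cacerts file.
        String prop = System.getProperty("javax.net.ssl.trustStore");
        File store = prop != null ? new File(prop)
                : new File(System.getProperty("java.home"), "lib/security/cacerts");
        System.out.println("Trust store: " + store + " hasAlias=" + hasAlias(store, alias, pw));

        String localAppData = System.getenv("LOCALAPPDATA");
        if (localAppData == null) {
            System.out.println("LOCALAPPDATA is not set; no VirtualStore to inspect");
            return;
        }
        File shadow = shadowCopy(store, localAppData);
        if (shadow.isFile()) {
            // A shadow copy means a non-elevated write was redirected here. If this
            // check itself runs virtualized, the line above may also have read this
            // copy, so the existence of the file is the signal to act on.
            System.out.println("VirtualStore copy: " + shadow
                    + " hasAlias=" + hasAlias(shadow, alias, pw));
        } else {
            System.out.println("No VirtualStore copy at " + shadow);
        }
    }
}
```

Run it with the same java.exe and the same -Djavax.net.ssl.trustStore setting (if any) that Tomcat uses, as the user who ran keytool. If a VirtualStore copy is reported, repeat the import from an elevated command prompt so that keytool writes to the real cacerts file.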
