如何正确导入自签名证书到Java密钥库,默认情况下所有Java应用程序都可用? [英] How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default?
问题描述
我想将自签名证书导入Java,因此任何尝试建立SSL连接的Java应用程序都将信任此证书。
到目前为止,我可以导入到
keytool -import -trustcacerts -noprompt -storepass changeit -alias $ REMHOST -file $ REMHOST.pem
keytool -import -trustcacerts -noprompt -keystore cacerts -storepass changeit -alias $ REMHOST -file $ REMHOST.pem
仍然,当我尝试运行 HTTPSClient .class
我仍然得到:
javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException :PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效认证路径
解决方案在Windows上,最简单的方法是使用程序 portecle 。
- 下载并安装portecle。
- 首先确保您知道使用哪个JRE或JDK来运行程序。在64位Windows 7上可能有相当多的JRE。 Process Explorer可以帮助你,或者你可以使用:
System.out.println(System.getProperty(java.home));
- 将文件JAVA_HOME \lib \security \cacerts复制到另一个文件夹。
- 在Portecle中,单击文件>打开密钥库文件
- 选择cacerts文件
- 输入此密码:changeit
- 单击工具>导入受信任的证书
- 点击导入
- 点击确定以获取有关信任路径的警告。
- 当它显示证书的详细信息时,单击确定。
- 单击是接受证书作为受信任的证书。
- 确定,然后再次输入证书时,再次单击确定。
- 单击保存。
$ b在Linux上:
您可以从已经在使用它的网络服务器上下载SSL证书, p>
$ echo -n | openssl s_client -connect www.example.com:443 | \
sed -ne'/ -BEGIN CERTIFICATE - /,/ - END CERTIFICATE- / p'> /tmp/examplecert.crt
选择验证凭证资讯:
$ openssl x509 -in /tmp/examplecert.crt -text
将证书导入Java cacerts密钥库:
$ keytool -import -trustcacerts -keystore / opt / java / jre / lib / security / cacerts \
-storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt
编辑:
这些天,我们不常需要向密钥库添加证书,因为您可以获取证书从 ssls.com 每年$ 5美元。以防万一这是您的选择。
I do want to import a self signed certificate into Java so any Java application that will try to establish a SSL connection will trust this certificate.
So far, I managed to import it in
keytool -import -trustcacerts -noprompt -storepass changeit -alias $REMHOST -file $REMHOST.pem keytool -import -trustcacerts -noprompt -keystore cacerts -storepass changeit -alias $REMHOST -file $REMHOST.pem
Still, when I try to run
HTTPSClient.class
I still get:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
解决方案On Windows the easiest way is to use the program portecle.
- Download and install portecle.
- First make 100% sure you know which JRE or JDK is being used to run your program. On a 64 bit Windows 7 there could be quite a few JREs. Process Explorer can help you with this or you can use:
System.out.println(System.getProperty("java.home"));
- Copy the file JAVA_HOME\lib\security\cacerts to another folder.
- In Portecle click File > Open Keystore File
- Select the cacerts file
- Enter this password: changeit
- Click Tools > Import Trusted Certificate
- Browse for the file mycertificate.pem
- Click Import
- Click OK for the warning about the trust path.
- Click OK when it displays the details about the certificate.
- Click Yes to accept the certificate as trusted.
- When it asks for an alias click OK and click OK again when it says it has imported the certificate.
- Click save. Don’t forget this or the change is discarded.
- Copy the file cacerts back where you found it.
On Linux:
You can download the SSL certificate from a web server that is already using it like this:
$ echo -n | openssl s_client -connect www.example.com:443 | \ sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/examplecert.crt
Optionally verify the certificate information:
$ openssl x509 -in /tmp/examplecert.crt -text
Import the certificate into the Java cacerts keystore:
$ keytool -import -trustcacerts -keystore /opt/java/jre/lib/security/cacerts \ -storepass changeit -noprompt -alias mycert -file /tmp/examplecert.crt
Edit:
These days we don't often have to add a certificate to the keystore because you can get a certificate for $5 per year from ssls.com. Just in case that's an option for you.
这篇关于如何正确导入自签名证书到Java密钥库,默认情况下所有Java应用程序都可用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!