Java SSLSocket：如何发送完整的服务器证书链？ [英] Java SSLSocket: How to send full server cert chain?

问题描述

当我在Java 7中创建SSLServerSocket时，服务器正确地使用我的服务器证书和密钥。该证书由大约的分部颁发。因此，从根证书到服务器cert的完整链具有四个证书。
完整的链存在于密钥库/信任库中。

When I create an SSLServerSocket in Java 7 the server correctly uses my server certificate and key. The certificate was issued by a sub-ca of a ca. Therefore the complete chain from the root cert to the server cert has four certificates. The complete chain is present in the keystore/truststore.

但是，当客户端连接服务器时，总是只发送服务器证书本身。
这也适用于基于Java的Web服务器，如Jetty。

However when a client connects the server always sends only the server certificate itself. This also applies to Java based web servers like Jetty.

因为大多数客户端只安装根CA证书，而不是两个子CA证书一个大问题。

Because most clients have only the root ca certificate installed and not the two sub-ca certificates this is a big problem.

如何强制Java在SSL / TLS握手中发送完整的证书链？

How can I force Java to send the full certificate chain in the SSL/TLS handshake?

推荐答案

密钥库中的密钥条目不仅仅用于单个证书，而是用于证书链（请参阅 KeyStore.setKeyEntry ，它需要一个 Certificate [] chain 参数）。

A key entry in a keystore isn't just for a single certificate, but for a certificate chain (see KeyStore.setKeyEntry, which takes a Certificate[] chain parameter).

如果要使用特定的链，需要在具有证书及其私钥的条目中将其设置为链。是否中间证书也在同一密钥库中，在不同的条目中并不重要。

If you want a specific chain to be used, it needs to be set up as a chain in the entry where you have the certificate and its private key. Whether the intermediate certificates are also in the same keystore, in different entries doesn't really matter.

这是一个非常类似的问题，让客户端发送完整的客户端证书链。如同此问题中所述，相同的密钥库配置步骤也应从服务器角度出发。

This is a very similar problem to getting a client to send the full client-certificate chain. The same keystore configuration steps should also work from a server point of view, as described in this question.

这篇关于Java SSLSocket：如何发送完整的服务器证书链？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！