Certificate on the client's side?


Problem description
I have a server application and a client application.

The server uses https, and has a .jks file. Apart from that, I use authentication with login and password.

I wonder if the client side should use a .cert certificate. I thought the client's certificate should match the server's certificate, but it seems that I was wrong.

I have some trouble understanding the topic, so please be understanding.

Solution

Keystore

A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – used for instance in SSL encryption.

  • In IBM WebSphere Application Server and Oracle Weblogic Server, a file with extension jks serves as keystore.
  • The Java Development Kit maintains a CA keystore in folder jre/lib/security/cacerts.

Keystore comes in two flavors:

1. Trust:
A trust store contains certificates that are issued by somebody you trust, like a root certificate from a CA.

2. Identity:

  • An identity store contains your own certificates, and they are used to authenticate you when you access an external service.
  • A trust store does not contain sensitive information, while an identity store contains very sensitive information like private keys.
  • Contains a demonstration private key for the server. This keystore establishes an identity for the server.


I wonder if the client side should use a .cert certificate.

If you mean to connect to an HTTPS service, then you should export the server's SSL certificate and import it into your server's keystore; probably you can import it into jre/lib/security/cacerts.

The client is only required to have an SSL certificate if it is 2-way SSL, meaning the client is also required to send an SSL certificate to the server because the server has requested it.

Why is it required? Because during the SSL handshake the server will send its SSL certificate, and the client will validate this certificate against the list of trusted certificates present in its keystore. If it is not validated, then the SSL handshake cannot be completed, and hence no communication can be established. So you must have the server's SSL certificate inside your trusted store of certificates.

I thought the client's certificate should match servers certificate, but it seems that I was wrong.

Yes, you are right: the SSL certificates of 2 different parties will be different.

Each party that requires an SSL certificate will generate a public-private key pair at its end and raise a CSR request to a Certificate Authority (CA), which will generate the SSL certificate using the provided key.


How to export and import SSL certificates

To export certificate:

If it can be accessed using a web browser, then click on the HTTPS icon, view the certificate and follow the export commands.

If it cannot be accessed using a web browser, then use openssl to export the certificate. Use the command below:

# prints the certificate chain the server presents; </dev/null closes the connection after the handshake
openssl s_client -connect host:port -showcerts </dev/null
# -cert/-key select a CLIENT certificate and are only needed when the server requests one (2-way SSL):
#   openssl s_client -connect host:port -showcerts -cert our_client_cert.pem -key our_private_key.pem </dev/null

To import certificate:

Use the command:

keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

Further reading on export and import:
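The answer above, in working Java, as an added example that is not part of the original question or answer. It does in code what the export/import procedure does with openssl and keytool (fetch the chain the server presents, store it in a JKS trust store), then builds the client's SSLContext for one-way TLS (trust store only) and for two-way TLS (trust store plus the client's own identity store holding its private key). The host server.example.test, port 8443, the file names client-truststore.jks and client-identity.jks and the password changeit are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ClientTlsSetup {

    /** Records the chain the server presents instead of validating it.
     *  Used ONLY for the one-off export below; never use it for real traffic. */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] captured = new X509Certificate[0];
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) { captured = chain; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Equivalent of "openssl s_client -connect host:port -showcerts". */
    static X509Certificate[] fetchServerChain(String host, int port) throws Exception {
        CapturingTrustManager tm = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();          // server sends its certificate chain here
        }
        return tm.captured;
    }

    /** Equivalent of "keytool -import -trustcacerts ...": one trusted entry per certificate. */
    static void saveTrustStore(X509Certificate[] chain, String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);             // start with an empty store
        for (int i = 0; i < chain.length; i++) {
            ts.setCertificateEntry("server-chain-" + i, chain[i]);
        }
        try (FileOutputStream out = new FileOutputStream(path)) {
            ts.store(out, password);
        }
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** identityStorePath == null -> one-way TLS (client offers no certificate);
     *  otherwise two-way TLS: the client's private key and certificate are presented on request. */
    static SSLContext buildClientContext(String trustStorePath, char[] trustPw,
                                         String identityStorePath, char[] identityPw) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustPw));          // who we trust: the server's chain
        KeyManager[] kms = null;
        if (identityStorePath != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadJks(identityStorePath, identityPw), identityPw);   // who we are: needs the private key
            kms = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = "server.example.test";                 // assumed host; replace with the real server
        int port = 8443;
        char[] pw = "changeit".toCharArray();

        // 1. One-off export. Compare the printed subjects/fingerprints out of band before trusting them.
        X509Certificate[] chain = fetchServerChain(host, port);
        for (X509Certificate c : chain) {
            System.out.println("subject=" + c.getSubjectX500Principal() + " issuer=" + c.getIssuerX500Principal());
        }
        saveTrustStore(chain, "client-truststore.jks", pw);

        // 2. One-way TLS: the client needs only the trust store (no .cert of its own).
        SSLContext ctx = buildClientContext("client-truststore.jks", pw, null, null);

        // 3. Two-way TLS: only if the server requests a client certificate and client-identity.jks exists.
        if (Files.exists(Paths.get("client-identity.jks"))) {
            ctx = buildClientContext("client-truststore.jks", pw, "client-identity.jks", pw);
        }

        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://" + host + ":" + port + "/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // HttpsURLConnection also verifies the hostname
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Two caveats a practitioner should keep in mind. The capturing trust manager is trust-on-first-use: whatever is on the wire at export time gets trusted, so check the certificate's fingerprint against a value obtained another way before saving it. And importing into $JAVA_HOME/jre/lib/security/cacerts makes every application on that JVM trust the certificate and is lost on the next JDK upgrade; an application-specific trust store, loaded as above or via -Djavax.net.ssl.trustStore, keeps the trust decision scoped to the one client. The login/password authentication mentioned in the question is independent of all this: it happens inside the TLS connection after the handshake and does not replace the trust store.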
