Trust Store vs Key Store - creating with keytool


Problem description


I understand that the keystore would usually hold private/public keys and the trust store only public keys (and represents the list of trusted parties you intend to communicate with). Well, that's my first assumption, so if that's not correct, I probably haven't started very well...

What I'm interested in, though, is how/when you distinguish between the two stores when you are using keytool.

So far I've created a keystore using

keytool -import -alias bob -file bob.crt -keystore keystore.ks


which creates my keystore.ks file. I answer yes to the question "do I trust bob", but it is unclear to me whether this has created a keystore file or a truststore file. I can set up my application to use the file as either:

-Djavax.net.ssl.keyStore=keystore.ks -Djavax.net.ssl.keyStorePassword=x
-Djavax.net.ssl.trustStore=keystore.ks -Djavax.net.ssl.trustStorePassword=x


and with System.setProperty("javax.net.debug", "ssl") set, I can see the certificate under trusted certifications (but not under the keystore section). The particular certificate I'm importing has only a public key, and I intend to use it to send stuff over an SSL connection to Bob (but perhaps that's best left for another question!).


Any pointers or clarifications would be much appreciated. Is the output of keytool the same whatever you import, and is it just convention that says one is a keystore and the other a trust store? What's the relationship when using SSL etc.?

Recommended answer


The terminology is a bit confusing indeed, but both javax.net.ssl.keyStore and javax.net.ssl.trustStore are used to specify which keystores to use, for two different purposes. Keystores come in various formats and are not even necessarily files (see this question), and keytool is just a tool to perform various operations on them (import/export/list/...).


The javax.net.ssl.keyStore and javax.net.ssl.trustStore parameters are the default parameters used to build KeyManagers and TrustManagers (respectively), which are then used to build an SSLContext that essentially contains the SSL/TLS settings to use when making an SSL/TLS connection via an SSLSocketFactory or an SSLEngine. These system properties are just where the default values come from; they are then used by SSLContext.getDefault(), itself used by SSLSocketFactory.getDefault(), for example. (All of this can be customized via the API in a number of places, if you don't want to use the default values and want specific SSLContexts for a given purpose.)


The difference between the KeyManager and TrustManager (and thus between javax.net.ssl.keyStore and javax.net.ssl.trustStore) is as follows (quoted from the JSSE ref guide):


TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.


KeyManager: Determines which authentication credentials to send to the remote host.


(Other parameters are available and their default values are described in the JSSE ref guide. Note that while there is a default value for the trust store, there isn't one for the key store.)


Essentially, the keystore in javax.net.ssl.keyStore is meant to contain your private keys and certificates, whereas the javax.net.ssl.trustStore is meant to contain the CA certificates you're willing to trust when a remote party presents its certificate. In some cases, they can be one and the same store, although it's often better practice to use distinct stores (especially when they're file-based).
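As an added example (not code from the question or the answer above), the following Java program loads two stores created with keytool, prints the entry type each alias holds (which is how keytool's output differs between the two cases), and wires them into an SSLContext explicitly, the way the two -Djavax.net.ssl.* property pairs do implicitly. The file paths passed as arguments and the password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class StoreRoles {

    // Print the entry kind behind each alias. `keytool -import` of a bare
    // certificate (as in the question) yields a trustedCertEntry, while
    // `keytool -genkeypair` yields a PrivateKeyEntry (key + certificate chain).
    static void describe(String label, KeyStore ks) throws Exception {
        System.out.println(label + " (" + ks.getType() + "), " + ks.size() + " entries");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry"
                        : ks.isCertificateEntry(alias) ? "trustedCertEntry" : "other";
            System.out.println("  " + alias + ": " + kind);
        }
    }

    // Load a store from disk using the JDK default type (PKCS12 on modern JDKs;
    // JKS files created by older keytool versions still load in compat mode).
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: args[0] is an identity store from `keytool -genkeypair`,
        // args[1] is the trust store from `keytool -import -alias bob -file bob.crt`.
        // Assumed store password (keytool defaults the key password to it).
        char[] password = "changeit".toCharArray();
        KeyStore keyStore = load(args[0], password);
        KeyStore trustStore = load(args[1], password);
        describe("keyStore", keyStore);
        describe("trustStore", trustStore);

        // KeyManager: the credentials *we* present; needs a PrivateKeyEntry.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        // TrustManager: the remote certificates we accept; uses trustedCertEntry anchors.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

If you pass the same file for both arguments you reproduce the questioner's setup: the store is accepted as both, but KeyManagerFactory has no PrivateKeyEntry to offer, so the context can only authenticate the peer, never itself.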
