What is Keystore?


Question

I have been getting:

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
.
.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.
ValidatorException: PKIX path building failed: sun.security.provider.
certpath.SunCertPathBuilderException: unable to find valid certification 
path to requested target

Searching on how to resolve this exception I have come across the term Keystore which I do not understand. What is Keystore in simple terms? How it is related to SSL?

Answer

Keystore in Java can refer to three things, depending on the context. (They're all closely related but subtly different.)


  • A keystore can be a repository where private keys, certificates and symmetric keys can be stored. This is typically a file, but the storage can also be handled in different ways (e.g. cryptographic token or using the OS's own mechanism.)

  • KeyStore is also a class which is part of the standard API. It is essentially a way to load, save and generally interact with one of the "physical" keystores as described above. A KeyStore can also be purely in memory, if you just need the API abstraction for your application.

    How to load and handle such a KeyStore instance depends on the format of the keystore file (or other storage system) that backs it. Multiple formats are available. Some of the most common are JKS and PKCS#12 (.p12).

  • "keystore" can also be used as the counterpart of "truststore". This is where it can get confusing, since both "keystore" and "truststore" are keystores, they're just used for different purposes. You can find more details in this answer. The keystore is used to initialise the key manager, whereas the truststore is used to initialise the trust manager. From the JSSE reference guide:



  • A TrustManager determines whether the remote authentication credentials (and thus the connection) should be trusted.

  • A KeyManager determines which authentication credentials to send to the remote host.

Essentially, a keystore used as a truststore will contain a number of (CA) certificates that you're willing to trust: those are the trust anchors you are going to use to verify remote certificates you don't already know and trust. In contrast, a keystore used as a keystore will contain your own certificate and its private key: this is what you're going to use to authenticate yourself to a remote party (when required).

There is a default truststore bundled with the JRE (/lib/security/cacerts). There isn't a default keystore, since it's usually a more explicit step for the user.

In the context of SSL/TLS, a keystore (keystore used as a keystore) will be where a server stores its certificate and private key (or, when client-certificate authentication is used, where the client stores its certificate and private key). A truststore (keystore used as a truststore) will be where the client stores the CA certificates of the CAs it is willing to trust, so as to be able to verify the server certificate when making a connection to an SSL/TLS server (similarly, on the server side, this is also where the CA certificates used to verify the client certificates are stored).

Typically, the error you're getting ("ValidatorException: PKIX path building failed") happens when the certificate of the server you're connecting to cannot be verified using any certificate in the truststore you're using. You would generally need to have in your truststore either the server certificate directly in your truststore (which is only manageable on a small scale) or the CA certificate of the CA used to issue that server certificate (or one of the certificates in the chain it presents, when there is a chain).
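The following program is an added example written for this page; it is not code from the answer above or from the JDK. It reproduces, in plain JCA calls, what the JSSE trust manager does when it throws the "PKIX path building failed" exception in the question: it loads a truststore (by default the JRE's bundled cacerts, whose conventional default password is "changeit"), reads the certificate chain a server presents from a PEM file, and runs a PKIX path validation against the truststore's trusted certificate entries. If that fails, it applies the fix the answer describes, adding the top of the presented chain as a trusted entry, but into a separate application truststore rather than into cacerts, and then builds an SSLContext from a KeyManagerFactory and a TrustManagerFactory to show the keystore/truststore split in code. The class name TrustStoreCheck, the file names and the alias "my-ca" are illustrative choices; the code assumes Java 9 or newer (for KeyStore.getInstance(File, char[])) and that the chain file was produced by something like `openssl s_client -showcerts -connect host:443 </dev/null`, which prints the leaf certificate first.

```java
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example (not from the answer): diagnose "PKIX path building failed" against a truststore. */
public class TrustStoreCheck {

    /** Loads a JKS or PKCS#12 file; KeyStore.getInstance(File, char[]) detects the format (Java 9+). */
    static KeyStore load(Path file, char[] password) throws Exception {
        return KeyStore.getInstance(file.toFile(), password);
    }

    /** Reads the chain a server presents, leaf first (e.g. saved from openssl s_client -showcerts). */
    static List<X509Certificate> readPemChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        return chain;
    }

    /** What the JSSE trust manager does: build a PKIX path from the chain to a trusted entry in the truststore. */
    static String validate(List<X509Certificate> chain, KeyStore truststore) throws Exception {
        // Anchors are not part of the validated path, so drop any presented cert that is already trusted.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (truststore.getCertificateAlias(c) == null) path.add(c);
        }
        if (path.isEmpty()) return "OK: the server certificate itself is a trusted entry";
        PKIXParameters params = new PKIXParameters(truststore); // anchors = trusted certificate entries
        params.setRevocationEnabled(false);                      // offline check; enable CRL/OCSP in production
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            PKIXCertPathValidatorResult r =
                (PKIXCertPathValidatorResult) validator.validate(cf.generateCertPath(path), params);
            return "OK: chains to anchor " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            // getReason() separates "no anchor found" from e.g. EXPIRED or NAME_CHAINING
            return "FAILED (" + e.getReason() + "): " + e.getMessage();
        }
    }

    /** The fix from the answer: add the issuing CA (or a self-signed server cert) as a trusted entry and save. */
    static void addTrustedCert(KeyStore truststore, String alias, X509Certificate cert,
                               Path out, char[] password) throws Exception {
        truststore.setCertificateEntry(alias, cert);
        try (FileOutputStream o = new FileOutputStream(out.toFile())) {
            truststore.store(o, password);
        }
    }

    /** The keystore initialises the KeyManager (our identity); the truststore initialises the TrustManager. */
    static SSLContext sslContext(KeyStore keystore, char[] keyPassword, KeyStore truststore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPassword); // keystore may be null for a client without a client certificate
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TrustStoreCheck chain.pem [truststore [password]]
        // Without a truststore argument the JRE's bundled cacerts is checked (default password "changeit").
        Path tsPath = args.length > 1 ? Paths.get(args[1])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] tsPassword = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore truststore = load(tsPath, tsPassword);
        List<X509Certificate> chain = readPemChain(Paths.get(args[0]));
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates found in " + args[0]);

        String result = validate(chain, truststore);
        System.out.println(tsPath + ": " + result);
        if (result.startsWith("FAILED")) {
            // Write a separate application truststore instead of editing the JDK's cacerts. The top of the
            // presented chain is only safe to trust after its fingerprint has been verified out of band.
            X509Certificate top = chain.get(chain.size() - 1);
            KeyStore mine = KeyStore.getInstance("PKCS12");
            mine.load(null, null); // fresh, empty, in-memory keystore
            addTrustedCert(mine, "my-ca", top, Paths.get("my-truststore.p12"), "changeit".toCharArray());
            System.out.println("my-truststore.p12 (" + top.getSubjectX500Principal() + "): " + validate(chain, mine));
            SSLContext ctx = sslContext(null, null, mine); // client with no certificate of its own
            System.out.println("SSLContext ready: " + ctx.getProtocol());
        }
    }
}
```

The same import can be done with the JDK tool instead of code: `keytool -importcert -alias my-ca -file ca.pem -keystore my-truststore.p12 -storetype PKCS12`, and the JVM can be pointed at the resulting file with `-Djavax.net.ssl.trustStore=my-truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=PKCS12`. Prefer importing the issuing CA certificate over the leaf certificate so that certificate renewal does not break the trust relationship, and do not work around the exception with an all-trusting TrustManager: that removes server authentication entirely, whereas the validation above only accepts a chain that ends at a certificate you have deliberately chosen to trust.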
