Java and SSL certificates

Question

I am trying to establish a connection with a PHP script of mine in Java using the secure socket layer (HTTPS), but I have found out that to ensure maximum security/validity I have to import the SSL certificate that my website uses into my application... Something I don't know how to do.

If it helps, my SSL Certificate is not self signed, rather provided by StartSSL AND I am using Eclipse IDE.

Could anybody point me in the right direction? i.e. What files do I need, where should I import them and what code do I need in Java, etc?

Recommended answer


I have found out that to ensure maximum security/validity I have to import the SSL certificate that my website uses into my application

You are partially right when you make that statement. You do not need to import your SSL certificate. It is sufficient that the StartSSL CA certificate be imported.

Additionally, there is no such thing as importing a certificate into a Java application. SSL support in Java relies on the concept of keystores and truststores, and not on some certificate packaged within your application. If you are publishing your application to be downloaded and executed by end-users, there is no need for you to publish your certificate or for that matter your private key in your application. The private key, and the associated certificate would be stored in a keystore, that only you may access.

The end-users of your application would rely on the SSL support within the Java runtime, that would enable the application to establish SSL connections to sites, after the server-certificate is verified. The Java runtime ships with a default set of CA certificates in a truststore, and the only prerequisite for SSL connections to be successfully established is that the SSL certificate of the server be issued by one of the CAs in the truststore. The certificates of StartSSL are not present in the truststore of the Java runtime, at least as of version 6, and therefore:


  • You could instruct your end users to perform the activity of importing the StartSSL CA certificate into the Java truststore. Links that may help include this StartSSL forum thread (only the first 4 steps are needed to import the CA certs into a truststore), a GitHub project, and this blog post; a disclaimer - I haven't attempted using any of those and you ought to be using it at your own risk.
  • Or, you could initialize your application with your own truststore using the -Djavax.net.ssl.trustStore=<path_to_truststore> -Djavax.net.ssl.trustStorePassword=<truststore_password> JVM startup flags, or execute the following code before initializing SSL connections:

System.setProperty("javax.net.ssl.trustStore","<path_to_truststore>");
System.setProperty("javax.net.ssl.trustStorePassword","<truststore_password>");

This is a viable approach only if your application is a Java SE application that does not happen to be an applet (or an application with similar restrictions on how the truststore is specified).

It would also help to read the Java keytool documentation.
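
The following is an added example, not part of the original answer: it loads a truststore file and applies it to a single HTTPS connection through its own SSLContext, instead of setting the JVM-wide javax.net.ssl.trustStore property. The class name, the argument order (truststore path, password, URL) and the fallback to the JRE's bundled cacerts file with its stock password are assumptions made for illustration.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class CustomTrustStoreClient {

    // Load a truststore file from disk.
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build an SSLContext whose trust decisions use only the CAs in this truststore.
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the JRE's bundled truststore and its stock password.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore trustStore = loadTrustStore(path, password);
        System.out.println(trustStore.size() + " entries in " + path);
        if (args.length < 3) return; // no URL given: stay offline

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        // Applies to this connection only; the default HostnameVerifier stays in place.
        conn.setSSLSocketFactory(contextFor(trustStore).getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode());
        } catch (SSLHandshakeException e) {
            System.err.println("Certificate chain not trusted: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

A truststore supplied this way, like one supplied through javax.net.ssl.trustStore, is used instead of the runtime's default CA set, so it must contain every CA the connection needs.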
