Java access to intermediate CAs from Windows keystores?
Problem description
I need to build a certificate chain on Windows, from an X.509 smart card cert through one or more intermediate CAs to a root CA. That's easy when the CA certs are in a JKS keystore, but I need to use the Windows keystores as well.
I can get the root CA cert from "Windows-ROOT", but I can't get to the "Intermediate Certification Authorities" keystore.
Has anyone done this?
Thanks!
The SunMSCAPI cryptographic provider only supports two keystores: Windows-MY (personal certificate store) and Windows-ROOT (trusted authorities certificate store), thus I don't think it is possible to directly access other Windows certificate stores. However it may not be necessary, since it seems that the Windows-MY keystore is able to build certificate chains with the certificates from other stores.
Here is a code snippet I use to test it:
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

// Windows-MY is the "Personal" store; SunMSCAPI needs no file and no password
KeyStore ks = KeyStore.getInstance("Windows-MY");
ks.load(null, null);
Enumeration<String> en = ks.aliases();
while (en.hasMoreElements()) {
    String aliasKey = en.nextElement();
    Certificate c = ks.getCertificate(aliasKey);
    System.out.println("---> alias : " + aliasKey);
    if (ks.isKeyEntry(aliasKey)) {
        // only entries with a private key get a chain built by the provider
        Certificate[] chain = ks.getCertificateChain(aliasKey);
        System.out.println("---> chain length: " + chain.length);
        for (Certificate cert : chain) {
            System.out.println(cert);
        }
    }
}
If I add a single certificate with private key in the personal certificate store the chain length is 1. After adding the CA in the intermediate CA certificate store I launch the program a second time and the chain length is now 2.
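The chain length alone does not tell you whether the chain the provider assembled is one you should trust. As an added example (not code from the original answer), the program below reads the trust anchors out of Windows-ROOT and runs the chain returned for each Windows-MY key entry through the standard PKIX CertPathValidator, so a chain that merely got longer because an arbitrary certificate was dropped into a store is distinguished from one that really terminates at a trusted root. The class name and the choice to disable revocation checking are assumptions; it only runs on Windows with the SunMSCAPI provider available.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical class name: checks Windows-MY chains against Windows-ROOT anchors.
public class WindowsChainCheck {

    // Every certificate in Windows-ROOT becomes a PKIX trust anchor.
    static Set<TrustAnchor> loadWindowsRootAnchors() throws Exception {
        KeyStore root = KeyStore.getInstance("Windows-ROOT");
        root.load(null, null);
        Set<TrustAnchor> anchors = new HashSet<>();
        Enumeration<String> aliases = root.aliases();
        while (aliases.hasMoreElements()) {
            Certificate c = root.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        return anchors;
    }

    // Validates a chain (end-entity first) with PKIX. A self-signed certificate at the
    // end of the chain is left out of the path, because PKIX supplies the root as the anchor.
    static boolean chainIsTrusted(Certificate[] chain, Set<TrustAnchor> anchors) throws Exception {
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            if (x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) {
                break; // self-signed: stop here, the anchor set covers it
            }
            path.add(x);
        }
        if (path.isEmpty()) {
            return false; // a lone self-signed certificate has no CA-issued chain to validate
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        // Assumption: revocation (CRL/OCSP) is checked elsewhere; enable it in production.
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("    rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Set<TrustAnchor> anchors = loadWindowsRootAnchors();
        KeyStore my = KeyStore.getInstance("Windows-MY");
        my.load(null, null);
        Enumeration<String> aliases = my.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!my.isKeyEntry(alias)) {
                continue; // only entries with a private key have a provider-built chain
            }
            Certificate[] chain = my.getCertificateChain(alias);
            System.out.println("---> alias: " + alias + ", chain length: " + chain.length);
            System.out.println("    trusted by Windows-ROOT: " + chainIsTrusted(chain, anchors));
        }
    }
}
```

With only the end-entity certificate in the personal store (chain length 1 in the answer's test) the validator reports that the path does not chain to any anchor; once the intermediate is present (chain length 2) and its issuer is in Windows-ROOT, the path validates. Any certificate the provider appends that is not issued by an anchored CA is rejected rather than silently accepted as part of a "longer" chain.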
UPDATE (April, 2nd)
It is possible to programmatically add certificates in the Windows-MY and Windows-ROOT keystores with some limitations:
- when adding a certificate in the Windows-ROOT keystore the user is prompted for confirmation
- all certificates added in the Windows-MY keystore are TrustedCertificateEntry (from the keystore point of view, not the Windows point of view). The keystore seems to build the longest possible chain with all available certificates.
- the certificates with no associated private key are not visible in the Windows certificate store browser but it is possible to programmatically delete them.
Adding a certificate in a keystore is straightforward:
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// ks is the Windows-MY keystore opened as in the snippet above
Certificate c = CertificateFactory.getInstance("X.509").generateCertificate(new FileInputStream("C:/Users/me/Downloads/myca.crt"));
KeyStore.TrustedCertificateEntry entry = new KeyStore.TrustedCertificateEntry(c);
// SunMSCAPI takes no protection parameter, hence null
ks.setEntry("CA1", entry, null);
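The update's three observations can be exercised end to end. The following added example (not from the original answer) imports a CA certificate into Windows-MY as a TrustedCertificateEntry, shows how the keystore classifies it, prints the chain length seen for the key entries before and after, and then deletes the entry again, which matters because such entries do not show up in the Windows certificate store browser and would otherwise linger unnoticed. The class name, the alias "TEST-CA1", the command-line argument for the certificate path, and the assumption that calling load(null, null) a second time refreshes the store (the answer relaunched the program instead) are all mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import java.util.Enumeration;

// Hypothetical class name.
public class WindowsMyTrustedEntryRoundTrip {

    static final String ALIAS = "TEST-CA1"; // constructed alias for the imported CA

    // Reads one DER or PEM encoded X.509 certificate from disk.
    static Certificate readCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Prints the provider-built chain length of every entry that has a private key.
    static void printKeyEntryChains(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        for (String alias : Collections.list(aliases)) {
            if (ks.isKeyEntry(alias)) {
                System.out.println("  " + alias + ": chain length " + ks.getCertificateChain(alias).length);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the CA certificate file, e.g. the myca.crt used in the answer
        Certificate ca = readCert(args[0]);
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);

        System.out.println("Before import:");
        printKeyEntryChains(ks);

        // No confirmation prompt here: only Windows-ROOT prompts the user
        ks.setEntry(ALIAS, new KeyStore.TrustedCertificateEntry(ca), null);
        // From the keystore's point of view this is a certificate entry, not a key entry
        System.out.println("isCertificateEntry(" + ALIAS + ") = " + ks.isCertificateEntry(ALIAS));
        System.out.println("isKeyEntry(" + ALIAS + ")         = " + ks.isKeyEntry(ALIAS));

        // Assumption: re-loading makes the provider rebuild the chains with the new certificate
        ks.load(null, null);
        System.out.println("After import:");
        printKeyEntryChains(ks);

        // The entry has no private key and is invisible in the Windows store UI, so clean up here
        ks.deleteEntry(ALIAS);
        System.out.println("Removed " + ALIAS + ": " + !ks.containsAlias(ALIAS));
    }
}
```

Run it as `java WindowsMyTrustedEntryRoundTrip C:\path\to\ca.crt` on a Windows JDK. If the imported certificate is the issuer of a key entry's certificate, that entry's chain length grows by one between the "Before" and "After" listings, matching the behaviour described in the answer; the final line confirms the temporary entry is gone.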