Java access to intermediate CAs from Windows keystores?


Problem description

I need to build a certificate chain on Windows, from an X.509 smart card cert through one or more intermediate CAs to a root CA. That's easy when the CA certs are in a JKS keystore, but I need to use the Windows keystores as well.

I can get the root CA cert from "Windows-ROOT", but I can't get to the "Intermediate Certification Authorities" keystore.

Has anyone done this?

Thanks!

Solution

The SunMSCAPI cryptographic provider only supports two keystores: Windows-MY (personal certificate store) and Windows-ROOT (trusted authorities certificate store), thus I don't think it is possible to directly access other Windows certificate stores. However, it may not be necessary, since it seems that the Windows-MY keystore is able to build certificate chains with the certificates from other stores.

Here is a code snippet I use to test it:

import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

KeyStore ks = KeyStore.getInstance("Windows-MY");
ks.load(null, null); // MSCAPI stores are not file based: no stream, no password
Enumeration<String> en = ks.aliases();
while (en.hasMoreElements()) {
    String aliasKey = en.nextElement();
    Certificate c = ks.getCertificate(aliasKey);
    System.out.println("---> alias : " + aliasKey);
    if (ks.isKeyEntry(aliasKey)) {
        // only private-key entries carry a chain; getCertificateChain returns null for trusted-cert entries
        Certificate[] chain = ks.getCertificateChain(aliasKey);
        System.out.println("---> chain length: " + chain.length);
        for (Certificate cert : chain) {
            System.out.println(cert);
        }
    }
}

If I add a single certificate with private key in the personal certificate store, the chain length is 1. After adding the CA in the intermediate CA certificate store, I launch the program a second time and the chain length is now 2.


UPDATE (April 2nd): It is possible to programmatically add certificates in the Windows-MY and Windows-ROOT keystores with some limitations:

  • when adding a certificate in Windows-ROOT, the user is prompted for confirmation
  • all certificates added in the Windows-MY keystore are a TrustedCertificateEntry (from the keystore point of view, not the Windows point of view). The keystore seems to build the longest possible chain with all available certificates.
  • the certificates with no associated private key are not visible in the Windows certificate store browser, but it is possible to programmatically delete them.

Adding a certificate in a keystore is straightforward:

import java.io.FileInputStream;
import java.security.cert.CertificateFactory;

try (FileInputStream in = new FileInputStream("C:/Users/me/Downloads/myca.crt")) {
    Certificate c = CertificateFactory.getInstance("X.509").generateCertificate(in);
    ks.setEntry("CA1", new KeyStore.TrustedCertificateEntry(c), null); // MSCAPI entries take no ProtectionParameter
}
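A chain length of 2 from Windows-MY only shows that the store found a candidate issuer; it does not prove that the chain ends at a root the machine actually trusts. The following added example (not part of the original answer) runs a PKIX path build for every private-key entry in Windows-MY, using the certificates that getCertificateChain() returned as intermediates and every certificate in Windows-ROOT as a trust anchor. The class name, the printed messages and the choice to disable revocation checking are assumptions for illustration.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
// Added example (not from the original answer): for every private-key entry in
// Windows-MY, try to build a PKIX path to a Windows-ROOT anchor using the certs
// that getCertificateChain() returned as intermediates, and report the result.
// Disabling revocation checks is an assumption for illustration only.
public class WindowsChainCheck {
    static KeyStore open(String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null); // SunMSCAPI stores are not file based
        return ks;
    }

    // Every X.509 certificate in Windows-ROOT becomes a trust anchor
    static Set<TrustAnchor> anchorsFrom(KeyStore root) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(root.aliases())) {
            Certificate c = root.getCertificate(alias);
            if (c instanceof X509Certificate) anchors.add(new TrustAnchor((X509Certificate) c, null));
        }
        return anchors;
    }

    // Throws CertPathBuilderException when no path from chain[0] to an anchor exists
    static CertPath buildPath(Certificate[] chain, Set<TrustAnchor> anchors) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate((X509Certificate) chain[0]);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false); // assumption: revocation is checked elsewhere
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(chain))));
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    public static void main(String[] args) throws Exception {
        KeyStore my = open("Windows-MY");
        Set<TrustAnchor> anchors = anchorsFrom(open("Windows-ROOT"));
        for (String alias : Collections.list(my.aliases())) {
            if (!my.isKeyEntry(alias)) continue;
            try {
                CertPath path = buildPath(my.getCertificateChain(alias), anchors);
                System.out.println(alias + ": valid path, " + path.getCertificates().size() + " cert(s) below the anchor");
            } catch (CertPathBuilderException e) {
                System.out.println(alias + ": no path to a Windows-ROOT anchor: " + e.getMessage());
            }
        }
    }
}
```

An entry whose chain came back with length 1 will fail the build here unless its issuer is supplied some other way, which makes the missing-intermediate case visible instead of silently printing a short chain.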
