How to add fingerprint to keystore


Problem description

I had the following exception while writing to an SSL socket:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

It seems like the certificate of the target server is not trusted. I tested my implementation on a Windows 7 machine, jdk7 and tomcat7 with no problem. The exception is thrown on Ubuntu 10 LTS with openJDK 6 and tomcat7. I got the sha1 and md5 fingerprint of the socket's target server. Am I right that the certificate of the server I am trying to stream to is not trusted on my Ubuntu server? Can I add the fingerprint to the Tomcat keystore? If so, how do I do this?

Recommended answer

It's not the fingerprint that you need to add to your trust store, but the actual certificate.

You can add the server certificate itself or add one of the CA certificates in the chain (if you wish to trust all the certificates from that CA, not just that particular server).

To find out what the certificate is, you can use OpenSSL:

openssl s_client -showcerts -connect your.host.name:443

(Replace the host name and 443 by the actual host name and port you're using.)

The blocks between --BEGIN/END CERT...-- are the certificates in PEM format. You can check their content using openssl x509 -text -noout (and pasting each block there).

Save the certificate you want to import into a plain text file (e.g. certificate.pem). You should only import certificates that you trust. There's a certain leap of faith here. (You might want to connect with your browser and check whether the key material matches, for example.)

To import into your truststore use:

keytool -importcert -keystore truststore.jks -file certificate.pem

(You may need to specify an alias with -alias some_name_you_choose.)

If you want this to affect your default truststore, replace truststore.jks with the path to lib/security/cacerts in your Java home directory (the default password should be changeit).

Since the target server seems to come from a well-known CA anyway (and it works with some versions of the JRE), the easiest fix is certainly to update your cacerts file manually, taking a copy from a JRE with which it works. After all, as the JSSE Reference Guide says:

IMPORTANT NOTE: The JDK ships with a limited number of trusted root certificates in the /lib/security/cacerts file. As documented in keytool, it is your responsibility to maintain (that is, add/remove) the certificates contained in this file if you use this file as a truststore.

Depending on the certificate configuration of the servers you contact, you may need to add additional root certificate(s). Obtain the needed specific root certificate(s) from the appropriate vendor.

It turns out it's certainly a problem with the certificate chain order (which is incorrect on this site), as shown by Qualys SSL Labs tester.
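The procedure from this answer end to end, as an added example that is not part of the original answer: fetch the chain with openssl s_client, split it into one PEM file per certificate, print each certificate's subject, issuer and SHA-256 fingerprint so it can be compared against a fingerprint obtained out of band before anything is trusted, then import the chosen file with keytool. It assumes openssl, awk and keytool are on PATH; truststore.jks, the alias and the password are placeholders for this example.

```shell
#!/bin/sh
# Added example, not the original answer's code. Assumes openssl, awk and
# keytool are installed; truststore.jks and the alias are placeholder names.

# Read `openssl s_client -showcerts` output on stdin and write each PEM block
# to cert-1.pem, cert-2.pem, ... under directory $1. Everything outside the
# BEGIN/END CERTIFICATE markers (handshake chatter) is dropped. Prints the
# number of certificates found.
split_pem_chain() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
    inblock { print > out }
    /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
    END { print n + 0 }'
}

# Fetch the chain the server presents (server certificate first, then any
# intermediates it sends) and split it into files. Arguments: host port outdir
fetch_chain() {
  openssl s_client -showcerts -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    split_pem_chain "$3"
}

# Show subject, issuer and SHA-256 fingerprint of one PEM certificate; compare
# the fingerprint with the one you obtained independently before importing.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Import one PEM file into a JKS truststore. Arguments: pemfile store alias password
import_cert() {
  keytool -importcert -noprompt -keystore "$2" -storepass "$4" -alias "$3" -file "$1"
}

# Usage: sh trust_server.sh your.host.name 443 some_name_you_choose changeit
if [ "$#" -eq 4 ]; then
  dir=$(mktemp -d)
  count=$(fetch_chain "$1" "$2" "$dir")
  echo "server presented $count certificate(s)"
  for f in "$dir"/cert-*.pem; do echo "== $f"; describe_cert "$f"; done
  # cert-1.pem is the server certificate itself; import a later file instead
  # if you have decided to trust the whole CA rather than this one server.
  import_cert "$dir/cert-1.pem" truststore.jks "$3" "$4"
fi
```

Point the truststore argument at lib/security/cacerts under your Java home if, as the answer says, you want the import to affect the default truststore.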
