Imported certificate to Java keystore, JVM ignores the new cert
Problem description
I'm trying to get an application running on top of Tomcat 6 to connect to an LDAP server over SSL.
I imported the certificate of the server into the keystore using:
C:\Program Files\Java\jdk1.6.0_32\jre\lib\security>keytool -importcert -trustcacerts -file mycert -alias ca_alias -keystore "c:\Program Files\Java\jdk1.6.0_32\jre\lib\security\cacerts"
When I start Tomcat with SSL debugging turned on, according to the logs Tomcat is using the correct certificate file:
trustStore is: C:\Program Files\Java\jdk1.6.0_32\jre\lib\security\cacerts
However, Tomcat does not add the cert I just imported - all other certs in the cacerts file are printed to the log - and the connection fails:
handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Restarting Tomcat does not help. I have verified with the keytool -list command that the new cert indeed exists in the file.
Why does Tomcat keep ignoring my new cert?
Edit:
It seems that the issue was caused by the Windows 7 VirtualStore. Keytool created a new copy of the cacerts file, and Tomcat used the original file.
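The VirtualStore redirection described in the edit above can be checked directly. The following PowerShell script is an added example and is not part of the original question or answer: it computes where UAC file virtualization would have put the shadow copy of cacerts, compares the two files, and asks keytool which of them actually holds the alias. It assumes the JDK path and the alias ca_alias from the import command in the question, that keytool.exe is on PATH, and that the cacerts file still uses its default password changeit.

```powershell
# Added example, not code from the original question or answer.
# Checks whether a keytool import into the cacerts file under "Program Files"
# was silently redirected by Windows UAC file virtualization into
# %LOCALAPPDATA%\VirtualStore, which leaves the JVM reading the untouched original.
# Assumptions: the JDK path from the question, keytool.exe on PATH, the alias
# "ca_alias" from the import command, and the default cacerts password "changeit".
param(
    [string]$Cacerts   = 'C:\Program Files\Java\jdk1.6.0_32\jre\lib\security\cacerts',
    [string]$Alias     = 'ca_alias',
    [string]$StorePass = 'changeit',
    [string]$Keytool   = 'keytool'
)

# UAC virtualization maps writes by unelevated legacy processes under protected
# directories (Program Files, Windows, ProgramData) to
# %LOCALAPPDATA%\VirtualStore\<path without the drive letter>.
$drive    = Split-Path -Path $Cacerts -Qualifier            # e.g. "C:"
$relative = $Cacerts.Substring($drive.Length).TrimStart('\')
$shadow   = Join-Path (Join-Path $env:LOCALAPPDATA 'VirtualStore') $relative

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing works on PowerShell 2.0 (the Windows 7 default), unlike Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
    } finally { $sha.Clear() }
}

function Test-AliasInKeystore {
    param([string]$Keystore, [string]$Alias, [string]$Pass)
    if (-not (Test-Path -LiteralPath $Keystore)) { return $false }
    # keytool exits non-zero when the alias is absent, so the exit code is the answer.
    & $Keytool -list -keystore $Keystore -storepass $Pass -alias $Alias 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$principal  = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Write-Host "Real trust store : $Cacerts"
Write-Host "VirtualStore copy: $shadow"
Write-Host ("Elevated         : {0}" -f $isElevated)
if (-not $isElevated) {
    # keytool launched unelevated may itself be redirected to the copy; the hash
    # comparison below is done by PowerShell, a manifested process, and is reliable.
    Write-Warning "Not elevated: keytool's view of the file may be virtualized too. Re-run from an elevated prompt to be sure."
}

if (Test-Path -LiteralPath $shadow) {
    Write-Warning "A VirtualStore copy of cacerts exists: keytool was run without elevation at least once."
    if ((Get-Sha256Hex $Cacerts) -ne (Get-Sha256Hex $shadow)) {
        Write-Warning "The two files differ: the JVM reads the real file, keytool -list showed you the copy."
    }
}

$realHas   = Test-AliasInKeystore -Keystore $Cacerts -Alias $Alias -Pass $StorePass
$shadowHas = Test-AliasInKeystore -Keystore $shadow  -Alias $Alias -Pass $StorePass

if ($realHas) {
    Write-Host "'$Alias' is in the real trust store. If the handshake still fails, restart Tomcat so the JVM reloads cacerts."
} elseif ($shadowHas) {
    Write-Warning "'$Alias' exists only in the VirtualStore copy, so the JVM never sees it."
    Write-Host "Fix: Remove-Item the copy, re-run keytool -importcert from an elevated (Run as administrator) prompt, then restart Tomcat."
} else {
    Write-Warning "'$Alias' is in neither file; the import did not happen at all."
}
```

Run it from an elevated PowerShell prompt so that keytool is not subject to the same redirection. The SHA-256 comparison is the decisive signal: if the file under Program Files and the one under VirtualStore differ, the JVM (which opens the path printed in the SSL debug log) and keytool -list have been looking at two different trust stores.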
Recommended answer
The JVM needs a restart after importing certs into the keystore.