Imported certificate to Java keystore, JVM ignores the new cert


Question

I'm trying to get an application running on top of Tomcat 6 to connect to an LDAP server over SSL.

I imported the server's certificate into the keystore using:

C:\Program Files\Java\jdk1.6.0_32\jre\lib\security>keytool -importcert -trustcacerts -file mycert -alias ca_alias -keystore "c:\Program Files\Java\jdk1.6.0_32\jre\lib\security\cacerts"

When I start Tomcat with SSL debugging turned on, according to the logs Tomcat is using the correct certificate file:

trustStore is: C:\Program Files\Java\jdk1.6.0_32\jre\lib\security\cacerts

However, Tomcat does not add the cert I just imported (all other certs in the cacerts file are printed to the log) and the connection fails:

handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Restarting Tomcat does not help. I have verified with the keytool -list command that the new cert does exist in the file.

Why does Tomcat keep ignoring my new cert?

Edit:

It seems that the issue was caused by the Windows 7 VirtualStore. Keytool created a new copy of the cacerts file, and Tomcat used the original file.

Answer

The JVM needs a restart after importing certs into the keystore.
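The practical check behind both the question and the edit is "which cacerts file is this JVM actually going to load, and is my alias in that file?" The following Java program is an added example, not code from the original post. It resolves the default trust store the same way the JSSE default TrustManagerFactory does (the javax.net.ssl.trustStore property if set, otherwise <java.home>/lib/security/jssecacerts, otherwise <java.home>/lib/security/cacerts), loads it, and reports whether the alias is present. On Windows it additionally looks for a UAC VirtualStore copy of the same file, which is where a non-elevated keytool write under Program Files ends up. Assumptions: the alias "ca_alias" is taken from the post's keytool command, the trust store password defaults to the JDK's stock cacerts password "changeit" (override with -Djavax.net.ssl.trustStorePassword), and the VirtualStore layout is %LOCALAPPDATA%\VirtualStore\<path relative to the drive root>.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

/**
 * Added example (not from the original post): report which trust store the
 * running JVM will use and whether a given alias is in it, and detect a Windows
 * VirtualStore shadow copy that keytool may have written instead.
 *
 * Run with the same JVM Tomcat uses, e.g.:
 *   "C:\Program Files\Java\jdk1.6.0_32\jre\bin\java" TrustStoreCheck ca_alias
 */
public class TrustStoreCheck {

    /** Trust store path resolved as the default JSSE trust manager does. */
    static Path resolveDefaultTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null && !override.isEmpty()) {
            return Paths.get(override);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        // jssecacerts wins over cacerts when both exist
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    /**
     * Windows VirtualStore shadow of a file, or null when there is none
     * (non-Windows systems have no LOCALAPPDATA, so they always return null).
     * Assumed layout: %LOCALAPPDATA%\VirtualStore\<path without drive letter>.
     */
    static Path virtualStoreCopyOf(Path original) {
        String localAppData = System.getenv("LOCALAPPDATA");
        if (localAppData == null) {
            return null;
        }
        Path abs = original.toAbsolutePath();
        Path root = abs.getRoot();            // e.g. C:\
        if (root == null) {
            return null;
        }
        Path relativeToDrive = root.relativize(abs);   // Program Files\Java\...
        Path candidate = Paths.get(localAppData, "VirtualStore").resolve(relativeToDrive);
        return Files.exists(candidate) ? candidate : null;
    }

    /** Load the keystore at the given path and test for the alias. */
    static boolean containsAlias(Path keystore, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, password);
        }
        return ks.containsAlias(alias);
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "ca_alias";   // alias from the post's keytool command
        char[] password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();

        Path trustStore = resolveDefaultTrustStore();
        System.out.println("JVM trust store: " + trustStore);
        System.out.println("alias '" + alias + "' present there: "
                + containsAlias(trustStore, password, alias));

        Path shadow = virtualStoreCopyOf(trustStore);
        if (shadow != null) {
            System.out.println("VirtualStore copy found: " + shadow);
            System.out.println("alias '" + alias + "' present in the copy: "
                    + containsAlias(shadow, password, alias));
        }
    }
}
```

If the alias turns up only in the VirtualStore copy, the keytool write was silently redirected by UAC file virtualization. The fix is to re-run keytool from an elevated (Run as administrator) prompt so the real cacerts under Program Files is modified, or to keep a dedicated trust store outside Program Files and point Tomcat at it with -Djavax.net.ssl.trustStore; in either case, restart Tomcat afterwards, since the trust store is read once when the JVM starts.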
