java.lang.Exception: Public keys in reply and keystore don't match


Problem description

I have to access a webservice hosted at port 443. The service provider has shared three certificates with us.


  1. ABCD.cer

  2. CA_Certificate.cer

  3. CCA_Certificate.cer

I have to add them to the keystore by creating a form chain for the SSL communication. I have followed the steps below.


  1. keytool -keystore npci_keystore_test.jks -genkey -alias npci_client_testore

     Result :- keystore npci_keystore_test.jks created.

  2. keytool -import -keystore npci_keystore_test.jks -file CA_Certificate.cer -alias theCARoot

     Result :- certificate CA_Certificate.cer is added to keystore.

  3. keytool -import -keystore npci_keystore_test.jks -file CCA_Certificate.cer -alias theCCARoot

     Result :- certificate CCA_Certificate.cer is added to keystore.

  4. keytool -import -keystore npci_keystore_test.jks -file ABCD.cer -alias npci_client_testore

At step 4 I get the following exception:

Enter keystore password: (and when I enter the password I have the below exception)

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I have already searched on SO, but so far no luck.

I am following the source below to create the store and import the certificates into it: JKS Keystore

EDIT:

I have tested it by changing the import order of the certificates, but no luck so far.

Recommended answer

The link in your question explains how to create an SSL keystore for a server, which is not what you want to do. What you did was:


  1. Create a new key pair
  2. Add a trusted certificate to the keystore
  3. Add another trusted certificate to the keystore
  4. Try to import the SSL certificate of the server as a certificate for your key pair

Step 4 fails because the SSL certificate was generated for a completely different key pair.

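The three certificates are probably:

  1. The SSL certificate of the webservice
  2. The CA certificate that signed the SSL certificate
  3. The root certificate that signed the CA certificate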

What you have to do now is to add a trust anchor to your truststore (by default: ${JAVA_HOME}/jre/lib/security/cacerts), with the result that your client accepts the SSL certificate of the webservice.

Usually the SSL server sends the whole chain except for the root certificate to the client during the SSL handshake. This means that you have to add the root certificate to your truststore:

    keytool -import -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file CCA_Certificate.cer -alias theCCARoot
    

Additional steps are necessary if the webservice requires SSL client authentication, but you have never mentioned client authentication, so I assume that it is not necessary.
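The check behind the error in step 4, as an added example that is not part of the original question or answer: it reports how `keytool -import` will treat a certificate file under a given alias before you run the import. The class name `ImportCheck` and the method `classify` are hypothetical, and Java 9 or later is assumed for `KeyStore.getInstance(File, char[])`.

```java
import java.io.Console;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;

// Added example (hypothetical helper, not from the original post).
// Usage: java ImportCheck <keystore> <alias> <cert-file>
public class ImportCheck {

    // Predicts the outcome of importing `cert` under `alias` into `ks`.
    static String classify(KeyStore ks, String alias, Certificate cert) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "OK: alias is free, the file is stored as a trusted certificate entry";
        }
        if (ks.isCertificateEntry(alias)) {
            return "CONFLICT: alias already names a trusted certificate, pick another alias";
        }
        // The alias is a key entry (e.g. created by -genkey), so the file is treated
        // as a certificate reply and must certify that entry's own public key.
        Certificate own = ks.getCertificate(alias);
        if (own == null) {
            return "CONFLICT: alias is a key entry without a certificate chain";
        }
        byte[] entryKey = own.getPublicKey().getEncoded();
        byte[] replyKey = cert.getPublicKey().getEncoded();
        return Arrays.equals(entryKey, replyKey)
            ? "OK: certificate reply matches the key pair under this alias"
            : "MISMATCH: certificate belongs to a different key pair; "
              + "import it under a new alias as a trusted certificate instead";
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 3 || console == null) {
            System.err.println("usage (interactive): ImportCheck <keystore> <alias> <cert-file>");
            System.exit(2);
        }
        // Read the password without echo instead of taking it from argv.
        char[] pass = console.readPassword("Enter keystore password: ");
        // KeyStore.getInstance(File, char[]) detects the store type (JKS or PKCS12).
        KeyStore ks = KeyStore.getInstance(new File(args[0]), pass);
        Arrays.fill(pass, '\0');
        Certificate cert;
        try (InputStream in = new FileInputStream(args[2])) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(args[1] + " <- " + args[2] + ": " + classify(ks, args[1], cert));
    }
}
```

Run against the question's step 4 (`npci_keystore_test.jks`, alias `npci_client_testore`, `ABCD.cer`), this should report the mismatch case the answer describes, because that alias holds the key pair generated in step 1.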
