I am writing a Java 8 application and want to set up a simple keystore and truststore with a self-signed certificate.
The usual way is:
- Create the key pair + certificate with openssl.
- Create the .jks keystore + .jks truststore with keytool.
Now I want to use only openssl and create a .p12 keystore instead of a .jks keystore.
Creating the .p12 keystore with the following commands works fine:
# Create private key and certificate
openssl req -x509 -newkey rsa:"${rsa}" -sha256 \
-keyout "${key}" \
-out "${cert}" \
-days "${days}"
# Create .p12 keystore
openssl pkcs12 -export -in "${cert}" -inkey "${key}" -out "${keystore}"
This keystore seems to work fine, because providing the corresponding .jks truststore to my Java application makes the TLS connection work. But I cannot get the .p12 truststore to work.
I tried creating the truststore as suggested here:
# Create .p12 truststore
openssl pkcs12 -export -nokeys -in "${cert}" -out "${truststore}"
and then loading it like this:
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
KeyStore trustStore = KeyStore.getInstance("PKCS12");
// Load the .p12 truststore; try-with-resources closes the stream afterwards
try (FileInputStream fis = new FileInputStream(new File(truststorePath))) {
    trustStore.load(fis, truststorePassword.toCharArray());
}
But I get the following exception in my Java code:
Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
Any idea what I am doing wrong?
(A working snippet using a .p12 truststore with Java 8 would be much appreciated.)
Best answer
A possible explanation for this behaviour:
The standard PKCS#12 provider up to Java 7 did not allow trusted certificate entries at all. The JSSE Reference Guide says this:
Storing trusted certificates in a PKCS12 keystore is not supported. PKCS12 is mainly used to deliver private keys with the associated certificate chains. It does not have any notion of "trusted" certificates. In terms of interoperability, other PKCS12 vendors have the same restriction. Browsers such as Mozilla and Internet Explorer do not accept a PKCS12 file with only trusted certificates.
This has changed a bit in Java 8, which supports trusted certificates in PKCS#12 - if they are marked with a special attribute (OID 2.16.840.1.113894.746875.1.1):
openssl pkcs12 -in microsoft.p12 -info
MAC Iteration 1024
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
Certificate bag
Bag Attributes
    friendlyName: microsoft it ssl sha2 (baltimore cybertrust root)
    2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
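The following Java 8 program is an added example; it is not code from the question or the answer. Its `inspect` mode loads a .p12 file exactly as the question does and counts the entries the JDK's PKCS12 provider reports as trusted certificate entries: a certificate bag without the attribute the answer names (OID 2.16.840.1.113894.746875.1.1) is not counted, and a store with zero such entries hands JSSE an empty set of trust anchors, which is what produces the "trustAnchors parameter must be non-empty" error. Its `build` mode swaps in a different technique from the openssl command in the question: it writes the truststore with the JDK's own PKCS12 provider, whose `setCertificateEntry` marks each entry with that trust attribute. File paths, the password argument and the `ca-N` aliases are assumptions of this example.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Enumeration;

/**
 * Added example (not code from the question or the answer).
 * Assumptions: paths and the password come from the command line; the PEM
 * file holds one or more X.509 certificates; the JDK is Java 8 or later,
 * whose PKCS12 provider supports trusted certificate entries.
 */
public class P12TrustStoreDemo {

    /** Load a PKCS12 file the same way the question does. */
    static KeyStore loadP12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Count the entries the PKCS12 provider treats as trusted certificates.
     * Certificate bags lacking the trust attribute (OID 2.16.840.1.113894.746875.1.1)
     * are loaded but not reported as certificate entries, so a truststore exported
     * with plain "openssl pkcs12 -export -nokeys" typically yields 0 here, and a
     * TrustManager built from it has no trust anchors.
     */
    static int countTrustedCertEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            if (ks.isCertificateEntry(aliases.nextElement())) {
                n++;
            }
        }
        return n;
    }

    /**
     * Build a PKCS12 truststore with the JDK provider instead of openssl.
     * setCertificateEntry on a PKCS12 KeyStore writes the trust attribute,
     * so the entries count as trust anchors when the file is loaded again.
     */
    static void buildP12TrustStore(String pemPath, String outPath, char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // initialise an empty in-memory keystore
        int i = 0;
        try (InputStream in = Files.newInputStream(Paths.get(pemPath))) {
            for (Certificate cert : cf.generateCertificates(in)) {
                ks.setCertificateEntry("ca-" + i++, cert); // alias is an assumption
            }
        }
        try (OutputStream out = Files.newOutputStream(Paths.get(outPath))) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 4 && args[0].equals("build")) {
            // java P12TrustStoreDemo build cert.pem truststore.p12 <password>
            buildP12TrustStore(args[1], args[2], args[3].toCharArray());
            System.out.println("wrote " + args[2]);
        } else if (args.length == 3 && args[0].equals("inspect")) {
            // java P12TrustStoreDemo inspect truststore.p12 <password>
            KeyStore ks = loadP12(args[1], args[2].toCharArray());
            int trusted = countTrustedCertEntries(ks);
            System.out.println(args[1] + ": " + ks.size() + " entries, "
                    + trusted + " usable as trust anchors");
            if (trusted == 0) {
                System.out.println("no trusted certificate entries: TLS would fail with "
                        + "'the trustAnchors parameter must be non-empty'");
            }
        } else {
            System.err.println("usage: build <cert.pem> <out.p12> <password> | inspect <store.p12> <password>");
        }
    }
}
```

Running `inspect` against the truststore produced by the question's `openssl pkcs12 -export -nokeys` command shows the mismatch directly: the file loads without error, so the loading code is not at fault, but the certificate is present only as an untrusted bag. Running `build` on the same `${cert}` file and inspecting the result shows the same certificate counted as a trust anchor.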
Source:
On "java - creating a .p12 truststore with openssl", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/28042288/