nat*_*ath 6 java ssl certificate keytool
我在Web应用程序中使用的密钥库文件已于上周过期.我很久以前就生成了它.所以我开始使用keytool生成新证书.我使用此证书连接事务服务器和Web服务器.我想为此应用程序使用自签名证书.我使用以下命令生成它以生成事务服务器的自签名密钥.
keytool -genkey -keystore keys/SvrKeyStore -keyalg rsa -validity 365 -alias Svr -storepass 123456 -keypass abcdefg -dname "CN=One1, OU=Development1, O=One, L=Bamba, S=Western Prov1, C=S1"
以下commnad为Web应用程序生成密钥库
keytool -genkey -keystore keys/ClientKeyStore -keyalg rsa -validity 365 -alias Web -storepass 123456 -keypass abcdefg -dname "CN=One, OU=Development, O=One, L=Bamba, S=Western Prov, C=SL"
我在事务服务器中使用以下代码来创建套接字连接
String KEYSTORE = Config.KEYSTORE_FILE;//SvrKeyStore keystore file
char[] KEYSTOREPW = "123456".toCharArray();
char[] KEYPW = "abcdefg".toCharArray();
com.sun.net.ssl.TrustManagerFactory tmf;
boolean requireClientAuthentication;
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.
Provider());
java.security.KeyStore keystore = java.security.KeyStore.getInstance(
"JKS");
keystore.load(new FileInputStream(KEYSTORE), KEYSTOREPW);
com.sun.net.ssl.KeyManagerFactory kmf = com.sun.net.ssl.
KeyManagerFactory.getInstance("SunX509");
kmf.init(keystore, KEYPW);
com.sun.net.ssl.SSLContext sslc = com.sun.net.ssl.SSLContext.
getInstance("SSLv3");
tmf = com.sun.net.ssl.TrustManagerFactory.getInstance("sunx509");
tmf.init(keystore);
sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
SSLServerSocketFactory ssf = sslc.getServerSocketFactory();
SSLServerSocket ssocket = (SSLServerSocket) ssf.createServerSocket(port);
ssocket.setNeedClientAuth(true);
但是当我在我的应用程序中使用它并尝试通过Web服务器连接到事务服务器时,它会给出以下异常
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHands
hakeException: java.security.cert.CertificateException: Untrusted Server Certifi
cate Chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.jav
a:1172)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:
65)
at net.schubart.fixme.internal.MessageInput.readExactly(MessageInput.jav
a:166)
at net.schubart.fixme.internal.MessageInput.readMessage(MessageInput.jav
a:78)
at cc.aot.itsWeb.ClientWriterThread.run(ClientWriterThread.java:241)
at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateEx
ception: Untrusted Server Certificate Chain
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1
520)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Clien
tHandshaker.java:975)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHa
ndshaker.java:123)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:5
11)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.jav
a:449)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.j
ava:817)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SS
LSocketImpl.java:1029)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.
java:621)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.ja
va:59)
at java.io.OutputStream.write(OutputStream.java:58)
任何人都可以告诉我问题出在哪里
Bru*_*uno 11
首先,避免com.sun.net.ssl直接使用包和类.构建JSSE的体系结构,以便您可以使用工厂并在以后指定提供程序.使用javax.net.ssl.TrustManagerFactory(相同KeyManagerFactory和SSLContext)相反.(我建议使用"PKIX"而不是"SunX509"信任管理器算法,因为它通常是Sun提供商的默认设置,或者更好,使用TrustManagerFactory.getDefaultAlgorithm()).
其次,除非您使用客户端证书身份验证,否则无需在客户端设置密钥管理器.
最后(也许是最重要的),您需要导出您在服务器端生成的自签名证书(仅限证书,而不是私钥),并将其导入您用作信任存储的密钥库中.客户端.
生成证书时,应确保使用CN=the.server.host.name.
keytool -genkey -keystore server-keystore.jks -alias server_alias \
-dname "CN=the.server.host.name,OU=whateveryoulike" \
-keyalg "RSA" -sigalg "SHA1withRSA" -keysize 2048 -validity 365
keytool -export -keystore server-keystore.jks -alias server_alias -file server.crt
keytool -import -keystore client-truststore.jks -file server.crt
如果要使用客户端证书身份验证,则需要分别使用client-keystore和server-truststore替换server-keystore和client-truststore来重复此操作.
在这种情况下,server-keystore.jks并且server-truststore.jks可以在同一个文件,但你并不需要(相同的客户端).