Certificate chain is not sent to the server

Pet*_*der 5 java ssl google-chrome pki jks

I use this method to register the client certificate with the server's certificates.

/**
 * Links the user's certificate into the server's keystore/truststore.
 * 
 * @param server
 *            The server party.
 * @return <code>true</code> if the certificate has been bound,
 *         <code>false</code> if the certificate already was bound to the
 *         truststore.
 * @throws KeyStoreException
 */
public boolean linkToServerCertificate(Party server) throws KeyStoreException {
    if (keyAlias.equals(server.keyAlias)) {
        throw new IllegalArgumentException("The alias of client and server must be different!");
    }
    keystore.setCertificateEntry(server.keyAlias, server.getAliasCert());
    Certificate certificate = keystore.getCertificate(keyAlias);
    server.keystore.setCertificateEntry(keyAlias, certificate);
    return true;
}

After restarting the AS, I get the following message:


With the environment variable JAVA_OPTS="-Djavax.net.debug=ssl" I get this output:

*** ServerHelloDone
https-jsse-nio-8443-exec-7, WRITE: TLSv1.2 Handshake, length = 1522
https-jsse-nio-8443-exec-8, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
https-jsse-nio-8443-exec-8, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated:  [Session-4, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
https-jsse-nio-8443-exec-8, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate

So the certificate chain of the certificate is empty.

But when I inspect the certificate on the client, it shows that there is a certificate chain.


I am confused: why is the certificate chain not sent to the server?

Pet*_*der 0

I made a mistake: my certificate chain was in the wrong order.

keystore.setKeyEntry(alias, pair.getPrivate(), pass.toCharArray(), 
         chainSet.toArray(new Certificate[0]));

chainSet must be ordered so that the closest certificate is the first one.

The real mistake was using the built-in pki implementation.
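Added example (not the asker's code): a helper that puts an unordered collection of X509Certificate objects, such as the chainSet above, into the leaf-first order that KeyStore.setKeyEntry expects, and verifies each link's signature on the way so a mis-assembled chain fails locally instead of as "null cert chain" in the TLS handshake. The class name ChainOrder and the assumption that the chain is held as X509Certificate instances are mine.

```java
import java.security.cert.X509Certificate;
import java.util.*;

/** Orders certificates leaf-first (end-entity, then its issuer, ..., root) for KeyStore.setKeyEntry. */
public final class ChainOrder {

    /** Returns the chain with the end-entity certificate at index 0, or throws if the set is not one chain. */
    public static X509Certificate[] leafFirst(Collection<X509Certificate> unordered) throws Exception {
        if (unordered.size() == 1) {
            return unordered.toArray(new X509Certificate[0]);   // a single (self-signed) certificate
        }
        Map<String, X509Certificate> bySubject = new HashMap<>();
        Set<String> issuerNames = new HashSet<>();
        for (X509Certificate c : unordered) {
            bySubject.put(c.getSubjectX500Principal().getName(), c);
            issuerNames.add(c.getIssuerX500Principal().getName());
        }
        // The leaf is the only certificate whose subject does not issue any other certificate in the set.
        X509Certificate leaf = null;
        for (X509Certificate c : unordered) {
            if (!issuerNames.contains(c.getSubjectX500Principal().getName())) {
                leaf = c;
                break;
            }
        }
        if (leaf == null) {
            throw new IllegalArgumentException("no end-entity certificate found (cycle or all self-signed)");
        }
        // Walk leaf -> issuer -> ... -> root, verifying each signature with the issuer's public key.
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate current = leaf;
        while (true) {
            chain.add(current);
            X509Certificate issuer = bySubject.get(current.getIssuerX500Principal().getName());
            if (issuer == null || issuer.equals(current)) {
                break;                                  // reached the self-signed root or the top of the set
            }
            current.verify(issuer.getPublicKey());      // throws if this certificate was not signed by that issuer
            current = issuer;
        }
        if (chain.size() != unordered.size()) {
            throw new IllegalArgumentException("certificates do not form a single chain");
        }
        return chain.toArray(new X509Certificate[0]);
    }
}
```

With this helper the key entry is stored as `keystore.setKeyEntry(alias, pair.getPrivate(), pass.toCharArray(), ChainOrder.leafFirst(chainSet));`, which is the order the server expects to receive the chain in.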