在开发Java web服务客户端期间,我遇到了一个问题。web服务的身份验证使用客户端证书、用户名和密码。我从webservice背后的公司收到的客户端证书是.cer格式的。当我使用文本编辑器检查文件时,它有以下内容:
-----BEGIN CERTIFICATE-----
[Some base64 encoded data]
-----END CERTIFICATE-----
我可以在Internet Explorer中导入该文件作为证书(无需输入密码!),并使用它进行webservice的身份验证。
I was able to import this certificate into a keystore by first stripping the first and last line, converting to unix newlines and running a base64-decode. The resulting file can be imported into a keystore (using the keytool command). When I list the entries in the keystore, this entry is of the type trustedCertEntry. Because of this entry type (?) I cannot use this certificate to authenticate with the webservice. I'm beginning to think that the provided certificate is a public certificate which is being used for authentication...
我发现的一个解决办法是在IE中导入证书,并将其导出为.pfx文件。该文件可以作为密钥存储库加载,并可用于使用webservice进行身份验证。但是,我不能期望我的客户每次收到新证书时都执行这些步骤。因此,我想将.cer文件直接加载到Java中。任何想法吗?
附加信息:webservice背后的公司告诉我,应该向稍后将导入证书的PC和用户请求证书(使用IE和网站)。
您已经拥有的证书可能是服务器证书,或者用于签署服务器证书的证书。您将需要它,这样您的web服务客户机才能对服务器进行身份验证。
But if additionally you need to perform client authentication with SSL, then you need to get your own certificate, to authenticate your web service client. For this you need to create a certificate request; the process involves creating your own private key, and the corresponding public key, and attaching that public key along with some of your info (email, name, domain name, etc) to a file that's called the certificate request. Then you send that certificate request to the company that's already asked you for it, and they will create your certificate, by signing your public key with their private key, and they'll send you back an X509 file with your certificate, which you can now add to your keystore, and you'll be ready to connect to a web service using SSL requiring client authentication.
要生成证书请求,使用"keytool -certreq -alias -file -keypass -keystore "。将生成的文件发送给将要签署该文件的公司。
当你取回你的证书时,运行"keytool -importcert -alias -keypass -keystore "。
如果密钥存储库受到保护(这是个好主意),那么在这两种情况下都可能需要使用-storepass。
将从浏览器下载的.cer证书文件(打开url并挖掘详细信息)导入到java_home\jre\lib\security中的cacerts密钥存储库中,而不是尝试生成和使用我自己的密钥存储库。
转到java_home\jre\lib\security
(Windows)使用cmd和CTRL+SHIFT+ENTER打开管理命令行
2 .执行keytool命令导入证书。
(替换你的aliasname和路径\到\证书。cer)
..\..\bin\keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias yourAliasName -file path\to\certificate.cer
这样您就不必指定任何额外的JVM选项,并且证书应该可以被JRE识别。
您已经拥有的证书可能是服务器证书,或者用于签署服务器证书的证书。您将需要它,这样您的web服务客户机才能对服务器进行身份验证。
But if additionally you need to perform client authentication with SSL, then you need to get your own certificate, to authenticate your web service client. For this you need to create a certificate request; the process involves creating your own private key, and the corresponding public key, and attaching that public key along with some of your info (email, name, domain name, etc) to a file that's called the certificate request. Then you send that certificate request to the company that's already asked you for it, and they will create your certificate, by signing your public key with their private key, and they'll send you back an X509 file with your certificate, which you can now add to your keystore, and you'll be ready to connect to a web service using SSL requiring client authentication.
要生成证书请求,使用"keytool -certreq -alias -file -keypass -keystore "。将生成的文件发送给将要签署该文件的公司。
当你取回你的证书时,运行"keytool -importcert -alias -keypass -keystore "。
如果密钥存储库受到保护(这是个好主意),那么在这两种情况下都可能需要使用-storepass。
虽然已经提供了很多很好的答案,但我想给出一个以编程方式加载ssl材料的替代方案。您可以尝试下面的代码片段:
Path certificatePath = Paths.get("/path/to/certificate.cer");
List<Certificate> certificates = CertificateUtils.loadCertificate(certificatePath);
SSLFactory sslFactory = SSLFactory.builder()
.withTrustMaterial(certificates)
.build();
SSLContext sslContext = sslFactory.getSslContext();
它可以处理pem, der(二进制)和p7b格式的文件。这个示例代码片段来自库:GitHub - SSLContext Kickstart你可以添加下面的代码片段:
<dependency>
<groupId>io.github.hakky54</groupId>
<artifactId>sslcontext-kickstart</artifactId>
<version>7.0.2</version>
</dependency>