将证书导入 Java 密钥库,JVM 忽略新证书
我正在尝试让一个在 Tomcat 6 上运行的应用程序通过 SSL 连接到 LDAP 服务器.
I'm trying to get an application running on top of Tomcat 6 to connect to an LDAP server over SSL.
我使用以下方法将服务器证书导入密钥库:
I imported certificate of the server to keystore using:
C:Program FilesJavajdk1.6.0_32jrelibsecurity>keytool -importcert -trustcacerts -file mycert -alias ca_alias -keystore "c:Program FilesJavajdk1.6.0_32jrelibsecuritycacerts"
当我在 SSL 调试打开的情况下启动 Tomcat 时,根据日志 Tomcat 正在使用正确的证书文件:
When I start Tomcat with SSL debugging turned on, according to logs Tomcat is using the correct certificate file:
trustStore is: C:Program FilesJavajdk1.6.0_32jrelibsecuritycacerts
但是,Tomcat 并没有添加我刚刚导入的证书 - cacerts 文件中的所有其他证书都打印到日志中 - 并且连接失败:
However, Tomcat does not add the cert I just imported - all other certs in the cacerts file are printed to the log - and connection fails:
handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
重新启动 Tomcat 没有帮助.我已使用 keytool -list 命令验证文件中确实存在新证书.
Restarting Tomcat does not help. I have verified with keytool -list command that the new cert indeed exists on the file.
为什么 Tomcat 一直忽略我的新证书?
Why Tomcat keeps on ignoring my new cert?
问题似乎是由 Windows 7 VirtualStore 引起的.Keytool 创建了 cacert 文件的新副本,Tomcat 使用了原始文件.
Seems that the issue was caused by Windows 7 VirtualStore. Keytool created a new copy of the cacert file, and Tomcat used the original file.
推荐答案
将证书导入密钥库后需要重启JVM.
JVM needs restart after importing certs to the keystore.
相关文章