Correct way to import root and intermediate certificates into Java cacerts

My company has its own ROOT certificate. Using this certificate they signed an intermediate certificate.

Then we issued a CSR for the server certificate and signed it with the intermediate certificate.

What is the correct way to import the ROOT certificate and the intermediate into the Java cacerts file, in order to be able to establish an SSL connection with a server whose server certificate is signed by the intermediate?

I used OpenSSL to test the certificate chain on the server:

openssl s_client -showcerts -connect host:443

CONNECTED(00000003)
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
   i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
issuer=/CN=INTERMEDIATECERT
---
No client certificate CA names sent
---
SSL handshake has read 1601 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA

Accepted answer

You only need to import the root certificate into the truststore.

keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit -alias aliasName -file path/to/certificate.cer

The SSL server, during the handshake, should provide the certificate and the intermediates. The TrustManager of your client will validate the certification chain until the root is found.

Note: It is recommended to use your own truststore instead of modifying cacerts.
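The following script is an added example, not code from the question or the answer. It builds a throwaway root -> intermediate -> server chain with OpenSSL (all subject names, file names and the alias are constructed for the demo) and then checks the two claims above: a trust store that holds only the root validates the server certificate when the intermediate is supplied next to it, and the same trust store fails with the question's error 20 ("unable to get local issuer certificate") when the server presents only its own certificate. It assumes `openssl` is on the PATH; the keytool import into a separate demo truststore only runs if `keytool` is available, and follows the answer's advice of not touching the JDK's own cacerts.

```shell
#!/bin/sh
# Added example: demonstrate that a root-only trust store is enough as long as
# the intermediate is presented alongside the server certificate.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: a [req] section so "openssl req" works without the
# system openssl.cnf, plus extension sections for CA and server certificates.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:myServer
EOF

# One RSA key and one CSR per certificate (names are constructed for the demo).
for name in root int server; do
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$name.key" >/dev/null 2>&1
done
openssl req -new -config ext.cnf -key root.key   -subj "/CN=DemoRoot"         -out root.csr
openssl req -new -config ext.cnf -key int.key    -subj "/CN=INTERMEDIATECERT" -out int.csr
openssl req -new -config ext.cnf -key server.key -subj "/CN=myServer"         -out server.csr

# Self-signed root, root-signed intermediate, intermediate-signed server cert.
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile ext.cnf -extensions ca_ext -out root.pem >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ext.cnf -extensions ca_ext -out int.pem >/dev/null 2>&1
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -sha256 -extfile ext.cnf -extensions server_ext -out server.pem >/dev/null 2>&1

# Trust store = root only; the intermediate is passed as an UNTRUSTED chain
# member, which is exactly what a TLS server does when it sends it in the
# handshake. Returns 0 on success.
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted int.pem server.pem >/dev/null 2>&1
}

# Same trust store, but the intermediate is missing: the chain cannot be
# built and verification must fail. Returns 0 when it fails as expected.
verify_without_chain_fails() {
  ! openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
}

# Extract the verification error text for the missing-intermediate case.
verify_error_without_chain() {
  openssl verify -CAfile root.pem server.pem 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1
}

# Optional: import only the root into a dedicated demo truststore (not the
# JDK's cacerts), mirroring the keytool command from the answer.
import_root_into_demo_truststore() {
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -importcert -noprompt -trustcacerts -storetype PKCS12 \
    -keystore demo-truststore.p12 -storepass changeit \
    -alias demoroot -file root.pem >/dev/null 2>&1
  keytool -list -keystore demo-truststore.p12 -storepass changeit
}

if verify_with_chain; then
  echo "root-only trust store + intermediate from the server: chain OK"
fi
if verify_without_chain_fails; then
  echo "root-only trust store, no intermediate: $(verify_error_without_chain)"
fi
import_root_into_demo_truststore
```

The `-untrusted int.pem` argument plays the role of the intermediate the server sends during the handshake; the s_client output in the question shows a chain with only the depth 0 server certificate, which is why the verifier stops with error 20 before it can reach the root.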
