我知道,关于这个问题有很多不同的问题和很多答案......但是我无法理解......
我有:ubuntu-9.10-desktop-amd64 + NetBeans6.7.1“按原样”安装。代表。 我需要通过HTTPS连接到某个站点。为此,我使用了Apache的HttpClient。
从教程我读到:
“正确安装JSSE后,通过SSL进行的安全HTTP通信应该如同 简单的HTTP通信。“还有一些例子:
HttpClient httpclient = new HttpClient();
GetMethod httpget = new GetMethod("https://www.verisign.com/");
try {
httpclient.executeMethod(httpget);
System.out.println(httpget.getStatusLine());
} finally {
httpget.releaseConnection();
}
到现在为止,我写了这个:
HttpClient client = new HttpClient();
HttpMethod get = new GetMethod("https://mms.nw.ru");
//get.setDoAuthentication(true);
try {
int status = client.executeMethod(get);
System.out.println(status);
BufferedInputStream is = new BufferedInputStream(get.getResponseBodyAsStream());
int r=0;byte[] buf = new byte[10];
while((r = is.read(buf)) > 0) {
System.out.write(buf,0,r);
}
} catch(Exception ex) {
ex.printStackTrace();
}
结果我有一组错误:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1627)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:204)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:198)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:994)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:142)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:533)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:471)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:904)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1132)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:643)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:78)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at simpleapachehttp.Main.main(Main.java:41)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:302)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:205)
at sun.security.validator.Validator.validate(Validator.java:235)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:973)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:191)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:297)
... 23 more
我该怎么做才能创建最简单的SSL连接? (可能没有KeyManager和信任经理等。)
答案 0 :(得分:152)
https://mms.nw.ru使用自签名证书,该证书显然未包含在默认的信任管理器集中。
您需要执行以下操作之一:
使用接受任何证书的TrustManager配置SSLContext(见下文)
使用包含证书
将该站点的证书添加到默认的Java信任库。
这是一个示例程序,它创建一个(几乎没有价值的)SSL上下文,它接受任何证书:
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
public class SSLTest {
public static void main(String [] args) throws Exception {
// configure the SSLContext with a TrustManager
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(new KeyManager[0], new TrustManager[] {new DefaultTrustManager()}, new SecureRandom());
SSLContext.setDefault(ctx);
URL url = new URL("https://mms.nw.ru");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String arg0, SSLSession arg1) {
return true;
}
});
System.out.println(conn.getResponseCode());
conn.disconnect();
}
private static class DefaultTrustManager implements X509TrustManager {
@Override
public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
@Override
public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}
}
答案 1 :(得分:44)
https://mms.nw.ru可能使用非证书颁发机构颁发的证书。因此,您需要按照unable to find valid certification path to requested target:
中的说明将证书添加到受信任的Java密钥存储区在有效的客户端上工作时 启用了SSL的服务器 https协议,你可能会收到错误 '无法找到有效的认证 请求目标的路径'如果 服务器证书不是由。颁发的 认证机构,但一个自我 由私人CMS签署或签发。
不要惊慌。你需要做的就是 将服务器证书添加到您的 如果您的客户端是受信任的Java密钥库 是用Java编写的。你可能是 想知道你怎么不能访问 服务器所在的机器 安装。有一个简单的程序 可以帮助你。请下载Java program并运行
% java InstallCert _web_site_hostname_这个程序打开了一个连接 指定的主机并启动了SSL 握手。它打印了例外 堆栈发生的错误的痕迹 并显示您使用的证书 服务器。现在它会提示你添加 证书到您信任的KeyStore。
如果你改变主意,请输入 'Q'。如果你真的想添加 证书,输入'1'或其他 要添加其他证书的数字, 即使是CA证书,但通常也是如此 不想那样做。一旦你有了 做出了你的选择,该计划将 显示完整的证书和 然后将其添加到名为的Java KeyStore 'jssecacerts'在当前 。目录
要在您的程序中使用它 配置JSSE将其用作信任 存储或复制到您的 $ JAVA_HOME / jre / lib / security目录。 如果您想要所有Java应用程序 将证书识别为可信任 而且不仅仅是JSSE,你也可以 在那里覆盖cacerts文件 。目录
毕竟,JSSE将能够 完成与主持人的握手, 您可以通过运行来验证 程序再次。
要了解更多详情,您可以查看 Leeland的博客No more 'unable to find valid certification path to requested target'
答案 2 :(得分:23)
除了Pascal Thivent的正确答案外,另一种方法是从Firefox(查看证书 - >详细信息 - >导出)或openssl s_client保存证书并将其导入信任库。
如果您有办法验证该证书,则只应执行此操作。如果失败了,请在第一次连接时执行,如果证书在后续连接中意外更改,它至少会给您一个错误。
要在信任库中导入它,请使用:
keytool -importcert -keystore truststore.jks -file servercert.pem
默认情况下,默认信任库应为lib/security/cacerts,密码应为changeit,有关详细信息,请参阅JSSE Reference guide。
如果您不想全局允许该证书,但仅限于这些连接,则可以为其创建SSLContext:
TrustManagerFactory tmf = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore ks = KeyStore.getInstance("JKS");
FileInputStream fis = new FileInputStream("/.../truststore.jks");
ks.load(fis, null);
// or ks.load(fis, "thepassword".toCharArray());
fis.close();
tmf.init(ks);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
然后,您需要通过实现一个SecureProtocolSocketFactory来使用此SSLContext来为Apache HTTP Client 3.x设置它。 (有例子here)。
Apache HTTP Client 4.x(除了最早的版本)直接支持传递SSLContext。
答案 3 :(得分:11)
Apache HttpClient 4.5方式:
org.apache.http.ssl.SSLContextBuilder sslContextBuilder = SSLContextBuilder.create();
sslContextBuilder.loadTrustMaterial(new org.apache.http.conn.ssl.TrustSelfSignedStrategy());
SSLContext sslContext = sslContextBuilder.build();
org.apache.http.conn.ssl.SSLConnectionSocketFactory sslSocketFactory =
new SSLConnectionSocketFactory(sslContext, new org.apache.http.conn.ssl.DefaultHostnameVerifier());
HttpClientBuilder httpClientBuilder = HttpClients.custom().setSSLSocketFactory(sslSocketFactory);
httpClient = httpClientBuilder.build();
注意:org.apache.http.conn.ssl.SSLContextBuilder 已弃用,org.apache.http.ssl.SSLContextBuilder是新的(通知conn,后者的软件包名称缺失)。
答案 4 :(得分:10)
来自 http://hc.apache.org/httpclient-3.x/sslguide.html:
Protocol.registerProtocol("https",
new Protocol("https", new MySSLSocketFactory(), 443));
HttpClient httpclient = new HttpClient();
GetMethod httpget = new GetMethod("https://www.whatever.com/");
try {
httpclient.executeMethod(httpget);
System.out.println(httpget.getStatusLine());
} finally {
httpget.releaseConnection();
}
可以找到MySSLSocketFactory示例here。它引用了TrustManager,您可以修改它以信任所有内容(尽管您必须考虑这一点!)
答案 5 :(得分:6)
对于Apache HttpClient 4.5+& Java8:
SSLContext sslContext = SSLContexts.custom()
.loadTrustMaterial((chain, authType) -> true).build();
SSLConnectionSocketFactory sslConnectionSocketFactory =
new SSLConnectionSocketFactory(sslContext, new String[]
{"SSLv2Hello", "SSLv3", "TLSv1","TLSv1.1", "TLSv1.2" }, null,
NoopHostnameVerifier.INSTANCE);
CloseableHttpClient client = HttpClients.custom()
.setSSLSocketFactory(sslConnectionSocketFactory)
.build();
但是如果您的HttpClient使用ConnectionManager寻求连接,例如像这样:
PoolingHttpClientConnectionManager connectionManager = new
PoolingHttpClientConnectionManager();
CloseableHttpClient client = HttpClients.custom()
.setConnectionManager(connectionManager)
.build();
HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory)无效,问题无法解决。
因为HttpClient使用指定的connectionManager来寻求连接,并且指定的connectionManager没有注册我们的自定义SSLConnectionSocketFactory。要解决此问题,应在connectionManager中注册自定义的SSLConnectionSocketFactory。正确的代码应该是这样的:
PoolingHttpClientConnectionManager connectionManager = new
PoolingHttpClientConnectionManager(RegistryBuilder.
<ConnectionSocketFactory>create()
.register("http",PlainConnectionSocketFactory.getSocketFactory())
.register("https", sslConnectionSocketFactory).build());
CloseableHttpClient client = HttpClients.custom()
.setConnectionManager(connectionManager)
.build();
答案 6 :(得分:4)
获得Java Cert Store后(通过使用上面创建的 great InstallCert类),您可以通过在java上传递“javax.net.ssl.trustStore”参数来让java使用它启动。
例如:
java -Djavax.net.ssl.trustStore=/path/to/jssecacerts MyClassName
答案 7 :(得分:3)
自签名测试证书可能遇到的另一个问题是:
java.io.IOException:HTTPS主机名错误:应该是......
当您尝试访问HTTPS网址时,会发生此错误。您可能已经将服务器证书安装到JRE的密钥库中。但是,此错误意味着服务器证书的名称与URL中提到的服务器的实际域名不匹配。当您使用非CA颁发的证书时,通常会发生这种情况。
此示例显示如何编写忽略证书服务器名称的HttpsURLConnection DefaultHostnameVerifier:
答案 8 :(得分:2)
有关在运行时轻松添加您信任的主机而不会丢弃所有检查的方法,请尝试以下代码:http://code.google.com/p/self-signed-cert-trust-manager/。
答案 9 :(得分:1)
EasySSLProtocolSocketFactory给了我一些问题所以我最终实现了自己的ProtocolSocketFactory。
首先你需要注册它:
Protocol.registerProtocol("https", new Protocol("https", new TrustAllSSLSocketFactory(), 443));
HttpClient client = new HttpClient();
...
然后实现ProtocolSocketFactory:
class TrustAllSSLSocketFactory implements ProtocolSocketFactory {
public static final TrustManager[] TRUST_ALL_CERTS = new TrustManager[]{
new X509TrustManager() {
public void checkClientTrusted(final X509Certificate[] certs, final String authType) {
}
public void checkServerTrusted(final X509Certificate[] certs, final String authType) {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}
};
private TrustManager[] getTrustManager() {
return TRUST_ALL_CERTS;
}
public Socket createSocket(final String host, final int port, final InetAddress clientHost,
final int clientPort) throws IOException {
return getSocketFactory().createSocket(host, port, clientHost, clientPort);
}
@Override
public Socket createSocket(final String host, final int port, final InetAddress localAddress,
final int localPort, final HttpConnectionParams params) throws IOException {
return createSocket(host, port);
}
public Socket createSocket(final String host, final int port) throws IOException {
return getSocketFactory().createSocket(host, port);
}
private SocketFactory getSocketFactory() throws UnknownHostException {
TrustManager[] trustAllCerts = getTrustManager();
try {
SSLContext context = SSLContext.getInstance("SSL");
context.init(null, trustAllCerts, new SecureRandom());
final SSLSocketFactory socketFactory = context.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
return socketFactory;
} catch (NoSuchAlgorithmException | KeyManagementException exception) {
throw new UnknownHostException(exception.getMessage());
}
}
}
注意:这是使用HttpClient 3.1和Java 8
答案 10 :(得分:1)
想在这里粘贴答案:
在Apache HttpClient 4.5.5中
How to handle invalid SSL certificate with Apache client 4.5.5?
@Entity
public class Address {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private Integer id;
private Integer apt_id;
private String streetNum;
private String street;
private String city;
private String state;
private String zipCode;
//getters and setters
答案 11 :(得分:0)
使用InstallCert生成jssecacerts文件并执行此操作
-Djavax.net.ssl.trustStore=/path/to/jssecacerts效果很好。
答案 12 :(得分:0)
这link解释了您一步一步的要求。如果您不关心哪个证书可以继续下面的链接进程。
注意您可能需要仔细检查自己在做什么,因为这是一种不安全的操作。
答案 13 :(得分:0)
我正在使用httpclient 3.1.X,这对我有用
try {
SSLContext sslContext = SSLContext.getInstance("TLS");
TrustManager trustManager = new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
sslContext.init(null, new TrustManager[]{trustManager}, null);
SslContextSecureProtocolSocketFactory socketFactory = new SslContextSecureProtocolSocketFactory(sslContext,false);
Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) socketFactory, 443));//同样会影响到HttpUtils
} catch (Throwable e) {
e.printStackTrace();
public class SslContextSecureProtocolSocketFactory implements SecureProtocolSocketFactory {
private SSLContext sslContext;
private boolean verifyHostname;
public SslContextSecureProtocolSocketFactory(SSLContext sslContext, boolean verifyHostname) {
this.verifyHostname = true;
this.sslContext = sslContext;
this.verifyHostname = verifyHostname;
}
public SslContextSecureProtocolSocketFactory(SSLContext sslContext) {
this(sslContext, true);
}
public SslContextSecureProtocolSocketFactory(boolean verifyHostname) {
this((SSLContext)null, verifyHostname);
}
public SslContextSecureProtocolSocketFactory() {
this((SSLContext)null, true);
}
public synchronized void setHostnameVerification(boolean verifyHostname) {
this.verifyHostname = verifyHostname;
}
public synchronized boolean getHostnameVerification() {
return this.verifyHostname;
}
public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException {
SSLSocketFactory sf = this.getSslSocketFactory();
SSLSocket sslSocket = (SSLSocket)sf.createSocket(host, port, clientHost, clientPort);
this.verifyHostname(sslSocket);
return sslSocket;
}
public Socket createSocket(String host, int port, InetAddress localAddress, int localPort, HttpConnectionParams params) throws IOException, UnknownHostException, ConnectTimeoutException {
if(params == null) {
throw new IllegalArgumentException("Parameters may not be null");
} else {
int timeout = params.getConnectionTimeout();
Socket socket = null;
SSLSocketFactory socketfactory = this.getSslSocketFactory();
if(timeout == 0) {
socket = socketfactory.createSocket(host, port, localAddress, localPort);
} else {
socket = socketfactory.createSocket();
InetSocketAddress localaddr = new InetSocketAddress(localAddress, localPort);
InetSocketAddress remoteaddr = new InetSocketAddress(host, port);
socket.bind(localaddr);
socket.connect(remoteaddr, timeout);
}
this.verifyHostname((SSLSocket)socket);
return socket;
}
}
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
SSLSocketFactory sf = this.getSslSocketFactory();
SSLSocket sslSocket = (SSLSocket)sf.createSocket(host, port);
this.verifyHostname(sslSocket);
return sslSocket;
}
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
SSLSocketFactory sf = this.getSslSocketFactory();
SSLSocket sslSocket = (SSLSocket)sf.createSocket(socket, host, port, autoClose);
this.verifyHostname(sslSocket);
return sslSocket;
}
private void verifyHostname(SSLSocket socket) throws SSLPeerUnverifiedException, UnknownHostException {
synchronized(this) {
if(!this.verifyHostname) {
return;
}
}
SSLSession session = socket.getSession();
String hostname = session.getPeerHost();
try {
InetAddress.getByName(hostname);
} catch (UnknownHostException var10) {
throw new UnknownHostException("Could not resolve SSL sessions server hostname: " + hostname);
}
X509Certificate[] certs = (X509Certificate[])((X509Certificate[])session.getPeerCertificates());
if(certs != null && certs.length != 0) {
X500Principal subjectDN = certs[0].getSubjectX500Principal();
List cns = this.getCNs(subjectDN);
boolean foundHostName = false;
Iterator i$ = cns.iterator();
AntPathMatcher matcher = new AntPathMatcher();
while(i$.hasNext()) {
String cn = (String)i$.next();
if(matcher.match(cn.toLowerCase(),hostname.toLowerCase())) {
foundHostName = true;
break;
}
}
if(!foundHostName) {
throw new SSLPeerUnverifiedException("HTTPS hostname invalid: expected \'" + hostname + "\', received \'" + cns + "\'");
}
} else {
throw new SSLPeerUnverifiedException("No server certificates found!");
}
}
private List<String> getCNs(X500Principal subjectDN) {
ArrayList cns = new ArrayList();
StringTokenizer st = new StringTokenizer(subjectDN.getName(), ",");
while(st.hasMoreTokens()) {
String cnField = st.nextToken();
if(cnField.startsWith("CN=")) {
cns.add(cnField.substring(3));
}
}
return cns;
}
protected SSLSocketFactory getSslSocketFactory() {
SSLSocketFactory sslSocketFactory = null;
synchronized(this) {
if(this.sslContext != null) {
sslSocketFactory = this.sslContext.getSocketFactory();
}
}
if(sslSocketFactory == null) {
sslSocketFactory = (SSLSocketFactory)SSLSocketFactory.getDefault();
}
return sslSocketFactory;
}
public synchronized void setSSLContext(SSLContext sslContext) {
this.sslContext = sslContext;
}
}
答案 14 :(得分:0)
对于HttpClient,我们可以这样做:
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(new KeyManager[0], new TrustManager[] {new DefaultTrustManager()}, new SecureRandom());
SSLContext.setDefault(ctx);
String uri = new StringBuilder("url").toString();
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
@Override
public boolean verify(String arg0, SSLSession arg1) {
return true;
}
};
HttpClient client = HttpClientBuilder.create().setSSLContext(ctx)
.setSSLHostnameVerifier(hostnameVerifier).build()
答案 15 :(得分:0)
按照下面针对Java 1.7的说明,使用InstallCert.java程序文件创建SSL证书。
https://github.com/escline/InstallCert
您必须重新启动Tomcat
答案 16 :(得分:0)
将以下内容与DefaultTrustManager一起使用,并且可以像魅力一样在httpclient中使用。万分感谢!! @Kevin和其他所有贡献者
SSLContext ctx = null;
SSLConnectionSocketFactory sslsf = null;
try {
ctx = SSLContext.getInstance("TLS");
ctx.init(new KeyManager[0], new TrustManager[] {new DefaultTrustManager()}, new SecureRandom());
SSLContext.setDefault(ctx);
sslsf = new SSLConnectionSocketFactory(
ctx,
new String[] { "TLSv1" },
null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
} catch (Exception e) {
e.printStackTrace();
}
CloseableHttpClient client = HttpClients.custom()
.setSSLSocketFactory(sslsf)
.build();
答案 17 :(得分:0)
我碰到同样的问题,突然间我所有的进口品都丢失了。我尝试删除.m2文件夹中的所有内容。并尝试重新导入所有内容,但仍然无济于事。 最终,我所做的是打开了一个网站,IDE抱怨该网站无法在我的浏览器中下载。并看到了它正在使用的证书,并在我的
中看到了$ keytool -v -list PATH_TO_JAVA_KEYSTORE
我的密钥库的路径是/Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre/lib/security/cacerts
该特定证书不存在。
因此,您要做的就是再次将证书放入JAVA JVM密钥库中。 可以使用以下命令完成。
$ keytool -import -alias ANY_NAME_YOU_WANT_TO_GIVE -file PATH_TO_YOUR_CERTIFICATE -keystore PATH_OF_JAVA_KEYSTORE
如果要求输入密码,请尝试使用默认密码“ changeit” 如果运行上述命令时出现权限错误。 在Windows中,以管理模式打开它。 在Mac和Unix中,请使用sudo。
成功添加密钥后, 您可以使用:
查看它$ keytool -v -list /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre/lib/security/cacerts
您可以使用teh命令仅查看SHA-1
$ keytool -list /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre/lib/security/cacerts