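I'm looking for a way to find out which certificates the JDK trusts by default, without buying a trial certificate.
The JDK has this list of CAs it trusts, but that doesn't really help, because before purchasing it's not clear which CA the certificate will be signed by (most certificates are signed by intermediate authorities).
Is there any list/database of certificates that are guaranteed to be trusted by a default JDK installation?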
Answer 0: (score: 6)
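Unless you have configured a different truststore, a JRE with default settings trusts all certificates that somehow chain to one of the certificates in jre/lib/security/cacerts. Actually the process is a bit more complicated (google PKIX path validation), but this explanation is sufficient for our purposes.
If your certificate is signed by an intermediate CA (as most are), make sure to provide the certificate chain. For example, if you use it for https on an Apache web server, use the SSLCertificateChainFile option to configure the file with the intermediates. This way it doesn't matter which intermediate signs, as long as the intermediate chains to a CA in cacerts.
By the way, the process for getting a certificate into the truststore is explained here: http://www.oracle.com/technetwork/java/javase/javasecarootcertsprogram-1876540.html
Since Oracle reserves the right to remove CAs from this list, there is no list that is guaranteed to work in future releases. Depending on your application, providing your own truststore via the property javax.net.ssl.trustStore might be an option.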
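A way to check this on a given JDK, as an added example that is not part of the answer above: with no arguments it lists the roots the running JRE trusts by default; given a PEM file (a path you supply, leaf certificate first, then the intermediates) it runs PKIX path validation against those roots. Revocation checking is switched off here as an assumption so the check runs offline.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class DefaultTrustCheck {
    // Trust anchors the JRE uses when the application configures nothing itself
    // (cacerts, or whatever javax.net.ssl.trustStore points to if it is set).
    static X509Certificate[] defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] anchors = defaultAnchors();
        if (args.length == 0) { // no chain given: list the trusted roots
            for (X509Certificate a : anchors) {
                System.out.println(a.getSubjectX500Principal().getName());
            }
            return;
        }
        // args[0]: PEM file with the leaf first, then its intermediates
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            chain.addAll(cf.generateCertificates(in));
        }
        Set<TrustAnchor> trust = new HashSet<>();
        for (X509Certificate a : anchors) trust.add(new TrustAnchor(a, null));
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP lookups
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("Chains to: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("Not trusted by default: " + e.getMessage());
        }
    }
}
```

Running it against a CA's published sample or intermediate chain shows, before purchase, whether that chain ends in a root shipped with the JDK version you target.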
Answer 1: (score: 0)
There is a list of the root certificates trusted by default since Java 10 at https://openjdk.java.net/jeps/319.
Reproduced here for convenience:
Actalis S.p.A.
CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
Buypass AS
CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
Camerfirma
CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Certum
CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
Chunghwa Telecom Co., Ltd.
OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW
Comodo CA Ltd.
CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Digicert Inc.
CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
OU=Equifax Secure Certificate Authority, O=Equifax, C=US
CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
DocuSign
CN=Class 2 Primary CA, O=Certplus, C=FR
CN=Class 3P Primary CA, O=Certplus, C=FR
CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
D-TRUST GmbH
CN=D-TRUST Root Class 3 CA 2 2009, O=D-Trust GmbH, C=DE
CN=D-TRUST Root Class 3 CA 2 EV 2009, O=D-Trust GmbH, C=DE
IdenTrust
CN=DST Root CA X3, O=Digital Signature Trust Co.
CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
Let's Encrypt
CN=ISRG Root X1, O=Internet Security Research Group, C=US
LuxTrust
CN=LuxTrust Global Root, O=LuxTrust s.a., C=LU
QuoVadis Ltd.
CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
Secom Trust Systems
OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP
SwissSign AG
CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
Telia
CN=Sonera Class2 CA, O=Sonera, C=FI
Trustwave
CN=SecureTrust CA, O=SecureTrust Corporation, C=US
CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US