When trying to implement a keystore in a Java SOAP client to access a WS, I get the exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
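We found that the cause is that the CA (DigiSign) is not among Java's trusted CAs. Initially I used certificates given to me by our senior engineer and combined them with keytool: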
keytool.exe -v -alias digicert_3 -import -file DigiCertHighAssuranceCA-3.pem -keystore mykeystore.jks
keytool.exe -v -alias digicert_root -import -file DigiCertHighAssuranceEVRootCA.pem -keystore mykeystore.jks
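Then I copied the keystore.jks file into the Eclipse project under src/main/resources.
However, now I get other exceptions. I have tried multiple ways of loading the certificates into the keystore, and I get various exceptions.
Below are the different ways I have tried to implement the keystore (one at a time):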
//Load keystore from project resource
KeyStore keyStore = KeyStore.getInstance("JKS");
//Keystore created using two individual PEM certs
//Exception: java.io.IOException: Keystore was tampered with, or password was incorrect
keyStore.load(Thread.currentThread().getContextClassLoader().getResourceAsStream("mykeystore_PEM.jks"), "password".toCharArray());
//Keystore created with two certs combined into a single file
//Exception: java.io.IOException: Keystore was tampered with, or password was incorrect
keyStore.load(Thread.currentThread().getContextClassLoader().getResourceAsStream("mykeystore_Com.jks"), "password".toCharArray());
//Keystore created using two individual DER cert calls
//Exception: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
keyStore.load(Thread.currentThread().getContextClassLoader().getResourceAsStream("mykeystore_DER.jks"), "password".toCharArray());
//Keystore created using InstallCert
//Exception: java.security.cert.CertificateParsingException: java.io.IOException: insufficient data
keyStore.load(Thread.currentThread().getContextClassLoader().getResourceAsStream("jssecacerts"), "changeit".toCharArray());
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(keyStore);
TrustManager[] trustManagers = trustFactory.getTrustManagers();
tlsParams.setTrustManagers(trustManagers);
conduit.setTlsClientParameters(tlsParams);
HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
httpClientPolicy.setConnectionTimeout(36000);
httpClientPolicy.setAllowChunking(false);
httpClientPolicy.setReceiveTimeout(32000);
conduit.setClient(httpClientPolicy);
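1 & 2.) I have verified and double-checked the passwords, so I don't know why the first two fail.
3.) Regarding the third exception about the length, I have read that data after the END CERTIFICATE line is usually the problem. I have tried with a blank line (which gives the 'too big' exception) or with the END CERTIFICATE line as the last line (which gives some other exception).
4.) Running the InstallCert class from here, I was prompted to pick a certificate, and it shows up in the keystore.
Any idea why my keystores aren't working? Is it the Java code, or are the certificates/keystores not being generated correctly?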
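Answer 0 (score: 0)
In the past I also had trouble with SSL, Java and keystores, and used this class to import a certificate from a server into a keystore:
http://wiki.openkm.com/images/a/a0/InstallCert.java
or https://code.google.com/p/java-use-examples/source/browse/trunk/src/com/aw/ad/util/InstallCert.java
It can be found on several sites on the internet.
A good tool for importing certificates is KeyStore Explorer (for Windows):
http://keystore-explorer.sourceforge.net/
Hope this helps!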
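A diagnostic sketch for the load failures listed in the question, added here as an example and not code from the question or the answer: it checks that the resource exists and that its first bytes are the JKS magic number before calling KeyStore.load, so a missing file or a non-JKS file is reported separately from the integrity/password failure. The class name TruststoreCheck, the method names and the sample names (good.jks, damaged.jks, cert.pem) are assumptions, the sample data is constructed in memory, and readAllBytes needs Java 9 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

public class TruststoreCheck {                      // hypothetical class name
    // Identify the container format from its first four bytes.
    static String classify(byte[] d) {
        if (d.length < 4) return "too short";
        int magic = ((d[0] & 0xFF) << 24) | ((d[1] & 0xFF) << 16) | ((d[2] & 0xFF) << 8) | (d[3] & 0xFF);
        if (magic == 0xFEEDFEED) return "JKS";
        if (magic == 0xCECECECE) return "JCEKS";
        if (new String(d, 0, 4, StandardCharsets.US_ASCII).equals("----")) return "PEM text";
        if (d[0] == 0x30) return "DER (PKCS12 or a bare certificate)";
        return "unknown";
    }
    // Load a JKS truststore, reporting a missing resource or wrong format before the password check.
    static KeyStore loadJks(InputStream in, String name, char[] password) throws Exception {
        if (in == null) throw new FileNotFoundException(name + " is not on the classpath");
        byte[] data;
        try (InputStream s = in) { data = s.readAllBytes(); }   // Java 9+
        String kind = classify(data);
        if (!kind.equals("JKS")) throw new IOException(name + " is not JKS, looks like: " + kind);
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new ByteArrayInputStream(data), password);      // verifies the integrity digest
        return ks;
    }
    // Run loadJks and turn the outcome into one printable line.
    static String report(byte[] data, String name, char[] password) {
        try {
            return name + ": loaded, " + loadJks(new ByteArrayInputStream(data), name, password).size() + " entries";
        } catch (Exception e) {
            return name + ": " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "password".toCharArray();
        KeyStore empty = KeyStore.getInstance("JKS");           // constructed sample: empty JKS in memory
        empty.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, pw);
        byte[] good = out.toByteArray();
        byte[] damaged = good.clone();
        damaged[damaged.length - 1] ^= 0x01;                    // one bit changed in the trailing digest
        byte[] pem = "-----BEGIN CERTIFICATE-----\n".getBytes(StandardCharsets.US_ASCII);
        System.out.println(report(good, "good.jks", pw));
        System.out.println(report(good, "good.jks (wrong password)", "changeit".toCharArray()));
        System.out.println(report(damaged, "damaged.jks", pw));
        System.out.println(report(pem, "cert.pem", pw));
    }
}
```

In a project, the same check applies to the stream returned by getResourceAsStream("mykeystore.jks"); comparing the packaged resource's bytes with the file keytool wrote shows whether the build changed it.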