Adding certificates to the keystore and truststore

Time: 2017-08-16 11:07:56

Tags: java ssl docker https keytool

The private key (client) and the client certificate are both in PEM format. I have to add these to the truststore and the keystore. How can I do that? So far I have these commands in cmd (Windows):

  1. Generate the PKCS12 (key: client private key, cert: client certificate, ca: cacert): openssl pkcs12 -inkey key.pem -in cert.pem -export -out keystored.p12 -certfile ca.pem

  2. keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12

  3. Are these commands correct?

    I wrote a program that connects to the server over SSL, but it shows this error: Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)

    The program is below (it fetches Docker information):

    package test_abc;

    import java.io.File;
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import org.apache.http.HttpEntity;
    import org.apache.http.HttpResponse;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.conn.ClientConnectionManager;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.conn.ssl.StrictHostnameVerifier;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.util.EntityUtils;

    public class TrustHttp {

        public static void main(String[] args) throws Exception {
            DefaultHttpClient httpClient = new DefaultHttpClient();
            try {
                SSLContext ctx = SSLContext.getInstance("TLS");
                // Trust store: the JKS converted from the client PKCS12 (step 2 above)
                TrustManager[] trustManagers = getTrustManagers("jks",
                        new FileInputStream(new File("C:\\Users\\akarki\\Desktop\\certi\\abcd\\mykeystore.jks")),
                        "password1");
                // Key store: the client private key and certificate (step 1 above)
                KeyManager[] keyManagers = getKeyManagers("pkcs12",
                        new FileInputStream(new File("C:\\Users\\akarki\\Desktop\\certi\\abcd\\KeyStore.p12")),
                        "password1");
                ctx.init(keyManagers, trustManagers, new SecureRandom());

                // Register the custom SSL context for https with strict host name checking
                SSLSocketFactory factory = new SSLSocketFactory(ctx, new StrictHostnameVerifier());
                ClientConnectionManager manager = httpClient.getConnectionManager();
                manager.getSchemeRegistry().register(new Scheme("https", 443, factory));

                // as before
                HttpGet httpget = new HttpGet("https://URL:2376/images/json");
                System.out.println("executing request" + httpget.getRequestLine());
                HttpResponse response = httpClient.execute(httpget);
                HttpEntity entity = response.getEntity();
                System.out.println("----------------------------------------");
                System.out.println(response.getStatusLine());
                if (entity != null) {
                    System.out.println("Response content length: " + entity.getContentLength());
                }
                EntityUtils.consume(entity);
            } finally {
                // When HttpClient instance is no longer needed,
                // shut down the connection manager to ensure
                // immediate deallocation of all system resources
                httpClient.getConnectionManager().shutdown();
            }
        }

        // Loads the client key material and wraps it in a KeyManager for client authentication
        protected static KeyManager[] getKeyManagers(String keyStoreType, InputStream keyStoreFile,
                String keyStorePassword) throws Exception {
            KeyStore keyStore = KeyStore.getInstance(keyStoreType);
            keyStore.load(keyStoreFile, keyStorePassword.toCharArray());
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyStorePassword.toCharArray());
            return kmf.getKeyManagers();
        }

        // Loads the trust store and wraps it in a TrustManager used to validate the server certificate
        protected static TrustManager[] getTrustManagers(String trustStoreType, InputStream trustStoreFile,
                String trustStorePassword) throws Exception {
            KeyStore trustStore = KeyStore.getInstance(trustStoreType);
            trustStore.load(trustStoreFile, trustStorePassword.toCharArray());
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            return tmf.getTrustManagers();
        }
    }


1 answer:

Answer 0 (score: 1)

Use this command to import a certificate into an existing keystore or a new one:

keytool -import -alias aliasForCert -file /path/to/ca.pem -keystore cacerts -storepass changeit

Rename aliasForCert and cacerts to suit your needs, and change the password if it is a new keystore.
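The following is an added example, not code from the question or the answer above. It shows the same procedure done from Java: the trust store is built from ca.pem as trusted-certificate entries (the programmatic counterpart of the keytool -import command in the answer), the client PKCS12 from the openssl command in the question is used only for the KeyManager, and the accepted issuers are printed before connecting so you can confirm the CA is actually a trust anchor. The file names ca.pem and keystore.p12, the password password1 and the host name dockerhost.example are assumptions for the example; adjust them to your setup.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class DockerTlsClient {

    // Build an in-memory trust store holding only the CA certificate(s) from ca.pem,
    // added as trusted-certificate entries. This matches what
    //   keytool -import -alias dockerca -file ca.pem -keystore truststore.jks
    // produces. Using the client PKCS12 converted to JKS as the trust store does not
    // work: a PrivateKeyEntry contributes only its own leaf certificate as a trust
    // anchor, so a daemon certificate signed by the CA is never trusted.
    static KeyStore trustStoreFromCaPem(String caPemPath) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // empty store: no file, no password
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(caPemPath)) {
            // generateCertificates accepts a PEM bundle with one or more certificates
            Collection<? extends Certificate> cas = cf.generateCertificates(in);
            int i = 0;
            for (Certificate ca : cas) {
                ts.setCertificateEntry("ca-" + (i++), ca);
            }
        }
        return ts;
    }

    // Load the client key + certificate produced by `openssl pkcs12 -export`.
    static KeyStore clientKeyStore(String p12Path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Return the certificates the default (PKIX) trust manager will accept as issuers,
    // so the CA can be verified to be present before any connection is attempted.
    static X509Certificate[] acceptedIssuers(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    // Key store and trust store are kept separate: client identity in one, CA trust in the other.
    static SSLContext sslContext(KeyStore clientKs, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults for this example; override from the command line.
        String caPem = args.length > 0 ? args[0] : "ca.pem";
        String clientP12 = args.length > 1 ? args[1] : "keystore.p12";
        char[] password = (args.length > 2 ? args[2] : "password1").toCharArray();
        String dockerHost = args.length > 3 ? args[3] : "https://dockerhost.example:2376";

        KeyStore trustStore = trustStoreFromCaPem(caPem);
        for (X509Certificate c : acceptedIssuers(trustStore)) {
            System.out.println("trust anchor: " + c.getSubjectX500Principal());
        }

        SSLContext ctx = sslContext(clientKeyStore(clientP12, password), password, trustStore);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(dockerHost + "/images/json").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HttpsURLConnection host name verifier stays enabled: the daemon's
        // certificate must carry the host name or IP it is reached by as a SAN.
        System.out.println("HTTP " + conn.getResponseCode());
        try (BufferedReader r = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"))) {
            System.out.println(r.readLine());
        }
    }
}
```

If the "trust anchor:" lines print only the client certificate's subject, the trust store was built from the client PKCS12 rather than from ca.pem, and the daemon's certificate will still be rejected; if the CA subject appears, server validation has what it needs and any remaining failure is client authentication or host name mismatch.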