I use this method to register the client certificate with the server certificate.
// Inside class Party; keyAlias, keystore and getAliasCert() are fields/methods of that class.
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;

/**
 * Links the user's certificate into the server's keystore/truststore.
 *
 * @param server
 *            The server party.
 * @return <code>true</code> if the certificate has been bound,
 *         <code>false</code> if the certificate already was bound to the
 *         truststore.
 * @throws KeyStoreException
 */
public boolean linkToServerCertificate(Party server) throws KeyStoreException {
    if (keyAlias.equals(server.keyAlias)) {
        throw new IllegalArgumentException("The alias of client and server must be different!");
    }
    if (server.keystore.containsAlias(keyAlias)) {
        return false; // already bound, as the Javadoc above promises
    }
    // Client side: trust the server's certificate.
    keystore.setCertificateEntry(server.keyAlias, server.getAliasCert());
    // Server side: getCertificate() yields only the first certificate of the key entry's chain.
    Certificate certificate = keystore.getCertificate(keyAlias);
    server.keystore.setCertificateEntry(keyAlias, certificate);
    return true;
}
After restarting the AS, I get this message:
With the environment variable JAVA_OPTS="-Djavax.net.debug=ssl" set, I get this output:
*** ServerHelloDone
https-jsse-nio-8443-exec-7, WRITE: TLSv1.2 Handshake, length = 1522
https-jsse-nio-8443-exec-8, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
https-jsse-nio-8443-exec-8, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-4, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
https-jsse-nio-8443-exec-8, SEND TLSv1.2 ALERT: fatal, description = bad_certificate
So the certificate chain of the certificate is empty.
But when I inspect the certificate on the client, it shows that a certificate chain exists.
I am confused: why is the certificate chain not being sent to the server?
Answer 0 (score: 1)
You can copy the complete certificate chain as follows.
import java.security.Key;
import java.security.cert.Certificate;

Key key = keystore.getKey(keyAlias, clientKeyStorePassPhrase);
// getCertificateChain() returns the whole chain (leaf first); getCertificate() returns only the leaf.
Certificate[] chain = keystore.getCertificateChain(keyAlias);
// Note: setKeyEntry stores the private key as well, so the server store now holds the client's key.
server.keystore.setKeyEntry(keyAlias, key, serverKeyStorePassPhrase, chain);
See - http://www.java2s.com/Code/Java/Security/Importakeycertificatepairfromapkcs12fileintoaregularJKSformatkeystore.htm for more details on how to copy certificates from one keystore to another.
Update -
The Java API docs also state that keystore.getCertificate(keyAlias);
returns only the first element of the certificate chain. Reference - https://docs.oracle.com/javase/8/docs/api/index.html?java/security/KeyStore.html
Reference - more examples of loading certificate chains - https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12
Answer 1 (score: 0)
I was wrong: my certificate chain was in the wrong order.
// chainSet must preserve insertion order (a List or LinkedHashSet, not a HashSet):
// element 0 is the certificate for pair.getPublic(), followed by its issuers.
keystore.setKeyEntry(alias, pair.getPrivate(), pass.toCharArray(),
        chainSet.toArray(new Certificate[0]));
The order of chainSet must be such that the nearest certificate is the first one.
The real mistake was using the built-in implementation of the PKI.
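As an added example (not code from the question or either answer), the program below does the two things the answers describe: it puts a key entry's chain into the leaf-first order that KeyStore.setKeyEntry and JSSE expect, verifying each signature on the way up, and it copies only certificates into the server's truststore, never the client's private key. The server side needs the issuers rather than the leaf: JSSE's default X509KeyManager offers a client entry only if some certificate in its chain has an issuer named in the server's CertificateRequest, and the server fills that list from the subjects of the trusted certificates in its truststore, so a truststore holding just a CA-issued leaf leaves the client with no usable alias and an empty Certificate message. The store types (PKCS12 for the client, JKS for the truststore), the file paths, the alias and the passwords are assumptions taken from the command line.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not the question's or the answers' code. Re-stores a client
 * key entry with its chain leaf-first and trusts the chain's issuers on the
 * server. Store types, paths, alias and passwords are assumptions:
 *   java ChainLinker client.p12 clientpass client server-trust.jks trustpass
 */
public class ChainLinker {

    /** True if cand's subject is the issuer of some other certificate in pool. */
    private static boolean issuesAny(X509Certificate cand, List<X509Certificate> pool) {
        for (X509Certificate other : pool) {
            if (other != cand && other.getIssuerX500Principal().equals(cand.getSubjectX500Principal())) return true;
        }
        return false;
    }

    /** The certificate in pool that issued cert, or null for a self-signed cert or a missing issuer. */
    private static X509Certificate findIssuer(X509Certificate cert, List<X509Certificate> pool) {
        if (cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) return null;
        for (X509Certificate cand : pool) {
            if (cand.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return cand;
        }
        return null;
    }

    /** Orders a chain as setKeyEntry expects: the key's own certificate first, then its issuers.
     *  Throws if the input is not one contiguous chain or a signature does not verify. */
    static X509Certificate[] orderLeafFirst(Certificate[] input) throws GeneralSecurityException {
        List<X509Certificate> pool = new ArrayList<>();
        for (Certificate c : input) pool.add((X509Certificate) c);
        X509Certificate leaf = null; // the one certificate that issued nothing else
        for (X509Certificate cand : pool) {
            if (!issuesAny(cand, pool)) {
                if (leaf != null) throw new GeneralSecurityException("more than one leaf in input");
                leaf = cand;
            }
        }
        if (leaf == null) throw new GeneralSecurityException("no leaf certificate found");
        List<X509Certificate> ordered = new ArrayList<>();
        X509Certificate cur = leaf;
        while (cur != null) { // walk towards the root, checking each signature
            ordered.add(cur);
            pool.remove(cur);
            X509Certificate issuer = findIssuer(cur, pool);
            if (issuer != null) cur.verify(issuer.getPublicKey()); // throws on a bad signature
            cur = issuer;
        }
        if (!pool.isEmpty()) throw new GeneralSecurityException(pool.size() + " certificate(s) not in the chain");
        return ordered.toArray(new X509Certificate[0]);
    }

    static KeyStore load(String type, String path, char[] pw) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    static void save(KeyStore ks, String path, char[] pw) throws IOException, GeneralSecurityException {
        try (FileOutputStream out = new FileOutputStream(path)) { ks.store(out, pw); }
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length != 5) {
            System.err.println("usage: ChainLinker <client.p12> <clientPass> <alias> <server-trust.jks> <trustPass>");
            System.exit(2);
        }
        String alias = args[2];
        char[] clientPass = args[1].toCharArray(), trustPass = args[4].toCharArray();

        KeyStore client = load("PKCS12", args[0], clientPass);
        Key key = client.getKey(alias, clientPass);
        Certificate[] stored = client.getCertificateChain(alias);
        if (!(key instanceof PrivateKey) || stored == null) {
            throw new GeneralSecurityException(alias + " is not a private key entry with a chain");
        }
        X509Certificate[] chain = orderLeafFirst(stored);
        client.setKeyEntry(alias, key, clientPass, chain); // the stored order is the order JSSE sends
        save(client, args[0], clientPass);

        // The server must trust the issuers (or the leaf itself when it is self-signed);
        // it never needs the client's private key, so only certificates are copied.
        KeyStore trust = load("JKS", args[3], trustPass);
        if (chain.length == 1) trust.setCertificateEntry(alias, chain[0]);
        for (int i = 1; i < chain.length; i++) {
            trust.setCertificateEntry(alias + "-issuer-" + i, chain[i]);
        }
        save(trust, args[3], trustPass);
        System.out.println("stored " + chain.length + " certificate(s), leaf: " + chain[0].getSubjectX500Principal());
    }
}
```

After running it, `keytool -list -v -keystore client.p12` should show the key entry's chain with the client certificate as "Certificate[1]", and the server truststore should contain only trustedCertEntry items; a -Djavax.net.debug=ssl trace of the next handshake should then show a non-empty "Certificate chain" on the server side after the client's reply to ServerHelloDone.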