0

I generated selfsigned certifiacte to use it to authenticate my web appliaction. Clients instead of web browser use client application to comunicate with web server. Client application uses httpclient. The internet is full of examples of how to trust all the ssl certificates in httpclient. I don't want to trust all certificate, I want trust only one, my selfsigned certificate (of course every CA trusted certificate also). I know that I can add my certificate to trusted keystore using keytool, but I don't want to interface in JSSE keystore. I want to say httpclient to trust one specific selfsigned certificate.

First question:

Is it possible?

Second question:

Described solution is ok in development environment. I'm think that is bad practice, but I wonder that is it acceptable in production environment?

4

1 回答 1

1

可能吗?

当然是。您可能只需要做更多的工作来管理您的信任材料并为您的应用程序初始化 SSL 上下文。您可以选择信任一个且唯一的证书,或者您可以选择使用 JRE 随附的信任材料,然后有选择地添加特定于您的应用程序的信任材料。

您可以使用SSLContextBuilderApache HttpClient 4.3简化信任和密钥材料管理和初始化的过程

在生产环境中可以接受吗?

这在很大程度上取决于应用程序的安全上下文和要求。仅信任一个特定证书而不信任任何标准 CA 可能会使您的应用程序不太容易受到中间人攻击,但每次相关证书过期或被吊销时都需要重新配置并可能重新部署。确保私钥不会落入坏人之手也将成为您的责任。这是优点和缺点的结合。

于 2013-08-12T08:50:15.943 回答