I have this REST client in one server that will call the endpoints in another server. I understand that if I don't have the certificates imported, calls will fail due to an SSL handshake problem. I also understand that the certificates should be exported from my server and then imported in the client machine. So far so good.

  1. The problem is, what certificates should I export from my server? Is there any kind of public certificate with a specific name? Should I create a self-signed certificate on the server side, export it and then import it on the client side?

  2. What would be the required steps in order to generate the certificate (if this is the case) and export the certificate?

  3. For real-world applications (in this case, one server talking to another), should this (or these) certificate(s) be self-signed, or public?

  4. What is the relation between the certificates and the JVM (keytool thing, keystore, etc)?

As you can see, my questions are more about basic concepts.

Thank you

1 Answer

Briefly,

  1. You can create your own self-signed certificate. This will not protect your application from all kinds of attacks, but your traffic will be encrypted. If you are running it on some intranet, I think that is a reasonable solution.
  2. See below
  3. See #1
  4. See #2

To generate the certificate on your server you can do something like this

/opt/jdk1.7.0_40/bin/keytool -genkey -alias tomcat -keypass mypassword -keystore keystore.key -storepass mypassword -keyalg RSA

Then you will probably need some extra steps to configure your web server. You did not specify which one you use, but if it is Tomcat you would add something like this to server.xml

    <Connector 
        port="8443" 
        SSLEnabled="true"
        maxThreads="150"  
        scheme="https" 
        secure="true"
        clientAuth="false" 
        sslProtocol="TLS"
        keystoreFile="/path.to.your.keystore/keystore.key"
        keystorePass="mypassword" />    

To import the certificate on the client side, you can open the login page in Firefox, right-click on the page and open "View Page Info", then go to the "Security" tab, click "View Certificate", click "Details", and then "Export".

The default is X.509 PEM, which is fine. Assuming you saved the file as "TomcatUser.pem.x509", you have to store the certificate in a keystore in a format Java understands, like this

 /opt/jdk1.7.0_40/bin/keytool -import -file TomcatUser.pem.x509 -keystore ~yourUser/MyLocalKeypass -storepass xyz

Finally, your client will need something like this

System.setProperty("javax.net.ssl.trustStore","~yourUser/MyLocalKeypass");
System.setProperty("javax.net.ssl.trustStorePassword","xyz");
answered 2014-02-02T15:37:50.513
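The same generate / export / import round trip, scripted end to end with keytool alone so that the Firefox export step is replaced by `keytool -exportcert`. This is an added example, not code from the answer above: the hostname `api.internal.example`, the file names, the alias and the passwords are assumptions, and the `mktemp` directory stands in for the two machines. Two things differ from the answer's `-genkey` line on purpose: the certificate carries a SAN equal to the hostname the client will connect to (browsers and many TLS libraries no longer accept a bare CN), and only the public certificate is exported; the private key never leaves the server keystore. The final echo prints the `-D` flags that are equivalent to the two `System.setProperty` calls in the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): keytool round trip between a
# server keystore and a client truststore. Names and passwords are placeholders.
set -eu

SERVER_HOST="${SERVER_HOST:-api.internal.example}"        # assumed server hostname
SERVER_STORE_PASS="${SERVER_STORE_PASS:-changeit-server}" # placeholder password
CLIENT_STORE_PASS="${CLIENT_STORE_PASS:-changeit-client}" # placeholder password

# 1. Server side: private key plus self-signed certificate in a PKCS12 keystore.
#    The SAN must equal the name the client connects to, otherwise hostname
#    verification fails even though the certificate itself is trusted.
gen_server_keystore() {
    dir=$1
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$SERVER_HOST" -ext "SAN=dns:$SERVER_HOST" \
        -storetype PKCS12 -keystore "$dir/server.p12" \
        -storepass "$SERVER_STORE_PASS" -keypass "$SERVER_STORE_PASS"
}

# 2. Export only the public certificate as PEM; -exportcert never emits the key.
export_server_cert() {
    dir=$1
    keytool -exportcert -rfc -alias tomcat -keystore "$dir/server.p12" \
        -storepass "$SERVER_STORE_PASS" -file "$dir/server.pem"
}

# 3. Client side: import that certificate into a dedicated truststore
#    (not into the JDK's cacerts, so the trust decision stays per application).
import_into_truststore() {
    dir=$1
    keytool -importcert -noprompt -alias "$SERVER_HOST" -file "$dir/server.pem" \
        -storetype PKCS12 -keystore "$dir/client-truststore.p12" \
        -storepass "$CLIENT_STORE_PASS"
}

# 4. Check: the truststore lists the expected alias as a trustedCertEntry.
truststore_has_alias() {
    dir=$1
    keytool -list -keystore "$dir/client-truststore.p12" \
        -storepass "$CLIENT_STORE_PASS" \
        | grep -q "^$SERVER_HOST,.*trustedCertEntry"
}

# Runs all four steps in the given directory. Returns 77 when no JDK keytool is
# on PATH (conventional "skipped" code), 0 on success, non-zero on any failure.
demo_roundtrip() {
    dir=$1
    command -v keytool >/dev/null 2>&1 || {
        echo "keytool not found; a JDK is required" >&2
        return 77
    }
    gen_server_keystore "$dir" \
        && export_server_cert "$dir" \
        && import_into_truststore "$dir" \
        && truststore_has_alias "$dir" \
        && echo "java -Djavax.net.ssl.trustStore=$dir/client-truststore.p12" \
                "-Djavax.net.ssl.trustStorePassword=$CLIENT_STORE_PASS ..."
}

if [ $# -gt 0 ]; then
    demo_roundtrip "$1"
fi
```

Run it as `sh roundtrip.sh /some/dir`; copy `server.p12` to the Tomcat `keystoreFile` location and `client-truststore.p12` to the client machine. Because the truststore is created with `-storetype PKCS12`, the same file works with the answer's `javax.net.ssl.trustStore` properties on any JDK that defaults to PKCS12 (JDK 9 and later) and on older JDKs when `javax.net.ssl.trustStoreType=PKCS12` is also set.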