OpenJDK for Windows 中包含的根 CA 证书列表非常令人印象深刻,但有很多根 CA 证书受到常见浏览器(如 Firefox)的信任,而 Java 不信任这些证书。
Microsoft和Mozilla都发布了他们当前的根 CA 证书列表,但使用的文件格式似乎是专有的。
curl 项目有一个使用 Mozilla 文件作为源的自动转换器,但是这个转换器 ( mk-ca-bundle ) 是一个 Perl 脚本。
有没有办法用纯 Java 读取这些列表之一,以便之后可以用作信任存储?
1 回答
1
OpenJDK describes how they build the cacerts file in the Security files for OpenJDK repo. The script downloads the certificates from Mozilla:
wget https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt .
As per the repo instructions you could build your own cacerts file that will trust another list of certificates of your own choosing:
Download the following Perl script: https://raw.githubusercontent.com/curl/curl/master/lib/mk-ca-bundle.pl
Download the following Java application: https://github.com/use-sparingly/keyutil/releases/download/0.4.0/keyutil-0.4.0.jar (source available at https://github.com/use-sparingly/keyutil)
Run the provided
GenerateCertsFile.shscript with: bash./GenerateCertsFile.sh- this will use the above files assuming they're located in the same directory as the scriptUse the cacerts provided: it must be in the
jdk/jre/lib/securityorjdk/lib/securityfolder
于 2019-06-07T12:27:13.797 回答