java - 创建java识别的证书链的过程

Question

tl;dr - 获取 KeyStore Explorer ( http://keystore-explorer.org/ ) 并为自己省去一个麻烦。

ps - 密钥库别名设置对于某些 java 应用程序非常重要（例如：iDempiere 在其 Jetty 提供程序 ssl 配置中（.../jettyhome/etc/jetty-ssl-context.xml）。在这些情况下，必须确保java 正在查找的证书的别名与它实际用于查找它的别名匹配。

OP

我需要在 Java 应用程序中使用私有 CA 及其证书。我无法发现如何将私有 CA 根证书及其中间证书添加到 Java 受信任证书中。我已经找到并阅读了多篇关于如何做到这一点的文章，但我的努力无法完成我所需要的。

我正在使用 OpenJDK11。java cacerts fie 位于/usr/local/openjdk11/lib/security/cacerts. 我相信这包含 Java 使用的可信证书列表。

我已手动将私有 CA 根证书和中间证书添加到此存储：

cp -p /usr/local/openjdk11/lib/security/cacerts /usr/local/openjdk11/lib/security/cacerts.cln
cp -p /usr/local/openjdk11/lib/security/cacerts /root/hll_jdk11_cacerts

JAVA_VERSION="11" keytool -import   \
  -trustcacerts   \
  -file /usr/local/etc/pki/tls/certs/CA_HLL_ROOT_2016.crt  \
  -alias 'hartelyneroot2016 [hll]'  \
  -keystore /root/hll_jdk11_cacerts

JAVA_VERSION="11" keytool -import  \
   -trustcacerts  \
   -file /usr/local/etc/pki/tls/certs/CA_HLL_ISSUER_2016.crt \
   -alias 'hartelyneissuer2016 [hll]'  \
   -keystore /root/hll_jdk11_cacerts

JAVA_VERSION="11" keytool -list  -rfc  -keystore /root/hll_jdk11_cacerts | grep hll
Enter keystore password:  changeit
Alias name: hartelyneissuer2016 [hll]
Alias name: hartelyneroot2016 [hll]

cp -p /root/hll_jdk11_cacerts /usr/local/openjdk11/lib/security/cacerts

据我所知，CA_HLL_ISSUER_2016 和 CA_HLL_ROOT_2016 颁发的证书现在应该被此主机上的 java 识别为信任。但是，他们不是。我需要找出原因。

JAVA_VERSION="11" java SSLPoke google.ca 443
Successfully connected

JAVA_VERSION="11" java SSLPoke webmail.harte-lyne.ca 443
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchor

但我没有问题openssl s_client：

openssl s_client -connect webmail.harte-lyne.ca:443
CONNECTED(00000003)
depth=2 CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
verify return:1
depth=1 CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
verify return:1
depth=0 CN = webmail.hamilton.harte-lyne.ca, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = hamilton, DC = harte-lyne, DC = ca
verify return:1
---
Certificate chain
 0 s:CN = webmail.hamilton.harte-lyne.ca, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = hamilton, DC = harte-lyne, DC = ca
   i:CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
 1 s:CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
   i:CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
 2 s:CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
   i:CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
---
Server certificate
-----BEGIN CERTIFICATE-----

. . .

---
Acceptable client certificate CA names
. . .
CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
. . .
CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
. . .

我在这里想念什么？如何将私有 CA 添加到 Java 信任库？

按照答案中给出的建议，我按照给定的顺序完全做到了这一点：

openssl s_client -connect webmail.harte-lyne.ca:443 -showcerts > harte.crt

JAVA_VERSION="11" keytool -import -alias harte -file harte.crt -keystore cacerts -storepass changeit
. . .
Trust this certificate? [no]:  yes
Certificate was added to keystore

JAVA_VERSION="11" java  SSLPoke webmail.harte-lyne.ca 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

我在 OpenJDK 中遇到错误？

score 0 · Accepted Answer

我了解到您希望对某些 HTTPS 调用执行客户端证书身份验证。信任证书是不够的。您需要使用已使用此 CA 签名的密钥对才能成功进行 HTTPS 握手。

尝试这样的事情

String keyPassphrase = "";

KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(new FileInputStream("cert-key-pair.pfx"), keyPassphrase.toCharArray());

SSLContext sslContext = SSLContexts.custom()
        .loadKeyMaterial(keyStore, null)
        .build();

HttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).build();
HttpResponse response = httpClient.execute(new HttpGet("https://example.com"));

score 0 · Accepted Answer

不，别名对于默认信任管理器（由 SSLPoke 使用）以及我所见过的任何其他内容都无关紧要。您必须在用作信任库的密钥库中拥有正确的证书（必须包含正确的 CN），但别名无关紧要。由于难以理解且无法重现系统上存在的内容，因此这里是使用 Amazon Linux 2 ami-0a0ad6b70e61be944 的 AWS EC2 t2.micro 实例的从头开始的日志，以及可用于该系统（即 Amazon Corretto）的 openjdk 11，任何人都应该能够复制。

第 1 部分 - 无法使用默认 cacerts 进行验证

[ec2-user@ip-172-31-21-185 ~]$ sudo yum install java-11-amazon-corretto-headless
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                               | 3.7 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package java-11-amazon-corretto-headless.x86_64 1:11.0.9+12-1.amzn2 will be installed
--> Processing Dependency: fontconfig for package: 1:java-11-amazon-corretto-headless-11.0.9+12-1.amzn2.x86_64
--> Processing Dependency: jpackage-utils for package: 1:java-11-amazon-corretto-headless-11.0.9+12-1.amzn2.x86_64
--> Running transaction check
---> Package fontconfig.x86_64 0:2.13.0-4.3.amzn2 will be installed
--> Processing Dependency: fontpackages-filesystem for package: fontconfig-2.13.0-4.3.amzn2.x86_64
--> Processing Dependency: dejavu-sans-fonts for package: fontconfig-2.13.0-4.3.amzn2.x86_64
---> Package javapackages-tools.noarch 0:3.4.1-11.amzn2 will be installed
--> Processing Dependency: python-javapackages = 3.4.1-11.amzn2 for package: javapackages-tools-3.4.1-11.amzn2.noarch
--> Processing Dependency: libxslt for package: javapackages-tools-3.4.1-11.amzn2.noarch
--> Running transaction check
---> Package dejavu-sans-fonts.noarch 0:2.33-6.amzn2 will be installed
--> Processing Dependency: dejavu-fonts-common = 2.33-6.amzn2 for package: dejavu-sans-fonts-2.33-6.amzn2.noarch
---> Package fontpackages-filesystem.noarch 0:1.44-8.amzn2 will be installed
---> Package libxslt.x86_64 0:1.1.28-6.amzn2 will be installed
---> Package python-javapackages.noarch 0:3.4.1-11.amzn2 will be installed
--> Processing Dependency: python-lxml for package: python-javapackages-3.4.1-11.amzn2.noarch
--> Running transaction check
---> Package dejavu-fonts-common.noarch 0:2.33-6.amzn2 will be installed
---> Package python-lxml.x86_64 0:3.2.1-4.amzn2.0.2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                          Arch   Version               Repository  Size
================================================================================
Installing:
 java-11-amazon-corretto-headless x86_64 1:11.0.9+12-1.amzn2   amzn2-core 163 M
Installing for dependencies:
 dejavu-fonts-common              noarch 2.33-6.amzn2          amzn2-core  64 k
 dejavu-sans-fonts                noarch 2.33-6.amzn2          amzn2-core 1.4 M
 fontconfig                       x86_64 2.13.0-4.3.amzn2      amzn2-core 253 k
 fontpackages-filesystem          noarch 1.44-8.amzn2          amzn2-core  10 k
 javapackages-tools               noarch 3.4.1-11.amzn2        amzn2-core  73 k
 libxslt                          x86_64 1.1.28-6.amzn2        amzn2-core 240 k
 python-javapackages              noarch 3.4.1-11.amzn2        amzn2-core  31 k
 python-lxml                      x86_64 3.2.1-4.amzn2.0.2     amzn2-core 1.0 M

Transaction Summary
================================================================================
Install  1 Package (+8 Dependent packages)

Total download size: 166 M
Installed size: 312 M
Is this ok [y/d/N]: y
Downloading packages:
(1/9): dejavu-fonts-common-2.33-6.amzn2.noarch.rpm         |  64 kB   00:00
(2/9): dejavu-sans-fonts-2.33-6.amzn2.noarch.rpm           | 1.4 MB   00:00
(3/9): fontconfig-2.13.0-4.3.amzn2.x86_64.rpm              | 253 kB   00:00
(4/9): fontpackages-filesystem-1.44-8.amzn2.noarch.rpm     |  10 kB   00:00
(5/9): javapackages-tools-3.4.1-11.amzn2.noarch.rpm        |  73 kB   00:00
(6/9): libxslt-1.1.28-6.amzn2.x86_64.rpm                   | 240 kB   00:00
(7/9): python-javapackages-3.4.1-11.amzn2.noarch.rpm       |  31 kB   00:00
(8/9): python-lxml-3.2.1-4.amzn2.0.2.x86_64.rpm            | 1.0 MB   00:00
(9/9): java-11-amazon-corretto-headless-11.0.9+12-1.amzn2. | 163 MB   00:02
--------------------------------------------------------------------------------
Total                                               69 MB/s | 166 MB  00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : fontpackages-filesystem-1.44-8.amzn2.noarch                  1/9
  Installing : libxslt-1.1.28-6.amzn2.x86_64                                2/9
  Installing : python-lxml-3.2.1-4.amzn2.0.2.x86_64                         3/9
  Installing : python-javapackages-3.4.1-11.amzn2.noarch                    4/9
  Installing : javapackages-tools-3.4.1-11.amzn2.noarch                     5/9
  Installing : dejavu-fonts-common-2.33-6.amzn2.noarch                      6/9
  Installing : dejavu-sans-fonts-2.33-6.amzn2.noarch                        7/9
  Installing : fontconfig-2.13.0-4.3.amzn2.x86_64                           8/9
  Installing : 1:java-11-amazon-corretto-headless-11.0.9+12-1.amzn2.x86_6   9/9
  Verifying  : 1:java-11-amazon-corretto-headless-11.0.9+12-1.amzn2.x86_6   1/9
  Verifying  : python-lxml-3.2.1-4.amzn2.0.2.x86_64                         2/9
  Verifying  : libxslt-1.1.28-6.amzn2.x86_64                                3/9
  Verifying  : dejavu-sans-fonts-2.33-6.amzn2.noarch                        4/9
  Verifying  : fontconfig-2.13.0-4.3.amzn2.x86_64                           5/9
  Verifying  : python-javapackages-3.4.1-11.amzn2.noarch                    6/9
  Verifying  : fontpackages-filesystem-1.44-8.amzn2.noarch                  7/9
  Verifying  : dejavu-fonts-common-2.33-6.amzn2.noarch                      8/9
  Verifying  : javapackages-tools-3.4.1-11.amzn2.noarch                     9/9

Installed:
  java-11-amazon-corretto-headless.x86_64 1:11.0.9+12-1.amzn2

Dependency Installed:
  dejavu-fonts-common.noarch 0:2.33-6.amzn2
  dejavu-sans-fonts.noarch 0:2.33-6.amzn2
  fontconfig.x86_64 0:2.13.0-4.3.amzn2
  fontpackages-filesystem.noarch 0:1.44-8.amzn2
  javapackages-tools.noarch 0:3.4.1-11.amzn2
  libxslt.x86_64 0:1.1.28-6.amzn2
  python-javapackages.noarch 0:3.4.1-11.amzn2
  python-lxml.x86_64 0:3.2.1-4.amzn2.0.2

Complete!
[ec2-user@ip-172-31-21-185 ~]$
[ec2-user@ip-172-31-21-185 ~]$
[ec2-user@ip-172-31-21-185 ~]$ curl https://confluence.atlassian.com/kb/files/779355358/779355357/1/1441897666313/SSLPoke.class -O
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1959  100  1959    0     0  13992      0 --:--:-- --:--:-- --:--:-- 13992
[ec2-user@ip-172-31-21-185 ~]$
[ec2-user@ip-172-31-21-185 ~]$ java SSLPoke webmail.harte-lyne.ca 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1408)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1314)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
        at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:819)
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1189)
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1161)
        at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 20 more
[ec2-user@ip-172-31-21-185 ~]$

第 2 部分 -- 使用 openssl 获取根证书

[ec2-user@ip-172-31-21-185 ~]$ openssl s_client -connect webmail.harte-lyne.ca:443 -showcerts </dev/null 2>/dev/null | awk '/-BEGIN CERT/&&++n==3,/-END CERT/' | tee cert.pem | openssl x509  -subject -issuer -dates -fingerprint
subject= /CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne Limited/OU=Networked Data Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
issuer= /CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne Limited/OU=Networked Data Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
notBefore=Nov  1 00:00:00 2016 GMT
notAfter=Oct 31 23:59:59 2036 GMT
SHA1 Fingerprint=09:84:38:AD:7C:E7:E1:7D:78:FE:93:CD:2A:2F:3F:3E:AF:98:C2:0F
-----BEGIN CERTIFICATE-----
MIIJDTCCBvWgAwIBAgIBATANBgkqhkiG9w0BAQ0FADCBvjEZMBcGA1UEAxQQQ0Ff
SExMX1JPT1RfMjAxNjEQMA4GA1UECBMHT250YXJpbzEdMBsGA1UEChQUSGFydGUg
JiBMeW5lIExpbWl0ZWQxIDAeBgNVBAsTF05ldHdvcmtlZCBEYXRhIFNlcnZpY2Vz
MQswCQYDVQQGEwJDQTEaMBgGCgmSJomT8ixkARkTCmhhcnRlLWx5bmUxEjAQBgoJ
kiaJk/IsZAEZEwJjYTERMA8GA1UEBxMISGFtaWx0b24wIhgPMjAxNjExMDEwMDAw
MDBaGA8yMDM2MTAzMTIzNTk1OVowgb4xGTAXBgNVBAMUEENBX0hMTF9ST09UXzIw
MTYxEDAOBgNVBAgTB09udGFyaW8xHTAbBgNVBAoUFEhhcnRlICYgTHluZSBMaW1p
dGVkMSAwHgYDVQQLExdOZXR3b3JrZWQgRGF0YSBTZXJ2aWNlczELMAkGA1UEBhMC
Q0ExGjAYBgoJkiaJk/IsZAEZEwpoYXJ0ZS1seW5lMRIwEAYKCZImiZPyLGQBGRMC
Y2ExETAPBgNVBAcTCEhhbWlsdG9uMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
CgKCAgEAulIsSVsyYwmUIk2C6TvpPolRPPGR4R24ikRF2deR3Re0JHvhl4pAxdRb
LjVeOKg6729Ovue6WYryaveTerNfXEzkz2jyK8m1C1uvTKjKOT1rQJGtb/Okn8Ka
dU2KrSrQLzm5y5qSZC+oRtuqIpBLshkvm80vWz9NJSd00h/B1He5KPYM7OR5M5IB
Fs/oYkFJPNNGAGEsPxHEgmCQkCj3caf7mBBgi+ZTEXV2wloZiKt4C+9OZoM4hSAK
NqhViFmljWnoHWcDFn2/XdPmVaVMxGK1Mp7M+uOvcIDTQCwKcmsDvhtprEksq7FL
kI7LniJkkctUgvCM9yniTXZUvAxp7Yse7YGowjUDBcUWFV2PeYG9e2fvM/SFf/KT
SjE+2qds4PHDHpG7KwQ0AVZvnMG1SVjwtS2r/1sRoOU8Rvdgz9Ugxw9y93arywS8
xDZtm0zlvQRN8rFg5fvFEmOTRYE9Au8g3XuZP7eB9V4rDL0fH5OgLYEm3+O8JQuo
7E8rKOBysO13AwU7upbVQZXvKbgXpcQ4tM7mTPnUh8ZS39SRWqj0fJs0n3j2EgOi
B8HEMaf+z/+t6XGGxcTkQsRp+2eBFK+5d5FA+HAFmYxnpHBYFoFe02/DJvlxH/JY
Wpct0U/UlS9R3EcbW93G4cR0y9sFlMl+uo0wRDA1j4lqCSc/wScCAwEAAaOCAw4w
ggMKMB0GA1UdDgQWBBSX5KGHlEmRjdrdWqYxi1XPyg9lyzCB6wYDVR0jBIHjMIHg
gBSX5KGHlEmRjdrdWqYxi1XPyg9ly6GBxKSBwTCBvjEZMBcGA1UEAxQQQ0FfSExM
X1JPT1RfMjAxNjEQMA4GA1UECBMHT250YXJpbzEdMBsGA1UEChQUSGFydGUgJiBM
eW5lIExpbWl0ZWQxIDAeBgNVBAsTF05ldHdvcmtlZCBEYXRhIFNlcnZpY2VzMQsw
CQYDVQQGEwJDQTEaMBgGCgmSJomT8ixkARkTCmhhcnRlLWx5bmUxEjAQBgoJkiaJ
k/IsZAEZEwJjYTERMA8GA1UEBxMISGFtaWx0b26CAQEwPgYDVR0SBDcwNYEaY2Vy
dGlmaWNhdGVzQGhhcnRlLWx5bmUuY2GGF2h0dHA6Ly9jYS5oYXJ0ZS1seW5lLmNh
MCUGA1UdEQQeMByBGmNlcnRpZmljYXRlc0BoYXJ0ZS1seW5lLmNhMA8GA1UdEwEB
/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIABzCBiAYD
VR0gBIGAMH4wfAYNKwYBBAGC3lBkCgoCATBrMCcGCCsGAQUFBwIBFhtodHRwOi8v
Y2EuaGFydGUtbHluZS5jYS9DUFMwQAYIKwYBBQUHAgIwNBoyTGltaXRlZCBMaWFi
aWxpdHksIHNlZSBodHRwOi8vY2EuaGFydGUtbHluZS5jYS9DUFMwQgYJYIZIAYb4
QgEEBDUWM2h0dHA6Ly9jYS5oYXJ0ZS1seW5lLmNhL0NBX0hMTF9ST09UXzIwMTYv
Y3JsLXYxLmNybDBLBggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUHMAKGL2h0dHA6Ly9j
YS5oYXJ0ZS1seW5lLmNhL0NBX0hMTF9ST09UXzIwMTYvY2EuY3J0MEQGA1UdHwQ9
MDswOaA3oDWGM2h0dHA6Ly9jYS5oYXJ0ZS1seW5lLmNhL0NBX0hMTF9ST09UXzIw
MTYvY3JsLXYyLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEAPnbB2OznhgKcBn2WklGL
8BN6XDvXpShSPh+Myf+yaOYQUvrghQj9fTHnYkV98XFT/YgNbcd0B8x4O/BXosZj
PkbNZkiluWZLK/rZ0nEDAxVbrANJna7V3+zbppGZqo0FkZdDoYvqy+3AaUpDAvFG
ZLYhiY5nVrnGi3IYu88D+EKSoO0+nGMtFFMmb1e/j8xv4aw8pzWt+DrJb8id1WmR
1Y8uq0BsAPTJOipMRPWpDrSl6kgTk/iFyHa1z6l+9H/gKZ5o1YteSde4VPVPQ1fX
FOBVcPoT4IpycjzPhuMfxRzb7pMWYr3YIabv9Te2Sk49xGDt3y8w8ZQqNBH28e7N
DcX8P2rw9BWDIO966uuMc3kgAcb8WcPxuwHiy0xrFknOYkZz5ATzRInS3DRhfRo2
I6YnXmKeV2dy43+5Ry+tDzt/WEdMn9JHnxNlRr0HFMfHgi0J+xyQDAyL6qbVZkVE
28c7x6aKGM2F3h6/o/XpreFKXElk+gD+ZabOyvWF5wuRPZ4huY6G9IX+HOZjKehO
7P3BvDcbVgOFFasM6AJAQ26GuiRX+aAhsf/x2BbFfFFLogB7g3/+NCZx5jli4X4w
WlBbbD9hVQQGLDwa8ZhIrY0ANM8BxHBHTbq8NojS63/Jdbb/fAhIwo6R1XwvpYmZ
FQ3+QhcVPUI8v6WZF2wOxcU=
-----END CERTIFICATE-----
[ec2-user@ip-172-31-21-185 ~]$

Part 3——修改和使用cacerts；别名可以是任何东西

[ec2-user@ip-172-31-21-185 ~]$ 
[ec2-user@ip-172-31-21-185 ~]$ sudo cp /usr/lib/jvm/java-11-amazon-corretto.x86_64/lib/security/cacerts save
[ec2-user@ip-172-31-21-185 ~]$ sudo keytool -cacerts -storepass changeit -importcert -file cert.pem -alias cookiemonster
Owner: L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016
Issuer: L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016
Serial number: 1
Valid from: Tue Nov 01 00:00:00 UTC 2016 until: Fri Oct 31 23:59:59 UTC 2036
Certificate fingerprints:
         SHA1: 09:84:38:AD:7C:E7:E1:7D:78:FE:93:CD:2A:2F:3F:3E:AF:98:C2:0F
         SHA256: 88:11:D6:A7:95:2A:DD:AE:0E:7E:B7:3B:74:BF:E5:0F:12:00:AF:18:F9:5F:1A:CC:A3:51:DF:DB:7F:14:B5:B4
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.4 Criticality=false
0000: 16 33 68 74 74 70 3A 2F   2F 63 61 2E 68 61 72 74  .3http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63   61 2F 43 41 5F 48 4C 4C  e-lyne.ca/CA_HLL
0020: 5F 52 4F 4F 54 5F 32 30   31 36 2F 63 72 6C 2D 76  _ROOT_2016/crl-v
0030: 31 2E 63 72 6C                                     1.crl


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://ca.harte-lyne.ca/CA_HLL_ROOT_2016/ca.crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 97 E4 A1 87 94 49 91 8D   DA DD 5A A6 31 8B 55 CF  .....I....Z.1.U.
0010: CA 0F 65 CB                                        ..e.
]
[L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016]
SerialNumber: [    01]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://ca.harte-lyne.ca/CA_HLL_ROOT_2016/crl-v2.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.44880.100.10.10.2.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1B 68 74 74 70 3A 2F   2F 63 61 2E 68 61 72 74  ..http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63   61 2F 43 50 53           e-lyne.ca/CPS

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 34 1A 32 4C 69 6D 69   74 65 64 20 4C 69 61 62  04.2Limited Liab
0010: 69 6C 69 74 79 2C 20 73   65 65 20 68 74 74 70 3A  ility, see http:
0020: 2F 2F 63 61 2E 68 61 72   74 65 2D 6C 79 6E 65 2E  //ca.harte-lyne.
0030: 63 61 2F 43 50 53                                  ca/CPS

]]  ]
]

#7: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
  RFC822Name: certificates@harte-lyne.ca
  URIName: http://ca.harte-lyne.ca
]

#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#9: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
   Object Signing CA]

#10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: certificates@harte-lyne.ca
]

#11: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97 E4 A1 87 94 49 91 8D   DA DD 5A A6 31 8B 55 CF  .....I....Z.1.U.
0010: CA 0F 65 CB                                        ..e.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[ec2-user@ip-172-31-21-185 ~]$
[ec2-user@ip-172-31-21-185 ~]$ java SSLPoke webmail.harte-lyne.ca 443
Successfully connected
[ec2-user@ip-172-31-21-185 ~]$
[ec2-user@ip-172-31-21-185 ~]$ sudo cp save /usr/lib/jvm/java-11-amazon-corretto.x86_64/lib/security/cacerts
[ec2-user@ip-172-31-21-185 ~]$ sudo keytool -cacerts -storepass changeit -importcert -file cert.pem -alias 'bigbird [xyz]'
Owner: L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016
Issuer: L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016
Serial number: 1
Valid from: Tue Nov 01 00:00:00 UTC 2016 until: Fri Oct 31 23:59:59 UTC 2036
Certificate fingerprints:
         SHA1: 09:84:38:AD:7C:E7:E1:7D:78:FE:93:CD:2A:2F:3F:3E:AF:98:C2:0F
         SHA256: 88:11:D6:A7:95:2A:DD:AE:0E:7E:B7:3B:74:BF:E5:0F:12:00:AF:18:F9:5F:1A:CC:A3:51:DF:DB:7F:14:B5:B4
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.4 Criticality=false
0000: 16 33 68 74 74 70 3A 2F   2F 63 61 2E 68 61 72 74  .3http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63   61 2F 43 41 5F 48 4C 4C  e-lyne.ca/CA_HLL
0020: 5F 52 4F 4F 54 5F 32 30   31 36 2F 63 72 6C 2D 76  _ROOT_2016/crl-v
0030: 31 2E 63 72 6C                                     1.crl


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://ca.harte-lyne.ca/CA_HLL_ROOT_2016/ca.crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 97 E4 A1 87 94 49 91 8D   DA DD 5A A6 31 8B 55 CF  .....I....Z.1.U.
0010: CA 0F 65 CB                                        ..e.
]
[L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016]
SerialNumber: [    01]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://ca.harte-lyne.ca/CA_HLL_ROOT_2016/crl-v2.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.44880.100.10.10.2.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1B 68 74 74 70 3A 2F   2F 63 61 2E 68 61 72 74  ..http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63   61 2F 43 50 53           e-lyne.ca/CPS

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 34 1A 32 4C 69 6D 69   74 65 64 20 4C 69 61 62  04.2Limited Liab
0010: 69 6C 69 74 79 2C 20 73   65 65 20 68 74 74 70 3A  ility, see http:
0020: 2F 2F 63 61 2E 68 61 72   74 65 2D 6C 79 6E 65 2E  //ca.harte-lyne.
0030: 63 61 2F 43 50 53                                  ca/CPS

]]  ]
]

#7: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
  RFC822Name: certificates@harte-lyne.ca
  URIName: http://ca.harte-lyne.ca
]

#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#9: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
   Object Signing CA]

#10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: certificates@harte-lyne.ca
]

#11: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97 E4 A1 87 94 49 91 8D   DA DD 5A A6 31 8B 55 CF  .....I....Z.1.U.
0010: CA 0F 65 CB                                        ..e.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[ec2-user@ip-172-31-21-185 ~]$ java SSLPoke webmail.harte-lyne.ca 443           Successfully connected
[ec2-user@ip-172-31-21-185 ~]$

第 4 部分——使用自己的（自定义）密钥库；同上

[ec2-user@ip-172-31-21-185 ~]$ sudo cp save /usr/lib/jvm/java-11-amazon-corretto.x86_64/lib/security/cacerts
[ec2-user@ip-172-31-21-185 ~]$ keytool -keystore sep1 -storepass changeit -importcert -file cert.pem -alias cookiemonster
Owner: L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016
Issuer: L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016
Serial number: 1
Valid from: Tue Nov 01 00:00:00 UTC 2016 until: Fri Oct 31 23:59:59 UTC 2036
Certificate fingerprints:
         SHA1: 09:84:38:AD:7C:E7:E1:7D:78:FE:93:CD:2A:2F:3F:3E:AF:98:C2:0F
         SHA256: 88:11:D6:A7:95:2A:DD:AE:0E:7E:B7:3B:74:BF:E5:0F:12:00:AF:18:F9:5F:1A:CC:A3:51:DF:DB:7F:14:B5:B4
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.4 Criticality=false
0000: 16 33 68 74 74 70 3A 2F   2F 63 61 2E 68 61 72 74  .3http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63   61 2F 43 41 5F 48 4C 4C  e-lyne.ca/CA_HLL
0020: 5F 52 4F 4F 54 5F 32 30   31 36 2F 63 72 6C 2D 76  _ROOT_2016/crl-v
0030: 31 2E 63 72 6C                                     1.crl


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://ca.harte-lyne.ca/CA_HLL_ROOT_2016/ca.crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 97 E4 A1 87 94 49 91 8D   DA DD 5A A6 31 8B 55 CF  .....I....Z.1.U.
0010: CA 0F 65 CB                                        ..e.
]
[L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016]
SerialNumber: [    01]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://ca.harte-lyne.ca/CA_HLL_ROOT_2016/crl-v2.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.44880.100.10.10.2.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1B 68 74 74 70 3A 2F   2F 63 61 2E 68 61 72 74  ..http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63   61 2F 43 50 53           e-lyne.ca/CPS

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 34 1A 32 4C 69 6D 69   74 65 64 20 4C 69 61 62  04.2Limited Liab
0010: 69 6C 69 74 79 2C 20 73   65 65 20 68 74 74 70 3A  ility, see http:
0020: 2F 2F 63 61 2E 68 61 72   74 65 2D 6C 79 6E 65 2E  //ca.harte-lyne.
0030: 63 61 2F 43 50 53                                  ca/CPS

]]  ]
]

#7: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
  RFC822Name: certificates@harte-lyne.ca
  URIName: http://ca.harte-lyne.ca
]

#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#9: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
   Object Signing CA]

#10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: certificates@harte-lyne.ca
]

#11: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97 E4 A1 87 94 49 91 8D   DA DD 5A A6 31 8B 55 CF  .....I....Z.1.U.
0010: CA 0F 65 CB                                        ..e.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[ec2-user@ip-172-31-21-185 ~]$ 
[ec2-user@ip-172-31-21-185 ~]$ java -Djavax.net.ssl.trustStore=sep1 -Djavax.net.ssl.trustStorePassword=changeit SSLPoke webmail.harte-lyne.ca 443
Successfully connected
[ec2-user@ip-172-31-21-185 ~]$
[ec2-user@ip-172-31-21-185 ~]$ keytool -keystore sep2 -storepass changeit -importcert -file cert.pem -alias 'big bird [xyz]'
Owner: L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016
Issuer: L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016
Serial number: 1
Valid from: Tue Nov 01 00:00:00 UTC 2016 until: Fri Oct 31 23:59:59 UTC 2036
Certificate fingerprints:
         SHA1: 09:84:38:AD:7C:E7:E1:7D:78:FE:93:CD:2A:2F:3F:3E:AF:98:C2:0F
         SHA256: 88:11:D6:A7:95:2A:DD:AE:0E:7E:B7:3B:74:BF:E5:0F:12:00:AF:18:F9:5F:1A:CC:A3:51:DF:DB:7F:14:B5:B4
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.4 Criticality=false
0000: 16 33 68 74 74 70 3A 2F   2F 63 61 2E 68 61 72 74  .3http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63   61 2F 43 41 5F 48 4C 4C  e-lyne.ca/CA_HLL
0020: 5F 52 4F 4F 54 5F 32 30   31 36 2F 63 72 6C 2D 76  _ROOT_2016/crl-v
0030: 31 2E 63 72 6C                                     1.crl


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://ca.harte-lyne.ca/CA_HLL_ROOT_2016/ca.crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 97 E4 A1 87 94 49 91 8D   DA DD 5A A6 31 8B 55 CF  .....I....Z.1.U.
0010: CA 0F 65 CB                                        ..e.
]
[L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016]
SerialNumber: [    01]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://ca.harte-lyne.ca/CA_HLL_ROOT_2016/crl-v2.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.44880.100.10.10.2.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1B 68 74 74 70 3A 2F   2F 63 61 2E 68 61 72 74  ..http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63   61 2F 43 50 53           e-lyne.ca/CPS

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 34 1A 32 4C 69 6D 69   74 65 64 20 4C 69 61 62  04.2Limited Liab
0010: 69 6C 69 74 79 2C 20 73   65 65 20 68 74 74 70 3A  ility, see http:
0020: 2F 2F 63 61 2E 68 61 72   74 65 2D 6C 79 6E 65 2E  //ca.harte-lyne.
0030: 63 61 2F 43 50 53                                  ca/CPS

]]  ]
]

#7: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
  RFC822Name: certificates@harte-lyne.ca
  URIName: http://ca.harte-lyne.ca
]

#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#9: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
   S/MIME CA
   Object Signing CA]

#10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: certificates@harte-lyne.ca
]

#11: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 97 E4 A1 87 94 49 91 8D   DA DD 5A A6 31 8B 55 CF  .....I....Z.1.U.
0010: CA 0F 65 CB                                        ..e.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[ec2-user@ip-172-31-21-185 ~]$ java -Djavax.net.ssl.trustStore=sep2 -Djavax.net.ssl.trustStorePassword=changeit SSLPoke webmail.harte-lyne.ca 443
Successfully connected
[ec2-user@ip-172-31-21-185 ~]$

PS：在证明方（通常是服务器）上使用的密钥管理器是不同的。默认的 keymanager 不使用别名，但我见过很多其他的，尤其是 Tomcat。在这些情况下，别名与配置匹配至关重要，但与 CN 或证书中的任何其他数据不匹配。

java - 创建java识别的证书链的过程

2 回答 2

Related

Reference