Java: How do I get the SSL certificate for an LDAP server using StartTLS?
Disclaimer: this page is a translation of a popular StackOverflow question and is provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same license, attribute it to the original authors (not me) and link to the original: StackOverflow
Original URL: http://stackoverflow.com/questions/18833524/
How do I get the SSL certificate for an LDAP server using StartTLS?
Asked by Eric
I am trying to configure my application to access an LDAP server that is listening only on port 389 using the StartTLS extension for security. I want to get a copy of the SSL certificate so I can specify it as a known certificate (in a jssecacerts file, since my application is written in Java).
If it was running on port 636, I would use openssl like so:
openssl s_client -host myhost -port 636
and grab the certificate from the output.
My first thought was to try using:
openssl s_client -host myhost -port 389 -starttls ...
but that doesn't support the LDAP version of starttls.
Then, I tried using ldapsearch with a high debug level:
ldapsearch -ZZ -h myhost -d99 ...
and I could see that the over-the-wire data includes the certificate, but it's not in a form that I know how to use.
Is there an easy way to get the certificate, either through command line tools or a short program? (I don't particularly care which language, but Java would be ideal)
Accepted answer by Sergey Ushakov
A new revision of the well-known InstallCert program now supports STARTTLS for several protocols, LDAP included.
Just run it like this:
java -jar installcert-usn-20131123.jar host_name:389
and it will save the certificate for you in the jssecacerts keystore file in your JRE file tree, and also in the extracerts keystore file in your current directory. You can then use Java keytool to export the certificate(s) to other formats.
You are welcome to visit my blog page Yet another InstallCert for Java, now with STARTTLS support for download and instructions.
Answer by user207421
Do a connect as described in the Javadoc, using the sample code at the top. That gives you the SSLSession, from which you can get the peer certificate chain, from which you can get the X509Certificate of the peer as element zero. Then save that wherever you need to, using Certificate.getEncoded() to get the certificate as a byte[] array. Or you could add it directly to a new or old KeyStore object and save that.
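The route described in this answer, carried through as an added worked example (my code, not the answerer's, not the InstallCert program and not from any project): open a cleartext JNDI connection on 389, send the StartTLS extended operation, obtain the SSLSession from the hostname-verifier callback, take the peer chain (leaf at element zero), and write it out as PEM with a SHA-256 fingerprint and optionally into a fresh keystore. Because the whole point is to see a certificate that is not yet trusted, the trust manager accepts any chain and the verifier records rather than rejects; that makes this a capture tool only, and the printed fingerprint must be checked out of band (with the server's administrator) before anything is imported. The class name LdapStartTlsCertDump, the alias scheme, and the keystore password "changeit" are my assumptions; the OID, the JNDI classes and the JSSE calls are the standard JDK ones.

```java
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Capture tool (example code, not from the original page): connect to LDAP on
 * 389, issue StartTLS, and dump the chain the server presents as PEM plus a
 * SHA-256 fingerprint. Trust and hostname checks are deliberately disabled so
 * an unknown certificate can be observed; verify the fingerprint out of band
 * before importing anything into a trust store.
 */
public class LdapStartTlsCertDump {

    /** Accepts any server chain. Exists only so the handshake completes. */
    static final class AcceptAllTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Chain taken from the SSLSession inside the hostname-verifier callback. */
    static X509Certificate[] captured;

    static String toPem(X509Certificate cert) throws Exception {
        String b64 = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
    }

    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            sb.append(i == 0 ? "" : ":").append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java LdapStartTlsCertDump host[:port] [out.jks]");
            System.exit(2);
        }
        String[] hp = args[0].split(":", 2);
        String host = hp[0];
        String port = hp.length > 1 ? hp[1] : "389";

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        LdapContext ctx = new InitialLdapContext(env, null);   // cleartext so far

        SSLContext ssl = SSLContext.getInstance("TLS");
        ssl.init(null, new TrustManager[] { new AcceptAllTrustManager() }, null);

        // Extended operation 1.3.6.1.4.1.1466.20037: upgrade the open socket in place.
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        // JNDI's built-in verifier aborts on a name mismatch before the chain can be
        // inspected; this one records the chain (leaf at element zero) and accepts.
        tls.setHostnameVerifier((name, session) -> {
            try {
                Certificate[] peer = session.getPeerCertificates();
                captured = new X509Certificate[peer.length];
                for (int i = 0; i < peer.length; i++) captured[i] = (X509Certificate) peer[i];
                return true;
            } catch (SSLPeerUnverifiedException e) {
                return false;   // anonymous cipher suite: nothing to capture
            }
        });
        tls.negotiate(ssl.getSocketFactory());
        tls.close();
        ctx.close();

        for (int i = 0; i < captured.length; i++) {
            System.out.println("# chain[" + i + "] subject=" + captured[i].getSubjectX500Principal());
            System.out.println("# SHA-256: " + sha256Fingerprint(captured[i]));
            System.out.print(toPem(captured[i]));
        }

        if (args.length > 1) {
            // Import the whole chain as trusted entries. For a real trust store keep
            // only the issuing CA (last element) so leaf rotation does not break you.
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(null, null);                       // start from an empty keystore
            for (int i = 0; i < captured.length; i++) {
                ks.setCertificateEntry(host + "-" + i, captured[i]);
            }
            try (OutputStream out = new FileOutputStream(args[1])) {
                ks.store(out, "changeit".toCharArray());   // assumed password
            }
        }
    }
}
```

Run it as `java LdapStartTlsCertDump myhost` to print the PEM chain, or `java LdapStartTlsCertDump myhost:389 extracerts.jks` to also write a keystore you can feed to keytool. The PEM output is the same form `openssl s_client` would have shown on port 636, so it pipes straight into `keytool -importcert`. Treat the first capture as trust-on-first-use: the connection that fetched the certificate was, by construction, not authenticated.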
Answer by jwilleke
We have documented some of the different methods.
And yes, OpenSSL last time I looked STILL does not have the ability to use the LDAP protocol for the starttls option. It should be like:
openssl s_client -connect remote.host:389 -starttls ldap