Original URL: http://stackoverflow.com/questions/4428901/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
How to preserve the CAcerts keystore on Mac across updates?
Asked by Bernd Haug
Mac OS X has the CA keystore in /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts. This keystore seems to be overwritten by every Java update, which is very annoying since we have internal CAs for development environments, testing…
Is there a way to preserve keystore changes across Apple JSRs, and now, with Snow Leo JSR3, also across updates for the separate Java developer packages (whose JDKs use the same keystore)?
Accepted answer by Barry Wark
[ This is outdated info - see the answer below for 10.6+ ]
/System/Library/Frameworks/JavaVM.framework/Home/ is a symlink to Versions/CurrentJDK/Home within JavaVM.framework. Obviously this will change with a new Version. Use the full path (e.g. /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home) and it won't change across updates.
Answer by kldavis4
The following parameters can be used to specify the location of the cacerts file to java:
-Djavax.net.ssl.trustStore=<cacerts.location>
-Djavax.net.ssl.trustStorePassword=changeit
Make a copy of the cacerts in the java home directory (with internal CAs) and put it somewhere in your home directory. Then put the full path to the cacerts file location as the value of javax.net.ssl.trustStore property above. That copy will not get overwritten by Java updates. The default password is 'changeit'.
Two downsides to this approach are:
- Your file won't get any updates to the cacerts file in the sdk. This is primarily an issue if a certificate authority is compromised.
- Everywhere you need the custom cacerts (build tools, app server, etc), these parameters need to be specified.
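One way to script the private-copy approach while addressing its first downside, as an added example that is not part of the original answers: rebuild the private store from the JDK's current cacerts whenever that file changes, re-importing the internal CAs each time. The function names, the directory of PEM files and the baseline copy are assumptions made for this sketch; the keytool options are the standard ones.

```shell
#!/bin/sh
# Added example: keep a private trust store in sync with the JDK's cacerts.
# All paths passed to these functions are assumptions; KEYTOOL can be overridden.
KEYTOOL=${KEYTOOL:-keytool}
STOREPASS=${STOREPASS:-changeit}   # default cacerts password, per the answer

# True (0) if the JDK store changed since the last rebuild, or no baseline exists.
needs_rebuild() {  # needs_rebuild <system_cacerts> <baseline_copy>
    [ ! -f "$2" ] || ! cmp -s "$1" "$2"
}

# Start from the current JDK store, then re-import every internal CA (*.pem).
rebuild_truststore() {  # <system_cacerts> <private_store> <baseline_copy> <ca_dir>
    tmp="$2.tmp.$$"
    cp "$1" "$tmp" || return 1
    chmod u+w "$tmp"
    for pem in "$4"/*.pem; do
        [ -e "$pem" ] || continue          # directory holds no PEM files
        name=$(basename "$pem" .pem)       # file name doubles as keystore alias
        "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$name" \
            -file "$pem" -keystore "$tmp" -storepass "$STOREPASS" \
            || { rm -f "$tmp"; return 1; }
    done
    mv "$tmp" "$2" && cp "$1" "$3"         # publish store, then record baseline
}

# JVM flags from the answer, pointing at the private store.
truststore_flags() {  # truststore_flags <private_store>
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$1" \
        "-Djavax.net.ssl.trustStorePassword=$STOREPASS"
}

# Rebuild only when needed; always print the flags for the caller.
sync_truststore() {  # <system_cacerts> <private_store> <baseline_copy> <ca_dir>
    if needs_rebuild "$1" "$3" || [ ! -f "$2" ]; then
        rebuild_truststore "$1" "$2" "$3" "$4" || return 1
    fi
    truststore_flags "$2"
}
```

A launcher script can call sync_truststore with the system cacerts path, a store and baseline under the home directory, and the CA directory, then pass the printed flags to java. Because the store is rebuilt from the JDK's file, CA removals shipped in a Java update carry over to the private copy.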
Answer by Hans-Christoph Steiner
It seems things have changed in Mac OS X 10.6.8 Snow Leopard. Now /System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts is a symlink to /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts, which won't change on updates, if we're lucky.