基于 https 的 Java Web 服务 - 如何将自签名证书添加到客户端 api 中?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2224030/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Java web service over https - How to add a self-signed certificate into a client api?
提问by albertototo
I have a "Hello World" web service created with axis2. I would like to write a client api which could use this service over httpswith a self-signed certificate. I have a self-signed certificate myCertificate.cerand a keystorecontaining it.
我有一个用axis2 创建的“Hello World”Web 服务。我想编写一个客户端 api,它可以通过https自签名证书使用此服务。我有一个自签名证书myCertificate.cer和一个keystore包含它的证书。
Here is my client API :
这是我的客户端 API:
public class MyApi{
public Object callMyService(){
Axis2TestStub stub = new Axis2TestStub(
"https://localhost:8443/axis2/services/Axis2Test");
System.setProperty("javax.net.ssl.trustStore",
"src/main/resources/myKeystore.jks")
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
Hello request = new Hello();
request.setMot("World");
HelloResponse response = stub.hello(request);
Object mot = response.get_return();
return mot;
It works but I would like to use myCertificate.cerand not a keystorecontaining it. Does someone know how to do that? I tried to override httpsprotocol with no success :
它有效,但我想使用myCertificate.cer而不是keystore包含它。有人知道怎么做吗?我试图覆盖https协议但没有成功:
HttpSecureProtocol myHttpsProtocol = new HttpSecureProtocol();
myHttpsProtocol .setCheckHostname(false);
myHttpsProtocol .addTrustMaterial(new TrustMaterial("myCertificate.cer"));
Protocol customHttps = new Protocol("https",
(ProtocolSocketFactory) myHttpsProtocol , 8443);
Protocol.registerProtocol("https", customHttps);
回答by Pascal Thivent
I would like to write a client api which could use this service over https with a self-signed certificate. I have a self-signed certificate myCertificate.cer and a keystore containing it.
我想编写一个客户端 api,它可以通过带有自签名证书的 https 使用此服务。我有一个自签名证书 myCertificate.cer 和一个包含它的密钥库。
The server key storedo contain the server's self-signed certificate and private key and is used by the server to sign messages and to return credentials to the client.
该服务器密钥存储确实包含服务器的自签名的证书和私钥,并使用由服务器对邮件签名和证书返回给客户端。
On the client-side, you need to import the server certificate into the client trust store(and generally, you don't want the private key in the client trust store so you extract a stand-alone certificate file i.e. without the private key and then you import that server certificate in the trust store).
在客户端,您需要将服务器证书导入客户端信任库(通常,您不希望客户端信任库中的私钥,因此您提取一个独立的证书文件,即没有私钥和然后在信任库中导入该服务器证书)。
It works but I would like to use myCertificate.cer and not a keystore containing it.
它有效,但我想使用 myCertificate.cer 而不是包含它的密钥库。
It's not a key store but a trust store and adding the certificate to the client trust store is required because self-signed certificates are not signed by a root CA and are not trusted by default. So you need to create a chain of trust.
它不是密钥库,而是信任库,需要将证书添加到客户端信任库,因为自签名证书不是由根 CA 签名的,默认情况下不受信任。所以你需要创建一个信任链。
Now, you can maybe distribute the trust store in the JAR of the client API. This approach is discussed in this thread(the biggest problem being that you'll have to redistribute the JAR when the server certificate expires). Personally, I don't really like this solution.
现在,您可以在客户端 API 的 JAR 中分发信任存储。此线程中讨论了此方法(最大的问题是您必须在服务器证书到期时重新分发 JAR)。就个人而言,我不太喜欢这个解决方案。
IMHO, the good solution if you want to skip the trust store stuff would be to buy a real certificate from a widely-known certificate vendor for which you already have root CA certificates in the trust store (like Verisign, Thawte).
恕我直言,如果您想跳过信任存储的内容,好的解决方案是从广为人知的证书供应商处购买真实证书,您已经在信任存储中拥有根 CA 证书(如 Verisign、Thawte)。
回答by Taylor Leese
I would just add the certificate to the cacerts file of the JDK running your app. If you do this then you won't have to do anything else. The code you have above wouldn't be required. You add the certificate to the keystore by running a command similar to below:
我只是将证书添加到运行您的应用程序的 JDK 的 cacerts 文件中。如果你这样做了,那么你就不需要做任何其他事情了。不需要您上面的代码。您可以通过运行类似于以下的命令将证书添加到密钥库:
C:/<jdk-version/bin/keytool -import -alias myalias -file mycert.crt -keystore C:/<jdk-version>/jre/lib/security/cacerts
