Simply speaking, to establish a connection to an SSL-endpoint, you have to trust its public certificate. To trust a certificate, either itself or the certificate of its issuer has to be in the keystore.

简单地说，要建立到 SSL 端点的连接，您必须信任其公共证书。要信任证书，证书本身或其颁发者的证书必须在密钥库中。

Think of the keystore as a set of folders or a database/repository which contains certificates. Physically, it is a file in the JRE (/lib/security/cacerts).

将密钥库视为一组文件夹或包含证书的数据库/存储库。从物理上讲，它是 JRE ( /lib/security/cacerts)中的一个文件。

This repository can be modified with the keytoolcommand that ships with the JRE. See this linkfor some common commands. Another way is to use the Certificate Dialog of the Java Control Panel (this is also installed with the JRE):

可以keytool使用 JRE 附带的命令修改此存储库。有关一些常用命令，请参阅此链接。另一种方法是使用 Java 控制面板的证书对话框（这也与 JRE 一起安装）：

Keystorein Java can refer to three things, depending on the context. (They're all closely related but subtly different.)

Java 中的密钥库可以指三件事，具体取决于上下文。（它们都密切相关，但又略有不同。）

• A keystore can be a repository where private keys, certificates and symmetric keys can be stored. This is typically a file, but the storage can also be handled in different ways (e.g. cryptographic token or using the OS's own mechanism.)

• KeyStoreis also a class which is part of the standard API. It is essentially a way to load, save and generally interact with one of the "physical" keystores as described above. A KeyStorecan also be purely in memory, if you just need the API abstraction for your application.

  How to load and handle such a KeyStoreinstance depends on the format of the keystore file (or other storage system) that backs it. Multiple formatsare available. Some of the most common are JKS and PKCS#12 (.p12).

• "keystore" can also be used as the counterpart of "truststore". This is where it can get confusing, since both "keystore" and "truststore" are keystores, they're just used for different purposes. You can find more details in this answer. The keystore is used to initialise the key manager, whereas the truststore is used to initialise the trust manager. From the JSSE reference guide:

  • A TrustManagerdetermines whether the remote authentication credentials (and thus the connection) should be trusted.

  • A KeyManagerdetermines which authentication credentials to send to the remote host.

  Essentially, a keystore used as a truststore will contain a number of (CA) certificates that you're willing to trust: those are the trust anchors you are going to use to verify remote certificates you don't already know and trust. In contrast, a keystore used as a keystore will contain your own certificate and its private key: this is what you're going to use to authenticate yourself to a remote party (when required).

  There is a default truststore bundled with the JRE (/lib/security/cacerts). There isn't a default keystore, since it's usually a more explicit step for the user.

• 密钥库可以是可以存储私钥、证书和对称密钥的存储库。这通常是一个文件，但也可以以不同的方式处理存储（例如，加密令牌或使用操作系统自己的机制。）

• KeyStore也是一个类，它是标准 API 的一部分。它本质上是一种加载、保存和通常与上述“物理”密钥库之一交互的方式。KeyStore如果您只需要应用程序的 API 抽象，A也可以完全在内存中。

  如何加载和处理此类KeyStore实例取决于支持它的密钥库文件（或其他存储系统）的格式。有多种格式可供选择。一些最常见的是 JKS 和 PKCS#12 (.p12)。

• “keystore”也可以用作“truststore”的对应物。这就是它可能令人困惑的地方，因为“密钥库”和“信任库”都是密钥库，它们只是用于不同的目的。您可以在此答案中找到更多详细信息。密钥库用于初始化密钥管理器，而信任库用于初始化信任管理器。从JSSE 参考指南：

  • ATrustManager确定是否应该信任远程身份验证凭据（以及连接）。

  • AKeyManager确定将哪些身份验证凭据发送到远程主机。

  本质上，用作信任库的密钥库将包含许多您愿意信任的 (CA) 证书：这些是您将用来验证您还不知道和信任的远程证书的信任锚。相比之下，用作密钥库的密钥库将包含您自己的证书及其私钥：这是您将用于向远程方（需要时）验证自己的内容。

  有一个与 JRE ( /lib/security/cacerts)捆绑在一起的默认信任库。没有默认的密钥库，因为它通常是用户更明确的步骤。

In the context of SSL/TLS, a keystore (keystore used as a keystore) will be where a server stores its certificate and private key (or, when client-certificate authentication is used, where the client stores its certifcate and private key). A truststore (keystore used as a truststore) will be where the client stores the CA certificates of the CAs it is willing to trust, so as to be able to verify the server certificate when making a connection to an SSL/TLS server (similarly, on the server side, this is also where the CA certificates used to verify the client certificates are stored).

在 SSL/TLS 的上下文中，密钥库（用作密钥库的密钥库）将是服务器存储其证书和私钥的位置（或者，当使用客户端证书身份验证时，客户端存储其证书和私钥的位置）。信任库（用作信任库的密钥库）将是客户端存储它愿意信任的 CA 的 CA 证书的地方，以便在连接到 SSL/TLS 服务器时能够验证服务器证书（类似地，在服务器端，这也是用于验证客户端证书的 CA 证书的存储位置）。

Typically, the error you're getting ("ValidatorException: PKIX path building failed") happens when the certificate of the server you're connecting to cannot be verified using any certificate in the truststore you're using. You would generally need to have in your truststore either the server certificate directly in your truststore (which is only manageable on a small scale) or the CA certificate of the CA used to issue that server certificate (or one of the certificates in the chain it presents, when there is a chain).

通常，ValidatorException: PKIX path building failed当您连接到的服务器的证书无法使用您正在使用的信任库中的任何证书进行验证时，您收到的错误 (" ") 就会发生。您通常需要在您的信任库中拥有直接在您的信任库中的服务器证书（只能在小范围内进行管理）或用于颁发该服务器证书的 CA 的 CA 证书（或链中的证书之一）礼物，当有链时）。

I had this problem too because I was importing a certificate in a JDK that wasn't used by my java program so check the current JDK of you're program then run key tool command:

我也遇到了这个问题，因为我在我的 java 程序未使用的 JDK 中导入了一个证书，因此请检查您程序的当前 JDK，然后运行关键工具命令：

keytool -importcert –trustcacerts -alias [certificate name] -keystore "C:\Program Files\Java\jdk1.7.0_71\jre\lib\security\cacerts" -storepass changeit -file [certificate name].cer