Original URL: http://stackoverflow.com/questions/5252800/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
How to automatically install self signed certificate in IE Trusted Root Certification Authorities store
Asked by Marquinio
I created a self signed certificate but the browser tells me "This CA Root Certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store".
I did by going into IE --> Internet Options --> Content --> Certificates --> etc... I actually had to export the self signed certificate and then import it into the Trusted Root Certification. Only after the certificate was located under the ROOT store in the user's machine that IE did not display any WARNINGS.
This will be deployed in a production environment, so having the users manually do the above steps is unacceptable.
How can I automatically do this? I just want them to accept and not have that "Certificate Error" and have the URL bar turned "RED" in IE.
I'm using Tomcat 5.5. I also followed the same steps as in the Tomcat SSL How To Tutorial http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
Thanks in advance.
Answer by Jcs
Java 6 provides a cryptographic provider named SunMSCAPI to access the windows cryptography libraries API. This provider implements a keystore "Windows-Root" containing all Trust Anchors certificates.
It is possible to insert a certificate in this keystore.
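```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

KeyStore root = KeyStore.getInstance("Windows-ROOT");
root.load(null);
/* certificate must be DER-encoded */
FileInputStream in = new FileInputStream("C:/path/to/root/cert/root.der");
X509Certificate cacert = (X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate(in);
in.close(); // release the file handle once the certificate is parsed
root.setCertificateEntry("CACert Root CA", cacert);
```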
The user will be prompted for confirmation. If the operation is canceled by the user then a KeyStoreException is thrown.
Some technotes about the provider can be found here: http://download.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunMSCAPI
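A more defensive form of the Windows-ROOT import from the answer above, as an added example that is not part of the original answers: it checks the certificate's SHA-256 fingerprint against a value obtained out of band and confirms the certificate is self-signed and currently valid before touching the store. The class name, the three command-line arguments and the messages are assumptions; it needs Java 7 or later on Windows.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical helper class (not from the page): pin, verify, then import a root.
public class InstallPinnedRoot {
    // Lower-case hex SHA-256 of the DER encoding, i.e. the certificate fingerprint.
    static String sha256Hex(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    // Reject anything that is not the expected, currently valid, self-signed certificate.
    static void check(X509Certificate cert, String expectedHex) throws Exception {
        String actual = sha256Hex(cert);
        if (!actual.equalsIgnoreCase(expectedHex.replace(":", "")))
            throw new SecurityException("fingerprint mismatch, got " + actual);
        cert.checkValidity();               // throws if expired or not yet valid
        cert.verify(cert.getPublicKey());   // throws unless signed by its own key
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) throw new IllegalArgumentException("usage: <cert-file> <sha256-hex> <alias>");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        check(cert, args[1]);
        KeyStore root = KeyStore.getInstance("Windows-ROOT"); // SunMSCAPI, Windows only
        root.load(null, null);
        if (root.getCertificateAlias(cert) != null) {
            System.out.println("already in Windows-ROOT, nothing to do");
            return;
        }
        try {
            root.setCertificateEntry(args[2], cert);
            System.out.println("installed " + sha256Hex(cert));
        } catch (KeyStoreException e) {
            // Per the answer above, a cancelled confirmation prompt ends up here.
            System.err.println("not installed: " + e.getMessage());
        }
    }
}
```

The fingerprint check is what ties the file on disk to the certificate the administrator actually intended to trust; the Windows confirmation prompt described in the answer still appears.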
Answer by Jim Garrison
Think about it. If this were possible, what would stop any fraudulent site from doing the same thing and making it look like their site was trusted? The whole point is that the user HAS to OK the certificate installation.
Answer by Eugene Mayevski 'Callback
First of all, the possibility of doing this would compromise the user's security, so it would be a security hole, so no, there's no easy way to do this.
Next, different software has different certificate stores. Microsoft and Chrome browser use CryptoAPI stores, Firefox has its own store (Chrome can also use Firefox's one AFAIK). Adobe's software has its own store (in addition to CryptoAPI one).