Java: Can we load multiple certificates and keys in a key store?
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must likewise comply with the CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/6370745/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Can we load multiple Certificates & Keys in a Key Store?
Asked by Jay
Can we load multiple Certificates & Keys in a Key Store?
Is it always required to load only Pairs (i.e. Certificates & Keys together)?
If a Key Store has multiple Certificates and Keys, which one will get selected when Java SSL tries to establish connection as a Server?
Accepted answer by Bruno
Although this depends on the KeyStore type, generally, you can store multiple private keys and certificates in a single store.
Which key and certificate combination is used for a Java-based server will depend on how the application was implemented. A number of applications let you select a given certificate using the alias name. The key and certificate getters in KeyStore take an alias parameter to make this choice. Usually, when this is not specified in the configuration, the application or framework will use the first suitable one it finds based on the KeyStore.aliases() enumeration.
Tomcat, for example, uses the keyAlias attribute in its Connector configuration:
keyAlias: The alias used for the server certificate in the keystore. If not specified the first key read in the keystore will be used.
Regarding key pairs, some KeyStores (again, depending on the type) can be used to store SecretKeys (e.g. DES), that is shared keys, as well as public-private key pairs.
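The selection behaviour described in the accepted answer can be made explicit in code. The following is an added example, not code from the original answers or from any framework: it lists what a keystore actually contains (key entries versus trusted-certificate-only entries), then builds an SSLContext whose server-side key manager always returns one chosen alias instead of whatever KeyStore.aliases() happens to yield first. The keystore path, password and alias are placeholders; the wrapper class name and its methods are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Added example (not from the original StackOverflow answers).
 * Shows what lives in a keystore and pins the server certificate to one alias.
 */
public class PinnedAliasServerContext {

    /** Print every alias and whether it is a key entry (private key + chain) or a trusted certificate only. */
    static void listEntries(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String kind = ks.isKeyEntry(alias) ? "key entry (usable as server identity)"
                                               : "trusted certificate only";
            System.out.println(alias + ": " + kind);
        }
    }

    /**
     * Wrap the provider's key manager so that every server-side handshake uses {@code alias}.
     * Client-side and lookup methods are delegated unchanged.
     */
    static X509ExtendedKeyManager pinServerAlias(X509ExtendedKeyManager delegate, String alias) {
        // Fail early: a trusted-cert-only entry or a misspelled alias has no private key.
        if (delegate.getPrivateKey(alias) == null) {
            throw new IllegalArgumentException("alias '" + alias + "' is not a key entry in this keystore");
        }
        return new X509ExtendedKeyManager() {
            @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return alias; }
            @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { return alias; }
            @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
            @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseEngineClientAlias(keyType, issuers, engine); }
            @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
            @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
            @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
            @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
        };
    }

    /** Load the keystore, list it, and build a server SSLContext bound to the chosen alias. */
    static SSLContext buildServerContext(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        listEntries(ks);

        // "SunX509" keys its entries by the plain keystore alias, so the alias we pin matches ks.aliases().
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, password);

        KeyManager[] managers = kmf.getKeyManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509ExtendedKeyManager) {
                managers[i] = pinServerAlias((X509ExtendedKeyManager) managers[i], alias);
            }
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(managers, null, null); // default trust managers and SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: replace with a real keystore, its password and a key-entry alias.
        SSLContext ctx = buildServerContext("/path/to/server.jks", "changeit".toCharArray(), "myserver");
        System.out.println("Server context ready, protocol " + ctx.getProtocol());
    }
}
```

Running listEntries first is worth the extra lines: it makes the difference between a key entry and a trusted-certificate entry visible, which is the distinction behind "is it always required to load only pairs". A server identity needs a key entry (private key plus certificate chain); trusted-certificate entries exist only so the store can double as a truststore. The wrapper also refuses an alias that has no private key, which is the failure you would otherwise only discover as a handshake error.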
Answered by musiKk
You can have a keystore with as many certificates and keys as you like.
If there are multiple certificates in a keystore a client uses as its truststore, all certificates are being looked at until one is found that fits. You can look at the preinstalled certificates, they are in /lib/security/cacerts. It's just a big collection of root CAs' certificates.
Regarding the keys I don't know. I'd reckon the client uses a key that is signed by the same CA as the certificate that is provided by the server and if there are multiple, the first is used. But I can't say that for sure.