有没有办法加载与 java_home/jre/lib/security 文件夹中指定的不同的 cacerts?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2642046/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is there a way to load a different cacerts than the one specified in the java_home/jre/lib/security folder?
提问by feniix
I have a single installation of java in a system that runs 2 or 3 applications.
我在运行 2 或 3 个应用程序的系统中只安装了一个 java。
All the applications use the same runtime.
所有应用程序都使用相同的运行时。
Is there a way to specify a different keystores for the ca certs than the one in java_home/jre/lib/security. That is, is there an option to specify an "extra" keystore that is loaded and added to the certs loaded from java_home/jre/lib/security/cacerts?
有没有办法为 ca 证书指定不同的密钥库而不是 java_home/jre/lib/security.conf 中的密钥库。也就是说,是否有一个选项可以指定加载并添加到从 java_home/jre/lib/security/cacerts 加载的证书中的“额外”密钥库?
What I want to avoid is having to re-import our local ca every time I upgrade the jdk in the box.
我想避免的是每次升级盒子中的jdk时都必须重新导入我们的本地ca。
采纳答案by CoverosGene
I think you want to specify the truststore:
我认为您要指定信任库:
java -Djavax.net.ssl.trustStore=/home/gene/mycacerts ...
Or if you are using certs through JSSE (you probably are), you can copy your truststore to jssecacertsin the $JAVA_HOME/jre/lib/security/directory (although you'd still have to do that each time a JDK got installed/reinstalled). Sun's JSSE looks for $JAVA_HOME/jre/lib/security/jssecacertsbefore $JAVA_HOME/jre/lib/security/cacerts.
或者,如果你是通过JSSE使用证书(你可能是),您可以您的信任复制到jssecacerts的$JAVA_HOME/jre/lib/security/目录(虽然你仍然必须要做到这一点得到了各安装了JDK时间/重新安装)。Sun 的 JSSE$JAVA_HOME/jre/lib/security/jssecacerts之前 寻找$JAVA_HOME/jre/lib/security/cacerts.
See http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#X509TrustManager
请参阅http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#X509TrustManager
回答by OscarRyz
According to this:
根据这个:
Java SSE Referece Guide - Customization
You could use the system property:
您可以使用系统属性:
javax.net.ssl.keyStore
Like:
喜欢:
java -Djavax.net.ssl.keyStore=youkeystore YourProgram
But!! I have never tried. Let me know if it works would you?
但!!我从来没有尝试过。让我知道它是否有效,你会吗?
回答by rogue lad
These both jvm options are used to locate custom truststore and their password.
这两个 jvm 选项都用于定位自定义信任库及其密码。
java -Djavax.net.ssl.trustStore=custompath/cacerts -Djavax.net.ssl.trustStorePassword=changeit
In order to make sure what trustStore is being loaded by the application, add following argument as well,
为了确保应用程序正在加载什么 trustStore,还要添加以下参数,
-Djavax.net.debug=ssl:handshake
回答by JitenS
If your JVM contains more than one application then by default all the applications will use the default cacerts store which is in $JAVA_HOME/jre/lib/security/ location . But if you want the applications should use different cert store then you have to define the custom cert store and point to that. In this way you can create your own certstore. System.setProperty("javax.net.ssl.trustStore", "C:/certStore/cusomtcacerts");-- Use this line before creating the http/https session. You can import the certificates to the cusomtcacerts by using keytool also.
如果您的 JVM 包含多个应用程序,那么默认情况下所有应用程序都将使用 $JAVA_HOME/jre/lib/security/ location 中的默认 cacerts 存储。但是,如果您希望应用程序应该使用不同的证书存储,那么您必须定义自定义证书存储并指向它。通过这种方式,您可以创建自己的证书库。System.setProperty("javax.net.ssl.trustStore", "C:/certStore/cusomtcacerts");-- 在创建 http/https 会话之前使用这一行。您也可以使用 keytool 将证书导入 cusomtcacerts。
