在java程序中使用浏览器的证书
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/23465472/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Using browser's certificate in java program
提问by Arvind
I am trying to make HTTP GET request using HttpURLConnection in java. When I make get using browser it says me certificate is not trusted do you want to proceed. I accept certificate and GET request get data. but i am getting certificate exception in java( given below )
我正在尝试使用 java 中的 HttpURLConnection 发出 HTTP GET 请求。当我使用浏览器时,它说我的证书不受信任,你想继续吗?我接受证书和 GET 请求获取数据。但我在 Java 中收到证书异常(如下所示)
What i understood from this exception is, I need to download that certificate and put this java system property berfore making GET request.
我从这个异常中了解到,我需要下载该证书并在发出 GET 请求之前放置这个 java 系统属性。
My questions are.
我的问题是。
- How will download this certificate from browser?
- Can I use browser's certificate store in my java program, what do I need to know to use that?
- If i want to install certificate in my keystore then what do I need to do?
- 如何从浏览器下载此证书?
- 我可以在我的 java 程序中使用浏览器的证书存储,我需要知道什么才能使用它?
- 如果我想在我的密钥库中安装证书,那么我需要做什么?
THANKS A LOT :)
多谢 :)
I am trying to download certificate using keytool command. I do not have any idea where certificate is stored in server, but i gave the path of server which i use in browser and browser says certificate is not trusted.
我正在尝试使用 keytool 命令下载证书。我不知道证书在服务器中的存储位置,但我给出了我在浏览器中使用的服务器路径,浏览器说证书不受信任。
URL gatewayServiceUrl = new URL("http://192.168.55.179:56400/nwa");
HttpURLConnection connection = (HttpURLConnection) gatewayServiceUrl.openConnection();
connection.setRequestMethod("GET");
connection.setRequestProperty("Authorization", getExample.getBasicAuth());
connection.connect();
if (HttpURLConnection.HTTP_OK == connection.getResponseCode()) {
System.out.println("success");
System.out.println(getExample.getDataFromStream(connection.getInputStream()));
} else {
System.out.println("success");
System.out.println(getExample.getDataFromStream(connection.getErrorStream()));
}
System.out.println(connection.getResponseCode());
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at com.testweb.GetExample.main(GetExample.java:18)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
采纳答案by albciff
You have to add the issuer CA's of your server certificate (or directly the server certificate in case of for example your cds is selfsigned) to the truststore in order to avoid PKIX path builder exception.
您必须将服务器证书的颁发者 CA(或直接添加服务器证书,例如您的 cds 是自签名的)到信任库,以避免 PKIX 路径构建器异常。
By default java truststore is on JAVA_HOME/jre/lib/security/cacerts (you can specify another trust store with javax.net.ssl.trustStore property).
默认情况下,java 信任库位于 JAVA_HOME/jre/lib/security/cacerts(您可以使用 javax.net.ssl.trustStore 属性指定另一个信任库)。
To do this, first download the server certificate. You can download the server certificate for example with Chrome connecting to the server url and click on the green lock, then select the tab connection and click on certificate information:
为此,首先下载服务器证书。您可以下载服务器证书,例如 Chrome 连接到服务器 url 并单击绿色锁,然后选择选项卡连接并单击证书信息:
Then save this certificate on disc.
然后将此证书保存在光盘上。
Now you have to add this certificate to java trust store, you can do it with java keytool (if is in your path use keytool if not keytool is on JAVA_HOME/bin/keytool):
现在您必须将此证书添加到 java 信任库,您可以使用 java keytool 来完成(如果在您的路径中,则使用 keytool 如果不是 keytool 在 JAVA_HOME/bin/keytool 上):
keytool -import -trustcacerts -alias myServerCertificate -file path/myServerCert.crt -keystore JAVA_HOME/jre/lib/security/cacerts
The default password for cacerts is: changeit
cacerts 的默认密码是:changeit
Hope this helps,
希望这可以帮助,
回答by Tonino
Otherwise, Try to follow solution that you can found in this link: https://stackoverflow.com/a/3685601/2088039
否则,请尝试遵循您可以在此链接中找到的解决方案:https: //stackoverflow.com/a/3685601/2088039
You can export a certificate using Firefox, this sitehas instructions. Then you use keytoolto add the certificate.
回答by Jeff Sheets
The other answers work, but I find exporting the cert in browsers to be troublesome. Here's my steps for exporting then importing the cert all from the command line: https://gist.github.com/jeffsheets/d2880dc1e2ea241b19f140c54809f750
其他答案有效,但我发现在浏览器中导出证书很麻烦。这是我从命令行导出然后导入证书的步骤:https: //gist.github.com/jeffsheets/d2880dc1e2ea241b19f140c54809f750
Command to export a cert from a website to a .cer file (example uses google.com):
将证书从网站导出到 .cer 文件的命令(示例使用 google.com):
openssl s_client -servername google.com -connect google.com:443 </dev/null 2>/dev/null | openssl x509 -inform PEM -outform DER -out google.com.cer
Command to import into local java truststore (use your own location of JAVA_HOME)
导入本地java信任库的命令(使用自己的JAVA_HOME位置)
"$JAVA_HOME"/bin/keytool -keystore "$JAVA_HOME"/jre/lib/security/cacerts -importcert -alias google.com -file google.com.cer
default java keystore password is changeit
if you get an update denied message, in Windows File Explorer set security on cacerts file to MODIFY for all Users (or chmod on linux)
- if keytool is not found, define a JAVA_HOME environment variable (or replace $JAVA_HOME with the full path)
默认的 Java 密钥库密码是 changeit
如果您收到更新被拒绝的消息,请在 Windows 文件资源管理器中将 cacerts 文件的安全性设置为所有用户的修改(或 linux 上的 chmod)
- 如果找不到 keytool,请定义一个 JAVA_HOME 环境变量(或将 $JAVA_HOME 替换为完整路径)
