Truststore and keystore definitions

Published 2024-07-08 18:45:40 · 20 characters · 13 views · 0 comments

What's the difference between a keystore and a truststore?

Comments (7)

渡你暖光 2024-07-15 18:45:41

A keystore contains private keys, and the certificates with their corresponding public keys.

A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties.

暖伴 2024-07-15 18:45:41
  1. A keystore contains private keys. You only need this if you are
    a server, or if the server requires client authentication.

  2. A truststore contains CA certificates to trust. If your server’s
    certificate is signed by a recognized CA, the default truststore
    that ships with the JRE will already trust it (because it already
    trusts trustworthy CAs), so you don’t need to build your own,
    or to add anything to the one from the JRE.

Source

ˇ宁静的妩媚 2024-07-15 18:45:41

In an SSL handshake the purpose of the trustStore is to verify credentials and the purpose of the keyStore is to provide credentials.

keyStore

The keyStore in Java stores private keys and the certificates corresponding to their public keys, and is required if you are an SSL server or if SSL requires client authentication.

TrustStore

The TrustStore stores certificates from the third parties your Java application communicates with, or certificates signed by CAs (certificate authorities like Verisign, Thawte, Geotrust or GoDaddy) which can be used to identify third parties.

TrustManager

The TrustManager determines whether a remote connection should be trusted or not, i.e. whether the remote party is who it claims to be, and the KeyManager decides which authentication credentials should be sent to the remote host for authentication during the SSL handshake.

If you are an SSL server you will use the private key during the key exchange algorithm and send the certificate corresponding to your public key to the client; this certificate is acquired from the keyStore. On the SSL client side, if it's written in Java, it will use the certificates stored in the trustStore to verify the identity of the server. SSL certificates most commonly come as a .cer file which is added into the keyStore or trustStore by using any key management utility, e.g. keytool.

Source: http://javarevisited.blogspot.ch
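The split described in the two answers above (truststore feeds the TrustManager, keystore feeds the KeyManager) is easiest to see when an SSLContext is assembled by hand. The following is an added example, not code from any of the posters or from the cited blog; the file paths and passwords are placeholders, and it assumes a JDK 9 or later where KeyStore.getDefaultType() is PKCS12 (which also reads JKS files through the JDK's compatibility mode).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext from an explicit truststore and (optionally) a keystore, so the
 * two roles are visible in code:
 *   - the truststore backs the TrustManager, which validates the peer's certificate chain;
 *   - the keystore backs the KeyManager, which picks the private key/certificate we present.
 */
public final class TlsContextBuilder {

    /** Load a keystore file (PKCS12, or JKS via the JDK's compatibility mode). */
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /**
     * keyStorePath is null for a plain client that only needs to verify the server;
     * it is non-null for a server, or for a client that must present a certificate.
     */
    static SSLContext build(String trustStorePath, char[] trustStorePassword,
                            String keyStorePath, char[] keyStorePassword) throws Exception {
        // TrustManager: "is the remote party who it claims to be?" -- backed by the truststore.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(trustStorePath, trustStorePassword));
        TrustManager[] trustManagers = tmf.getTrustManagers();

        // KeyManager: "which credentials do we send?" -- backed by the keystore, if we have one.
        // Passing null makes JSSE fall back to the javax.net.ssl.keyStore system property,
        // and offer no certificate at all if that property is unset.
        KeyManager[] keyManagers = null;
        if (keyStorePath != null) {
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // The second password unlocks the private-key entries, not just the file.
            kmf.init(loadStore(keyStorePath, keyStorePassword), keyStorePassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, trustManagers, new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords (assumed, not from the page).
        // A client that only verifies the server needs nothing but the truststore:
        SSLContext clientOnly = build("/path/to/truststore.p12", "changeit".toCharArray(),
                                      null, null);
        // A server, or a client doing mutual TLS, additionally supplies its own keystore:
        SSLContext withIdentity = build("/path/to/truststore.p12", "changeit".toCharArray(),
                                       "/path/to/keystore.p12", "keystore-password".toCharArray());
        System.out.println(clientOnly.getProtocol() + " / " + withIdentity.getProtocol());
    }
}
```

Keeping the truststore and keystore as separate files, as here, means the client build path never even opens a file containing private keys; that is the separation the JSSE guide quoted further down recommends.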

浅忆流年 2024-07-15 18:45:41

You may also be interested in the write-up from Sun, as part of the standard JSSE documentation:

http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Stores

Typically, the trust store is used to store only public keys, for verification purposes, such as with X.509 authentication. For manageability purposes, it's quite common for admins or developers to simply conflate the two into a single store.

许你一世情深 2024-07-15 18:45:41

In Java, what's the difference between a keystore and a truststore?

Here's the description from the Java docs at Java Secure Socket Extension (JSSE) Reference Guide. I don't think it tells you anything different from what others have said. But it does provide the official reference.

keystore/truststore

A keystore is a database of key material. Key material is used for a variety of purposes, including authentication and data integrity.
Various types of keystores are available, including PKCS12 and
Oracle's JKS.

Generally speaking, keystore information can be grouped into two categories: key entries and trusted certificate entries. A key entry
consists of an entity's identity and its private key, and can be used
for a variety of cryptographic purposes. In contrast, a trusted
certificate entry contains only a public key in addition to the
entity's identity. Thus, a trusted certificate entry cannot be used
where a private key is required, such as in a
javax.net.ssl.KeyManager. In the JDK implementation of JKS, a keystore
may contain both key entries and trusted certificate entries.

A truststore is a keystore that is used when making decisions about what to trust. If you receive data from an entity that you
already trust, and if you can verify that the entity is the one that
it claims to be, then you can assume that the data really came from
that entity.

An entry should only be added to a truststore if the user trusts that entity. By either generating a key pair or by importing a
certificate, the user gives trust to that entry. Any entry in the
truststore is considered a trusted entry.

It may be useful to have two different keystore files: one containing just your key entries, and the other containing your
trusted certificate entries, including CA certificates. The former
contains private information, whereas the latter does not. Using two
files instead of a single keystore file provides a cleaner separation
of the logical distinction between your own certificates (and
corresponding private keys) and others' certificates. To provide more
protection for your private keys, store them in a keystore with
restricted access, and provide the trusted certificates in a more
publicly accessible keystore if needed.

無處可尋 2024-07-15 18:45:41
  1. The first and major difference between the trustStore and the keyStore is that the trustStore is used by the TrustManager to determine whether a remote connection should be trusted, while the keyStore is used by the KeyManager to decide which authentication credentials should be sent to the remote host for authentication during the SSL handshake.

  2. Another difference is that the keyStore theoretically contains private keys, required only if you are running a server in an SSL connection or you have enabled client authentication on the server side; on the other hand the trustStore stores public keys or certificates from CAs (Certificate Authorities) which are used to trust the remote party of an SSL connection.

    In fact you can store both private and public keys in the same file,
    given that the tool to manage those files is the same (keytool),
    so you could use a single file for both purposes, but you
    probably should not.

  3. At least on my Mac OSX the default keyStore is ${user.home}/.keystore, and the default trustStore is /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts.

    If you want to override them you should add the JVM parameters
    -Djavax.net.ssl.keyStore /path/to/keyStore or
    -Djavax.net.ssl.trustStore /path/to/trustStore. You might also
    need to set the keyStore password in case of
    java.security.UnrecoverableKeyException: Password must not be null,
    using the parameter
    -Djavax.net.ssl.trustStorePassword=password or -Djavax.net.ssl.trustStorePassword=password

Main Source:

http://javarevisited.blogspot.co.uk/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html
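The JSSE guide quoted above distinguishes key entries from trusted certificate entries and recommends keeping them in separate files, and the answer just above shows how the truststore location and password are overridden through system properties. The program below ties the two together as an added example (not code from either poster): it resolves the truststore the same way JSSE does, loads it, and fails if it finds any private-key entry, i.e. a keystore being used where only trusted certificates belong. It assumes a JDK 9 or later layout where java.home contains lib/security/cacerts, and uses "changeit", the JDK's documented default password for that file, when no override is set.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Audits the truststore this JVM would use and flags private-key entries in it.
 * Run with the same -Djavax.net.ssl.trustStore / -Djavax.net.ssl.trustStorePassword
 * flags as the application, so the audit sees exactly what the application sees.
 */
public final class TrustStoreAudit {

    /** Mirrors JSSE's default lookup: javax.net.ssl.trustStore, else jssecacerts, else cacerts. */
    static Path resolveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);
        }
        Path securityDir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = securityDir.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : securityDir.resolve("cacerts");
    }

    static char[] resolvePassword() {
        // "changeit" is the default password of the cacerts file shipped with the JDK.
        return System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();
    }

    /** Returns {trustedCertificateEntries, keyEntries}; a clean truststore has keyEntries == 0. */
    static int[] audit(KeyStore store) throws Exception {
        int trusted = 0;
        int keys = 0;
        for (Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            if (store.isKeyEntry(alias)) {
                // A key entry carries a private key: it belongs in a keystore, not here.
                keys++;
                System.out.println("WARNING private-key entry in truststore: " + alias);
            } else if (store.isCertificateEntry(alias)) {
                // A trusted certificate entry carries only a public key plus identity.
                trusted++;
                X509Certificate cert = (X509Certificate) store.getCertificate(alias);
                System.out.println("trusted: " + alias + " -> " + cert.getSubjectX500Principal());
            }
        }
        return new int[] {trusted, keys};
    }

    public static void main(String[] args) throws Exception {
        Path path = resolveTrustStore();
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            store.load(in, resolvePassword());
        }
        int[] counts = audit(store);
        System.out.printf("%s: %d trusted certificate entries, %d key entries%n",
                path, counts[0], counts[1]);
        if (counts[1] > 0) {
            // Non-zero exit lets a build or deployment check fail on a leaked private key.
            System.exit(1);
        }
    }
}
```

Running it against the stock JDK cacerts prints one line per CA and zero key entries; pointing javax.net.ssl.trustStore at a file that was "conflated" into a single store, as the earlier answer describes, makes the private-key entries visible and the exit code non-zero.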

白馒头 2024-07-15 18:45:41

The keystore is used to store the private key and identity certificates that a specific program should present to both parties (server or client) for verification.

The truststore is used to store certificates from Certified Authorities (CA) that verify the certificate presented by the server in an SSL connection.

See this article for reference: https://www.educative.io/edpresso/keystore-vs-truststore
