Java web service over https - how to add a self-signed certificate to the client api?
I have a "Hello World" web service created with axis2. I would like to write a client api which could use this service over https with a self-signed certificate. I have a self-signed certificate myCertificate.cer and a keystore containing it.

Here is my client API:
```java
import java.rmi.RemoteException;

public class MyApi {
    // Axis2TestStub, Hello and HelloResponse are the classes generated by Axis2 for the service.
    // The stub constructor and hello() throw AxisFault, a RemoteException.
    public Object callMyService() throws RemoteException {
        Axis2TestStub stub = new Axis2TestStub(
                "https://localhost:8443/axis2/services/Axis2Test");
        // Point JSSE at a trust store that contains the server's self-signed certificate.
        System.setProperty("javax.net.ssl.trustStore",
                "src/main/resources/myKeystore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        Hello request = new Hello();
        request.setMot("World");
        HelloResponse response = stub.hello(request);
        Object mot = response.get_return();
        return mot;
    }
}
```
It works but I would like to use myCertificate.cer and not a keystore containing it. Does someone know how to do that? I tried to override https protocol with no success:
```java
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.ssl.HttpSecureProtocol;
import org.apache.commons.ssl.TrustMaterial;

// not-yet-commons-ssl socket factory; TrustMaterial(...) and addTrustMaterial(...) throw checked exceptions.
HttpSecureProtocol myHttpsProtocol = new HttpSecureProtocol();
myHttpsProtocol.setCheckHostname(false); // disables hostname verification
myHttpsProtocol.addTrustMaterial(new TrustMaterial("myCertificate.cer"));
Protocol customHttps = new Protocol("https",
        (ProtocolSocketFactory) myHttpsProtocol, 8443);
Protocol.registerProtocol("https", customHttps);
```
The server key store does contain the server's self-signed certificate and private key and is used by the server to sign messages and to return credentials to the client.
On the client-side, you need to import the server certificate into the client trust store (and generally, you don't want the private key in the client trust store, so you extract a stand-alone certificate file, i.e. without the private key, and then you import that server certificate into the trust store).
It's not a key store but a trust store, and adding the certificate to the client trust store is required because self-signed certificates are not signed by a root CA and are not trusted by default. So you need to create a chain of trust.
Now, you can maybe distribute the trust store in the JAR of the client API. This approach is discussed in this thread (the biggest problem being that you'll have to redistribute the JAR when the server certificate expires). Personally, I don't really like this solution.
IMHO, the good solution if you want to skip the trust store stuff would be to buy a real certificate from a widely-known certificate vendor for which you already have root CA certificates in the trust store (like Verisign, Thawte).
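An added example of the trust-store approach the answer above describes, and of what the question asks for: the trust store is built in memory at runtime from myCertificate.cer alone, with no keystore file and no password, and only that certificate is trusted. This is not code from the question or from either answer. The certificate path, the ?wsdl URL and the use of HttpsURLConnection are assumptions; the Axis2 stub in the question uses the commons-httpclient transport, which does not read this SSLContext and needs its own Protocol registration as the question shows.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SelfSignedTrust {

    /** Build an in-memory trust store holding only the certificate(s) found in certPath (DER or PEM). */
    public static KeyStore trustStoreFromCert(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty store: no file on disk, no password
        try (InputStream in = new FileInputStream(certPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                // Fail at startup with a clear message instead of with an opaque handshake error
                // once the self-signed certificate has expired.
                x.checkValidity();
                trustStore.setCertificateEntry("server-" + i++, x);
            }
        }
        if (trustStore.size() == 0) {
            throw new IllegalArgumentException("no certificate found in " + certPath);
        }
        return trustStore;
    }

    /** SSLContext whose trust decisions come only from the certificate file; no client key material. */
    public static SSLContext sslContextTrusting(String certPath) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStoreFromCert(certPath));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the certificate file from the question and the service's WSDL URL.
        String certPath = args.length > 0 ? args[0] : "myCertificate.cer";
        String url = args.length > 1 ? args[1] : "https://localhost:8443/axis2/services/Axis2Test?wsdl";

        SSLContext ctx = sslContextTrusting(certPath);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification stays enabled: the certificate must name "localhost" in its CN or SAN.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + url);
        System.out.println("Peer certificate: " + ((X509Certificate) conn.getServerCertificates()[0]).getSubjectX500Principal());

        // For clients that rely on the JSSE defaults instead of an explicit socket factory,
        // install the context process-wide:
        // SSLContext.setDefault(ctx);
    }
}
```

Compile with javac and run as `java SelfSignedTrust myCertificate.cer https://localhost:8443/axis2/services/Axis2Test?wsdl`. Because the trust store contains nothing but the server's own certificate, no other issuer is accepted on that connection, and the checkValidity call surfaces the expiry problem the answer mentions when the client starts rather than when a request fails.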
I would just add the certificate to the cacerts file of the JDK running your app. If you do this then you won't have to do anything else. The code you have above wouldn't be required. You add the certificate to the keystore by running a command similar to below: