Tomcat SSL:找不到受信任的证书
我使用 keytool 创建了一个证书:
keytool -genkey -alias tomcat -keyalg RSA
将其导出并导入到我的密钥库中:
keytool -export -alias tomcat name.crt
keytool -import -file name.crt
当我执行 keytool -list 时,我有 2 个条目:
tomcat, Sept 15, 2010, keyEntry,
Certificate fingerprint (MD5): ...
mykey, Sept 17, 2010, trustedCertEntry
Certificate fingerprint (MD5):...
请注意,两个条目的指纹是相同的。
我将 server.xml 配置为指向我的 .keystore 文件,
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
但是在我的 tomcat 日志中,当我在 Java 应用程序中执行操作时,我看到:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
...
sun.security.validator.ValidatorException: No trusted certificate found
是否还需要完成任何其他配置?
I created a certificate using keytool:
keytool -genkey -alias tomcat -keyalg RSA
Exported and imported it into my keystore:
keytool -export -alias tomcat name.crt
keytool -import -file name.crt
When I do keytool -list I have 2 entries:
tomcat, Sept 15, 2010, keyEntry,
Certificate fingerprint (MD5): ...
mykey, Sept 17, 2010, trustedCertEntry
Certificate fingerprint (MD5):...
Note that the fingerprints for both entries are the same.
I configured my server.xml to point to my .keystore file
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
But in my tomcat logs I see when I perform an action in my Java app:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
...
sun.security.validator.ValidatorException: No trusted certificate found
Is there any other configuration that needs to be done?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您需要客户端(即浏览器)信任您的服务器证书。
为此,您可以将浏览器中的服务器证书作为可信证书导入,该证书仅在您控制浏览器时才有效。或者您让受信任的机构签署您的证书,这需要花钱。
以不同的名称导出和重新导入没有任何意义。
更新:
我想我开始理解你想要做什么。您希望 Java 客户端通过 https 访问 Web 应用程序。是的?
在这种情况下,您需要提供一个“信任库”,即包含受信任证书的密钥库。您需要将系统属性 javax.net.ssl.trustStore 设置为要使用的信任库的名称。
您可能还可以使用手工制作的 TrustManager。该网站似乎提供了相关信息: http ://download.oracle.com/javase/1.4.2/docs/guide/security/jsse/JSSERefGuide.html
这个简单的示例也可能有所帮助:http://stilius.net/java/java_ssl.php
You need the client (i.e. the browser) to trust your servers certificates.
For this you either import the certificate of the server in the browser as a trusted certificate, which only works when you have the browser under your control. Or you get your certificate signed by a trusted authority, which costs money.
exporting and reimporting under a different name doesn't make any sense.
Update:
I think I start to understand what you are trying to do. You want a java client access a webapp via https. yes?
In this case you need to provide a 'truststore' i.e. a keystore containing the trusted certificates. You'll want to set the system Property javax.net.ssl.trustStore to the name of the truststore to use.
You'll probably can use a handcrafted TrustManager as well. This site seems to give information about that: http://download.oracle.com/javase/1.4.2/docs/guide/security/jsse/JSSERefGuide.html
This simple example might help as well: http://stilius.net/java/java_ssl.php