如何在 IE 受信任的根证书颁发机构存储中自动安装自签名证书
我创建了一个自签名证书,但浏览器告诉我“此 CA 根证书不受信任。要启用信任,请在受信任的根证书颁发机构存储中安装此证书”。
我通过进入 IE -->互联网选项 -->内容-->证书-->等等...我实际上必须导出自签名证书,然后将其导入受信任的根证书。仅当证书位于用户计算机的 ROOT 存储下后,IE 才不会显示任何警告。
这将部署在生产环境中,因此让用户手动执行上述步骤是不可接受的。
我怎样才能自动执行此操作?我只是希望他们接受并且不要出现“证书错误”并将 IE 中的 URL 栏变成“红色”。
我正在使用 Tomcat 5.5。我还按照 Tomcat SSL 如何教程 http:// /tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
提前致谢。
I created a self signed certificate but the browser tells me "This CA Root Certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store".
I did by going into IE --> Internet Options --> Content --> Certificates --> ect... I actually had to export the self signed certificate and then import it into the Trusted Root Certification. Only after the certificate was located under the ROOT store in the users machine that IE did not display any WARNINGS.
This will be deployed in a production environment, so having the users manually do the above steps is unacceptable.
How can I automatically do this? I just want them to accept and not have that "Certificate Error" and have the URL bar turned "RED" in IE.
I'm using Tomcat 5.5. I also followed the same steps as in the Tomcat SSL How To Tutorial http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
Thanks in advance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
Java 6 提供了一个名为 SunMSCAPI 的加密提供程序来访问 Windows 加密库 API。该提供程序实现了包含所有信任锚证书的密钥库“Windows-Root”。
可以在此密钥库中插入证书。
将提示用户是否确认。如果用户取消该操作,则会引发 KeyStoreException。
有关提供程序的一些技术说明可以在这里找到: http ://download.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunMSCAPI
Java 6 provides a cryptographic provider named SunMSCAPI to access the windows cryptography libraries API. This provider implements a keystore "Windows-Root" containing all Trust Anchors certificates.
It is possible to insert a certificate in this keystore.
The user will be prompted if for confirmation. If the operation is canceled by the user then a KeyStoreException is thrown.
Some technotes about the provider can be found here: http://download.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunMSCAPI
想一想。如果这是可能的,那么什么可以阻止任何欺诈网站做同样的事情并使他们的网站看起来像是受信任的呢?重点是用户必须确定证书安装。
Think about it. If this were possible, what would stop any fraudulent site from doing the same thing and making it look like their site was trusted? The whole point is that the user HAS to OK the certificate installation.
首先,这样做的可能性会损害用户的安全,因此这将是一个安全漏洞,所以不,没有简单的方法可以做到这一点。
其次,不同的软件有不同的证书存储。 Microsoft 和 Chrome 浏览器使用 CryptoAPI 商店,Firefox 有自己的商店(Chrome 也可以使用 Firefox 的一个 AFAIK)。 Adobe 的软件有自己的商店(除了 CryptoAPI 商店)。
First of all, possibility to do this would compromise user's security, so it would be a security hole, so no, there's no easy way to do this.
Next, different software has different certificate stores. Microsoft and Chrome browser use CryptoAPI stores, Firefox has it's own store (Chrome can also use firefox's one AFAIK). Adobe's software has it's own store (in addition to CryptoAPI one).