JBoss/Java 和 SSL
嗨,我有点迷失了,希望你能带我离开这里。我会尽力尽可能清楚,因为我真的不理解/不知道应该如何使用证书。
我有一个应用程序应该使用 Web 服务和 SSL 与另一个应用程序进行通信。我们都要求我们的主要“证书颁发机构”获取证书。 他们向我们发送了 4 个文件和 .P12 文件的密码: .csr、.cer、.key、.P12
这是我所做的: * 配置 JBoss 在 8443 上使用 SSL 并使用 P12 文件作为密钥库 为了测试这一点,我做了一个小的 Java 类,它调用该服务器上的 Web 服务,使用:
props.setProperty("javax.net.ssl.trustStore", "/.../.../certif.p12");
props.setProperty("javax.net.ssl.trustStorePassword", "XXXXXXXXX");
props.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
连接有效,但我认为我丢失了一些东西,因为我没有使用其他文件。 如果我将 .P12 文件和密码发送到应该调用我的 Web 服务的应用程序,这样就可以了吗?
编辑 : 我忘了提到我也应该在其他应用程序上调用 Web 服务,所以应该反过来,我只需要 .P12 并通过吗?
我读过很多关于公钥、私钥、keytool 的内容,但现在我的脑子里有点混乱。 感谢您提供任何信息!
Hi I'm a bit lost and hope you'll get me out of here. I'll try to be as clear as possible since I don't really understand/know how I should use certificates.
I've got an application that is supposed to communicate with another one using webservices and SSL. We both asked our main "Certificate Authority" to get certificates.
They sent us 4 files and a password for the .P12 file:
.csr, .cer, .key, .P12
Here is what I did :
* Configure JBoss to use SSL on 8443 and used the P12 file as the keystore
To test this I did a small Java class that call a webservices on this server, using :
props.setProperty("javax.net.ssl.trustStore", "/.../.../certif.p12");
props.setProperty("javax.net.ssl.trustStorePassword", "XXXXXXXXX");
props.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
The connection works, but I think I'm missing something as I did not use the other files.
If I send my .P12 file and the password to the application that is supposed to call my Webservices will it be ok/enough ?
Edit :
I forgot to mention that I should call a Webservice on the other application too, so it should be the other way around, do I only need a .P12 and pass ?
I've read a lot of thing about public key, private key, keytool but it's a bit messy in my head right now.
Thanks for any information !
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
理想情况下,您应该自己生成私钥(在
.key中)和 CSR(在.csr中),并且 CA 应该返回基于 CSR 的证书(通常位于.cer中),您可以将其组装在一起以构建 PKCS#12 文件 (.p12)。在此阶段,您可以放弃 CSR。 PKCS#12 文件现在应包含私钥、其关联的证书以及可能附加的证书链。您可以稍后再次从该
.p12文件中提取.key和.cer文件。我想您之所以获得所有这些文件,是因为它们的生成方式(使用中间文件),或者是为了方便,不必自己转换它们。Java 术语并不理想,但密钥库和信任库是密钥库类型的两个实体,但用途不同。 KeyManager 和 TrustManager 之间的区别(以及 javax.net.ssl.keyStore 和 javax.net.ssl.trustStore 之间的区别)如下(引自 JSSE 参考指南):
javax.net.ssl.trustStore*属性是配置TrustManager的一种方法。javax.net.ssl.keyStore*属性是配置KeyManager的一种方法。通常,信任存储中不需要私钥材料(除非您也将其用作密钥存储)。通常最好使用单独的信任库,您可以在计算机上自由复制该信任库,而不必担心泄露私钥材料。
有意义的是使用 CA 证书(不确定是否已向您提供)构建一个新的密钥库 (JKS),将其用作信任库。
您不只通过设置信任库来进行相互身份验证(密钥库没有默认值,因此需要显式指定这些参数)。如果您想使用客户端证书连接到远程方,则需要在密钥库中设置它(例如,以相同的方式使用
javax.net.ssl.keyStore*属性你已经为信任商店做了这件事)。您可以将密钥库和信任库都指向同一个
.p12文件。副作用是您的服务与其他位置(例如https://www.google.com)建立的其他连接将不被信任,因为它不包含这些连接的 CA。这就是为什么最好为 CA 证书创建一个单独的“信任库密钥库”(JKS 可能更容易)。您可以复制默认的cacerts(位于 JRE 目录中),将 CA 的证书导入其中并使用它。Ideally, you should have generated the private key (in
.key) and CSR (in.csr) yourself and the CA should have come back with the certificate (typically in.cer) based on the CSR, which you would have assembled together to build your PKCS#12 file (.p12).At this stage, you can discard the CSR. The PKCS#12 file should now contain the private key, its associated certificate and possibly the certificate chain attached. You could extract the
.keyand.cerfiles from that.p12file later again. I guess you were given all these files because of the way they have been generated (using intermediate files), or for convenience, not to have to convert them yourself.The Java terminology isn't ideal, but keystore and truststore are two entities of type keystore, but with a different purpose. The difference between the KeyManager and TrustManager (and thus between javax.net.ssl.keyStore and javax.net.ssl.trustStore) is as follows (quoted from the JSSE ref guide):
The
javax.net.ssl.trustStore*properties are one way of configuring theTrustManager. Thejavax.net.ssl.keyStore*properties are one way of configuring theKeyManager.Typically, there is no need for private key material in a trust store (unless you also use the same as a keystore). It's often better to use a separate truststore, which you'd be able to copy freely across machine, without worrying about leaking private key material.
What would make sense would be to build a new keystore (JKS) that you would use as a truststore, using the CA certificates (not sure if you've been provided with them).
You're not doing mutual authentication by setting the truststore only (there are no default values for the keystore, so they need to specify these parameters explicitly). If you want to use your client-certificate to connect to a remote party, you need to set it in the keystore (for example, using the
javax.net.ssl.keyStore*properties in the same way you've done it for the trust store).You could point both the keystore and truststore to the same
.p12file. The side effect is that other connections made by your service to other places (e.ghttps://www.google.com) would not be trusted, since it wouldn't contain the CA for those. That's why it might be better to create a separate "truststore keystore" (JKS might be easier) for the CA certificates. You could make a copy of the defaultcacerts(in the JRE directory), import your CA's certificate into it and use that.好吧,就到这里吧。怎么沟通?我的意思是它只是服务器身份验证,即您的客户端应用程序将验证Web服务或相互身份验证,并且Web服务还将请求您的应用程序证书?
这很重要,因为您通过名称提供的文件似乎暗示了后者,即需要相互身份验证,而您显示的代码仅设置用于服务器身份验证的 SSL 库。
由于您没有在这里提供上下文,我会说:
被视为在域中受信任的签名证书,并且
可能还签署了您想要与之通信的网络服务
证书(好吧,这是一种可能性/猜测,因为你不
多说)
您在代码中所做的操作是将 p12 设置为信任库。
如果你说这有效,那么就没有相互身份验证,只有服务器端身份验证,并且你正在使用 p12 中的任何内容来验证 Web 服务。
在这种情况下,其余部分都不需要进行通信。您需要特别保留
key文件,因为这可能是您的私钥,如果您丢失/有人窃取了它那么你的私人证书就没用/被泄露了。我不确定您对安全性的要求是什么,但在我看来,您可能应该更多地研究它。
即使对于这个问题,我也只是尝试根据文件名进行有根据的猜测......
我希望这能让您进入阅读的轨道。
Ok, stop here. Communicate how? I mean is it only server authentication i.e. your client application will authenticate the web service or mutual authentication and the web service will also request your applications certificate?
This is important as the files you present by the names seem to suggest the latter i.e. that mutual authentication is expected while your code you show is only setting SSL library for server authentication.
Since you are not providing context here I would say that:
signing certificate that is considered as trusted in the domain and
has probably also signed the web service you want to communicate with
certificate (well that is a possibility/guess here since you don't
say much)
What you do in the code is setting the p12 as the truststore.
If you say this works then there is no mutual authentication only server side authentication and you are authenticating the web service using whatever is in the p12.
In this case the rest are not needed for communication.It is for you to keep especially the
keyfile since this could be your private key and if you lose/someone steals this then your private certificate is useless/compromised.I am not sure what your requirements on security are here, but it seems to me that you should probably look into it more.
Even for this question I just tried to do an educated guess based on the file names.....
I hope this puts you in some track to read.