I'm trying to connect to a secure webservice.
I was getting a handshake failure even though my keystore and truststore have been set correctly.
After several days of frustration, endless googling and asking everyone around, I found out that the only problem was that Java chose not to send the client certificate to the server during the handshake.
Specifically:

My question:
I did manage to put together a dirty workaround for this, but I'm not very happy about it, so I'll be glad if anyone can clarify this one for me.
Recommended answer

It's possible that you may have imported the intermediate CA certificate into the keystore without associating it with the entry where you have your client certificate and its private key. You should be able to see this using keytool -v -list -keystore store.jks. If you only get one certificate per alias entry, they're not together.
You would need to import your certificate and its chain together into the keystore alias that has your private key.
To find out which keystore alias has the private key, use keytool -list -keystore store.jks (I'm assuming the JKS store type here). This will tell you something like this:
Your keystore contains 1 entry

myalias, Feb 15, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): xxxxxxxx

Here, the alias is myalias. If you use -v in addition to this, you should see Alias Name: myalias.
If you don't have it separately already, export your client certificate from the keystore:
keytool -exportcert -rfc -file clientcert.pem -keystore store.jks -alias myalias
Using a text editor (or cat), prepare a file (let's call it bundle.pem) with that client certificate and the intermediate CA certificate (and possibly the root CA certificate itself if you want), so that the client certificate is at the beginning and its issuer certificate is just under it.
It should look like this:

-----BEGIN CERTIFICATE-----
MIICajCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVSzEa
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICkjCCAfugAwIBAgIJAKm5bDEMxZd7MA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNV
....
-----END CERTIFICATE-----

Now, import this bundle back together into the alias where your private key is:
keytool -importcert -keystore store.jks -alias myalias -file bundle.pem
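The keytool -v -list check in the answer can also be done from Java itself, which is useful when the keystore is built or shipped by a deployment pipeline. The program below is an added example, not code from the question or answer: it opens a JKS keystore, and for every private-key entry (what keytool -list shows as PrivateKeyEntry) reports the chain length, whether the chain is ordered leaf first with each certificate signed by the one after it, and whether the entry still needs the bundle import described above. The file name, password and alias values are placeholders; the class and method names are assumptions for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added diagnostic for the situation in the answer above: a PrivateKeyEntry
 * whose chain is only the leaf certificate. JSSE picks a client certificate
 * from the chains attached to key entries, so a leaf without its issuer
 * chain often cannot satisfy the server's CertificateRequest and nothing
 * is sent. Usage (placeholders): java KeystoreChainCheck store.jks changeit
 */
public class KeystoreChainCheck {

    /** One report per private-key alias, returned rather than printed. */
    public static final class ChainReport {
        public final String alias;
        public final int chainLength;
        public final boolean ordered;       // each cert is signed by the next one
        public final boolean endsAtRoot;    // last cert in the chain is self-signed

        ChainReport(String alias, int chainLength, boolean ordered, boolean endsAtRoot) {
            this.alias = alias;
            this.chainLength = chainLength;
            this.ordered = ordered;
            this.endsAtRoot = endsAtRoot;
        }

        /** True for the case the answer describes: a lone, non-self-signed leaf. */
        public boolean needsChainImport() {
            return chainLength == 1 && !endsAtRoot;
        }
    }

    /** Checks subject/issuer linkage and signatures along a leaf-first chain. */
    public static ChainReport inspect(String alias, Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return new ChainReport(alias, 0, false, false);
        }
        boolean ordered = true;
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            X509Certificate issuer = (X509Certificate) chain[i + 1];
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())
                    || !signedBy(cert, issuer.getPublicKey())) {
                ordered = false;   // bundle.pem was assembled in the wrong order
                break;
            }
        }
        X509Certificate last = (X509Certificate) chain[chain.length - 1];
        boolean selfSigned = last.getIssuerX500Principal().equals(last.getSubjectX500Principal())
                && signedBy(last, last.getPublicKey());
        return new ChainReport(alias, chain.length, ordered, selfSigned);
    }

    private static boolean signedBy(X509Certificate cert, PublicKey key) {
        try {
            cert.verify(key);
            return true;
        } catch (GeneralSecurityException e) {   // wrong key or broken signature
            return false;
        }
    }

    /** Loads a JKS store and inspects every private-key entry in it. */
    public static List<ChainReport> inspectKeystore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        List<ChainReport> reports = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                reports.add(inspect(alias, ks.getCertificateChain(alias)));
            }
        }
        return reports;
    }

    public static void main(String[] args) throws Exception {
        for (ChainReport r : inspectKeystore(args[0], args[1].toCharArray())) {
            System.out.printf("%s: chain length %d, ordered=%b, ends at root=%b%n",
                    r.alias, r.chainLength, r.ordered, r.endsAtRoot);
            if (r.needsChainImport()) {
                System.out.println("  -> only the leaf is present; import bundle.pem into this alias");
            }
        }
    }
}
```

A chain of length 1 whose single certificate is not self-signed is the symptom from the answer; a chain of length 2 or more that reports ordered=false means the bundle was concatenated with the issuer above the client certificate and should be rebuilt before re-importing.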