在文件系统上直接使用PEM编码CA证书进行HTTPS请求？

本文介绍了在文件系统上直接使用PEM编码CA证书进行HTTPS请求？的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

这类似于将PEM导入Java密钥库。但问题的答案是使用OpenSSL进行转换和工具将它们导入文件系统的密钥存储区。

This is similar to Import PEM into Java Key Store. But the question's answers use OpenSSL for conversions and tools to import them into key stores on the file system.

我正在尝试使用格式良好的X509证书作为信任anchor：

I'm trying to use a well formed X509 certificate as a trust anchor:

static String CA_FILE = "ca-rsa-cert.pem"; public static void main(String[] args) throws Exception { KeyStore ks = KeyStore.getInstance("JKS"); ks.load(new FileInputStream(CA_FILE), null); TrustManagerFactory tmf = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ks); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, tmf.getTrustManagers(), null); // Redirected through hosts file URL url = new URL("example:8443"); HttpsURLConnection connection = (HttpsURLConnection) url .openConnection(); connection.setSSLSocketFactory(context.getSocketFactory()); ... }

当我试图跑步时该程序，我收到一个错误：

When I attempt to run the program, I get an error:

$ java TestCert Exception in thread "main" java.io.IOException: Invalid keystore format at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650) at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) at java.security.KeyStore.load(KeyStore.java:1214) at TestCert.main(TestCert.java:30)

我也试过 KeyStore ks = KeyStore.getInstance（PEM）; 和 getInstance（X509 ）; ，但它们也不起作用。

I also tried KeyStore ks = KeyStore.getInstance("PEM"); and getInstance("X509");, but they did not work either.

我知道Java支持PEM和DER编码证书，因为这是Web服务器发送到的一个客户。但没有一个 KeyStoreType 似乎符合我的需求，所以我怀疑我没有使用正确的API。

I know Java supports PEM and DER encoded certificates because that's what a web server sends to a client. But none of the KeyStoreType's seem to match my needs, so I suspect I'm not using the right APIs for this.

我想直接使用它们并且不将它们导入长寿 KeyStore 的原因是：

The reasons I want to use them directly and not import them into a long-lived KeyStore are:

有数百个要测试的PEM证书

证书在我的文件系统上

使用来自的证书文件系统与我的工作流程相匹配

我不想使用 openssl 或 keytool

我不想进行密钥存储维护

There are hundreds of PEM certs to test

The certs are on my filesystem

Using certs from the filesystem matches my workflow

I don't want to to use openssl or keytool

I don't want to perform key store maintenance

如何进行在文件系统上采用格式良好的PEM编码证书并直接使用它？

How does on take a well formed PEM encoded certificate on the filesystem and use it directly?

推荐答案

我在尝试另外做的时候找到了答案方式为KeyStore.TrustedCertificateEntry设置证书？。它基于Vit Hnilica在从密钥库加载证书的答案。由于大多数Stack Overflow的答案都以使用 openssl 转换开头，然后使用 keytool ...。

I found the answer while trying to do this another way at Set certificate for KeyStore.TrustedCertificateEntry?. Its based on Vit Hnilica's answer at loading a certificate from keystore. I"m going to leave the question with this answer since most Stack Overflow answers start with "convert with openssl, then use keytool ...".

String CA_FILE = ...; FileInputStream fis = new FileInputStream(CA_FILE); X509Certificate ca = (X509Certificate) CertificateFactory.getInstance( "X.509").generateCertificate(new BufferedInputStream(fis)); KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(null, null); ks.setCertificateEntry(Integer.toString(1), ca); TrustManagerFactory tmf = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ks); ...