Update Java trust certificate store from PKI source anchors on Unix

Question

I manually added some new certificates to /etc/pki/ca-trust/extracted/java/cacerts and it makes Java trust these certificates as Java is configured to use this certificate location. However, from what I'm reading, to do it properly and make sure this change survives future cert system updates it should be done so:

  • add to /etc/pki/ca-trust/source/anchors
  • run update-trust-ca

However, this doesn't work, i.e. certificates from source anchors are not transferred to Java cacerts.

A proposed solution discussed here https://access.redhat.com/discussions/3018271 is to first run "trust anchor /etc/pki/ca-trust/source/anchors/*.cer" but then I'm getting "p11-kit: couldn't create object: The field is read-only".
How can this error be fixed? How to proceed with it?

System:

cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

Java:

java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)

Answer 1

Score: 1

I am struggling with the same problem.

  1. I put 2 certificates into /etc/pki/ca-trust/source/anchors and ran update-ca-trust. Only one goes to /etc/pki/ca-trust/extracted/java/cacerts, the CA. The certificate for a server is ignored.
    When I add the option -v to the last line of update-ca-trust I get:
(p11-kit:21017) extract_certificate: skipping certificate that doesn't match trust flags

With trust anchor cert.pem I have the same situation.

  2. I put those 2 certificates in /etc/pki/tls/certs and ran the command trust anchor cert.pem. Then I get the file: /etc/pki/ca-trust/source/domain(from CN).p11-kit. I am modifying this file according to this https://access.redhat.com/discussions/3018271. I run update-ca-trust again.
    After this I can also find my certificate in /etc/pki/ca-trust/extracted/java/cacerts.

For the experiment I've uncommented the line:

#set -vx

from update-ca-trust. When you run the command trust anchor cert.pem then command update-ca-trust is invoked at the end.

I don't know why I cannot keep those files at /etc/pki/ca-trust/source/anchors, why update-ca-trust ignores certificate category: other-entry.
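As an added example (not code from the question or either answer): a way to confirm that a certificate really reached /etc/pki/ca-trust/extracted/java/cacerts instead of trusting the exit status of update-ca-trust. OpenJDK 8 on CentOS 7 reads that file as a JKS keystore with the default password changeit, so the script parses the JKS layout directly, verifies the store's integrity digest, and maps each trusted-certificate alias to its SHA-256 fingerprint (the same values keytool -list prints). The build_jks helper and SAMPLE_DER are constructed test data, not anything the page provides.

```python
import hashlib
import struct

JKS_MAGIC, JKS_VERSION, TRUSTED_CERT = 0xFEEDFEED, 2, 2
DEFAULT_PASSWORD = "changeit"  # password p11-kit and OpenJDK use for cacerts
SALT = b"Mighty Aphrodite"     # fixed string the JKS integrity digest is keyed with
SAMPLE_DER = b"constructed stand-in for a DER certificate"  # not a real cert; only hashed

def _utf(buf, pos):
    """Java modified-UTF string: 2-byte big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _jks_digest(body, password):
    """SHA-1(password as UTF-16BE || SALT || keystore body), as JKS stores it."""
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

def trusted_cert_fingerprints(data, password=DEFAULT_PASSWORD):
    """Map alias -> SHA-256 hex fingerprint of every trusted-cert entry; raise
    ValueError on a non-JKS file, a private-key entry or a digest mismatch."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 keystore")
    pos, certs = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        if tag != TRUSTED_CERT:            # tag 1 = private key; cacerts has none
            raise ValueError("unexpected entry tag %d" % tag)
        alias, pos = _utf(data, pos + 4)
        pos += 8                           # creation timestamp (ms), unused
        _cert_type, pos = _utf(data, pos)  # always "X.509" here
        (n,) = struct.unpack_from(">I", data, pos)
        der, pos = data[pos + 4:pos + 4 + n], pos + 4 + n
        certs[alias] = hashlib.sha256(der).hexdigest()
    if data[pos:pos + 20] != _jks_digest(data[:pos], password):
        raise ValueError("integrity digest mismatch (wrong password or truncated store)")
    return certs

def build_jks(entries, password=DEFAULT_PASSWORD):
    """Build a minimal JKS of trusted-cert entries [(alias, der_bytes)] (test data)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, der in entries:
        a = alias.encode("utf-8")
        body += struct.pack(">IH", TRUSTED_CERT, len(a)) + a + struct.pack(">Q", 0)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return body + _jks_digest(body, password)

def store_has_cert(data, sha256_hex, password=DEFAULT_PASSWORD):
    """True if the keystore bytes (e.g. the extracted cacerts) hold that certificate."""
    return sha256_hex.lower() in trusted_cert_fingerprints(data, password).values()
```

On a real host, pass `open("/etc/pki/ca-trust/extracted/java/cacerts", "rb").read()` to trusted_cert_fingerprints and compare against the fingerprint of the PEM you placed in source/anchors; a missing alias is the "skipping certificate that doesn't match trust flags" case the answer describes.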

Answer 2

Score: 0

Are you importing the CA root or an Intermediate? I faced this issue because I was trying to add a root CA, when I really needed to add the intermediate CA for my wildcard cert.

huangapple
  • Posted on 2020-04-08 19:27:55
  • Please keep this link when reposting: https://go.coder-hub.com/61099586.html