英文:
Should I use either cacerts or local trustore but not both?
问题
我们有一个用于我们的应用程序的本地 truststore.jks。我们使用类似以下方式通过 VM 选项传递它给应用程序:
-Djavax.net.ssl.trustStore=<<truststore.jks 的路径>>
如果我们已经在使用这个 truststore.jks,是否有任何充分的理由将证书导入到我们 JDK 的 cacerts 文件中呢?
难道我们不能将这些证书直接导入到我们现有的 truststore.jks 中吗?
英文:
We have a local truststore.jks we use for our app. We pass this to the app using VM Options like so:
-Djavax.net.ssl.trustStore=<<PATH TO TRUSTSOTRE.JKS>>
If we are already using this truststore.jks is there any good reason to import certificates into the cacerts file of our jdk?
Couldn't we just import these certs into out existing truststore.jks?
答案1
得分: 2
这里没有对错之分,决策取决于您的应用程序操作和安全设置管理方法。
就个人而言,我总是更喜欢使用自定义的信任存储(就像您已经在做的那样),仅包含所需用于您的应用程序的端点的信任路径。
这样,您只需要维护您正在使用的端点的信任。
然而,如果应用程序连接到许多使用不同CA提供商证书的TLS端点,基于cacerts的信任存储可能会使维护更容易,即使/当端点更改发行者。
在这种情况下,我建议不要更改JRE中的cacerts文件,而是基于cacerts文件为应用程序创建一个自定义信任存储文件。
英文:
There is no right or wrong here, and the decision depend on your application the operation and approach to managing security setup.
Personally I would always prefer to use a custom trust store (as you are already doing), only containing the trust path for the endpoints that are required for your app.
This way you would only have to maintain trust for the endpoint(s) you are using.
However, if the app connects to many TLS endpoints using certificates from different CA providers, a trust store based on cacerts could make maintenance easier if/when endpoints changes issuer.
In that case I would advise to not change the cacerts file in the JRE, but base a custom trust store file on the cacerts file for use by the application.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论