tomcat add certificate to truststore

Question


I have a Java web application deployed on a Kubernetes cluster that runs in a Tomcat (tomcat:9.0.37) container. My application connects to the ABC API, and in order to connect to the ABC API I need to have the ABC API certificate in my truststore.
For my local testing I am able to use the keytool command to add the certificate to my JRE cacerts, like the command below:
keytool -importcert -alias startssl -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -storepass changeit -file ABC.cert
But I want to know: is this the only way to add a cert to the truststore, or is there some other way I can add a cert to the truststore?

Answer 1

Score: 2


First, if you want to have a different default truststore for SSL/TLS than for other purposes, but still JRE-wide, you can use (JRE)/lib/security/jssecacerts instead of (JRE)/lib/security/cacerts. Unlike cacerts which is filled by the JRE package or platform with numerous common CAs, jssecacerts starts out empty; if you want any of the common CAs, you must add them explicitly, optionally by copying from cacerts one-by-one or just copying the whole cacerts file. I don't know if you will count this as 'other' or not.

Second, you can change the default truststore for a JVM instance with system properties javax.net.ssl.trustStore*; see the documentation (a few pages into the second table, Table 8-3) and more specifically this subordinate section.

Third, for a specific connection (or sometimes groups of connections) within the JVM, you can specify a different truststore in the code that creates the connection; the method varies with different means of creating the connection, which you didn't identify. Using SSLSocket or SSLEngine directly is one thing; java.net.UrlConnection and java.net.http.HttpClient (in j11+) are different; middleware like Apache or many others are different again. Rather than spend hours trying to write all possible options, most of which would be wasted, I'll let you ask again if you want this. In the StackOverflow mantra, "show your code".
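The answer above stops short of showing the "third" option. The following is an added example, not code from the question or the answer, that builds a per-connection truststore for the `java.net.http.HttpClient` case (Java 11+): it reads the PEM certificate the poster already has (assumed here to be `ABC.cert`) into an in-memory KeyStore, or alternatively opens an existing JKS/PKCS12 truststore file, and hands the resulting SSLContext only to that client, leaving the JVM-wide cacerts untouched. The class name, the alias prefix and the `https://abc-api.example.invalid/` URL are placeholders for this example.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Example (not from the original post): a client that trusts only the
// certificates it is explicitly given, instead of the JVM-wide cacerts.
public class CustomTrustStoreClient {

    // Build an in-memory truststore from a PEM file (one or more certificates).
    // The file is never modified, so no "changeit" password is involved.
    static KeyStore trustStoreFromPem(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // start from an empty keystore, not backed by any file
        try (InputStream in = Files.newInputStream(pemFile)) {
            int i = 0;
            for (Certificate cert : cf.generateCertificates(in)) {
                ts.setCertificateEntry("abc-api-" + i++, cert); // alias is a placeholder
            }
        }
        return ts;
    }

    // Alternative: open a truststore file prepared with keytool
    // (JKS or PKCS12), e.g. one shipped in the container image.
    static KeyStore trustStoreFromFile(Path storeFile, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(storeFile)) {
            ts.load(in, password);
        }
        return ts;
    }

    // Wrap the truststore in an SSLContext; the null key-manager argument means
    // this context presents no client certificate, it only validates the server.
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Path pem = Path.of(args.length > 0 ? args[0] : "ABC.cert");
        // Placeholder endpoint; replace with the real ABC API URL.
        String url = args.length > 1 ? args[1] : "https://abc-api.example.invalid/";

        KeyStore ts = trustStoreFromPem(pem);
        // Only this HttpClient uses the custom truststore; other connections in
        // the same JVM keep validating against the default cacerts/jssecacerts.
        HttpClient client = HttpClient.newBuilder()
                .sslContext(sslContextFor(ts))
                .build();

        HttpRequest req = HttpRequest.newBuilder(URI.create(url)).GET().build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + resp.statusCode());
    }
}
```

If the whole Tomcat JVM should use the same file-based truststore instead (the answer's second option), the file produced for `trustStoreFromFile` can be passed at startup with the system properties the answer names, for example `CATALINA_OPTS="-Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=..."`; the in-code approach above is preferable when only the ABC API connection should trust that certificate.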

huangapple
  • Posted 2020-09-15 03:35:21
  • Please keep this link when reposting: https://go.coder-hub.com/63890811.html