Open Christian-health opened 5 years ago
All of the commands above were found in this blog post. Type the commands above once and you will understand. https://www.jianshu.com/p/1b1c9cfa17a4
https://javarevisited.blogspot.com/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html
trustStore and keyStore are used in the context of setting up an SSL connection in a Java application between client and server. TrustStore and keyStore are very similar in terms of construct and structure, as both are managed by the keytool command and represented programmatically by KeyStore, but they are often confused by Java programmers, beginners and intermediate alike.
The only difference between trustStore and keyStore is what they store and their purpose.
In the SSL handshake, the purpose of the trustStore is to verify credentials and the purpose of the keyStore is to provide credentials.
TrustStore stores certificates from third parties your Java application communicates with, or certificates signed by a CA (certificate authorities like Verisign, Thawte, Geotrust or GoDaddy) which can be used to identify the third party.
keyStore in Java stores private keys and the certificates corresponding to their public keys, and is required if you are an SSL server or if SSL requires client authentication.
This is the second article on setting up SSL in a Java program. In the last post we saw how to import SSL certificates into trustStore and keyStore, and in this Java article we will see some differences between keystore and truststore in Java, which will help to understand this concept better.
(1) The first and major difference between trustStore and keyStore is that trustStore is used by the TrustManager and keyStore is used by the KeyManager class in Java.
KeyManager and TrustManager perform different jobs in Java: TrustManager determines whether the remote connection should be trusted or not, i.e. whether the remote party is who it claims to be, and KeyManager decides which authentication credentials should be sent to the remote host for authentication during the SSL handshake.
If you are an SSL server you will use the private key during the [key exchange algorithm] and send the certificates corresponding to your public keys to the client; this certificate is acquired from the keyStore.
On the SSL client side, if it is written in Java, it will use the certificates stored in the trustStore (I guess these should be the CA certificates) to verify the identity of the server.
SSL certificates most commonly come as a .cer file, which is added into the keyStore or trustStore by using any key management utility, e.g. keytool.
See my post How to add certificates into trustStore for a step by step guide on adding certificates into keyStore or trustStore in Java.
(2) On the other hand, trustStore [stores public keys] or [certificates from a CA (Certificate Authorities)], which are used to trust the remote party or SSL connection.
(3) One more difference between trustStore and KeyStore is that we use -Djavax.net.ssl.keyStore to specify the path for the keyStore and -Djavax.net.ssl.trustStore to specify the path for the trustStore in Java.
(4) Another difference between trustStore and keyStore is that if you store your personal certificate along with the signer certificate (the CA certificate) in the trustStore, you can use the same file as both trustStore and keyStore. By the way, it is a good idea to separate personal certificates and signer certificates into keyStore and trustStore for better management.
(5) One more API level difference between keyStore and trustStore is that the password of the keyStore is provided using -Djavax.net.ssl.keyStorePassword and the password of the trustStore is provided using -Djavax.net.ssl.trustStorePassword.
That's all on the difference between trustStore and keyStore in Java.
https://javarevisited.blogspot.com/2012/03/add-list-certficates-java-keystore.html
How to add or list certificates from keystore or trustStore in Java - Keytool Example
How to add certificates to a keystore in Java is a primary question when you start working on SSL connections, and the simple answer is that the keytool utility in Java is used to add or list certificates in the keystore.
SSL is the industry standard for secure communication between two parties, e.g. client and server.
SSL offers two benefits: it encrypts data transferred between client and server to make it hard for someone in between to access and understand it, and SSL also verifies the identity of the two parties in communication; certificates are used for that purpose.
==> SSL setup in Java comes up during various processes, e.g. setting up SSL on Tomcat, configuring messaging over SSL or JDBC over SSL are some examples of tasks where you need to deal with keyStores, certificates, and trustStores.
For those who are not aware of what a keystore in Java is and what certificates are, we will see a brief introduction in the next section, but for a more detailed discussion refer to my next post on how SSL, HTTPS, and certificates work together in a Java application.
When we access a secure site which uses SSL for providing identity and encryption, it provides a certificate which was verified by a trusted third party like Verisign, GoDaddy or Thawte. By using certificates, the browser or Java client knows that it is talking to the correct site (who it claims to be) and not to a redirected proxy site.
This step is pretty transparent if you access websites using a browser, because if the certificate is not in the browser's trusted store it will ask you to add that certificate and it will subsequently be added.
But when you access a secure site using a Java program, this step of certificate handshaking is not transparent to the user and certificates are verified from the JRE's trustStore.
This trustStore is located in the JDK installation directory referred to by JAVA_HOME, e.g. JAVA_HOME/jre/lib/security, and is commonly named "cacerts".
If the certificate provided by the secure site is present in the JRE's trustStore the SSL connection will be established, but if the certificate is not there then Java will throw an exception, and to solve that you need to add that certificate into the trustStore.
Terms like keyStore and trustStore are often used interchangeably, and the same file can act as keystore as well as trustStore; it is just a matter of pointing the javax.net.ssl.keyStore and javax.net.ssl.trustStore properties to that file, but there is a slight difference between keystore and trustStore.
A keyStore is used to store an individual identity or certificate while a trustStore is used to store other parties' certificates signed by a CA. See difference between keystore and trustStore for more differences.
In this article, we will see how to add, remove and list certificates from a Java keystore using the keytool utility.
keytool is a binary located inside the JAVA_HOME/jre/lib/security folder and used for adding, removing and listing certificates.
Here is a step by step example of adding certificates in Java:
Before adding new certificates to a keystore or trust store it is good to see, count and verify the already installed certificates. Run the following keytool command to get a list of certificates from the keystore:
You see that currently the keystore "cacerts" holds 76 certificates. You can also see Core Java for the Impatient (this is a book) to learn more usages of keytool and other JDK command line tools.
Now let's see an example of adding certificates into a key store in Java:
1. Get the certificate: the easier way is to point your browser to that URL and, when the certificate is presented, save it to a local folder or directory, say C:/certificates/test.cer
2. Now go to the Security folder of your JRE installation directory. If you have the JDK installed then it would be something like C:/Program Files/Java//jdk1.6.0_20/jre/lib/security
3. Execute the following keytool command to insert the certificate into the keystore:
```
keytool -import -keystore cacerts -file test.cer
```
Now this will print details about the certificate and ask you for confirmation of adding the certificate:
```
Trust this certificate? [no]: y
Certificate was added to keystore
```
If you approve it by typing "y" the certificate will be added into the keystore.
```
Trust this certificate? [no]: n
Certificate was not added to keystore
```
If you decline it by typing "n" the certificate will not be added into the keystore.
If you cannot access the secure URL using the browser then you can use InstallCert, by which you can add the certificate into the keystore from a program. For a detailed example see the last section of LDAP authentication with SSL in Java and Spring security. I have provided detailed steps to use the InstallCert.java tool.
Important points about SSL, KeyStore and keytool in Java
1. Certificates are required to access secure sites using the SSL protocol or to make a secure connection from the client to the server.
2. The JRE stores certificates inside a keystore named "cacerts" in the folder C:/Program Files/Java//jdk1.6.0_20/jre/lib/security.
3. The common password of the keystore is "Changeit".
4. Keytool is used to access the keystore in Java, and by using keytool you can list and add certificates in the keystore.
5. If you are implementing an SSL connection on the server side, say Tomcat, you need both keyStore and trustStore; both can be the same file, though. The keyStore will be used to store the server certificate which the server will present to the client on the SSL connection.
That's all on how to add and list certificates from keyStore or trustStore in Java. The keytool utility which comes with the JDK installation will help you to create aliases, list certificates etc.
How do you generate a keystore, and how do you generate a truststore? When there are many certificates in one keystore, which one is used?
https://docs.oracle.com/cd/E19509-01/820-3503/6nf1il6er/index.html
https://docs.oracle.com/cd/E19509-01/820-3503/ggfka/index.html
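Added example (not from the issue or from the blog posts quoted above): the KeyManager/TrustManager split described in the first article, done programmatically instead of through the -Djavax.net.ssl.* properties, plus a wrapper that pins which private-key alias is presented when the keystore holds several entries, which is what the default SunX509 KeyManager otherwise decides for you. The file names server.p12 and truststore.p12, the alias "server" and the passwords are assumptions; the stores are assumed to have been created with keytool as the post describes.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class SeparateStores {
    // Wraps the default KeyManager so that exactly one alias is ever presented;
    // the stock SunX509 manager would otherwise pick the first matching entry.
    static final class FixedAliasKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        private final String alias;
        FixedAliasKeyManager(X509KeyManager d, String a) { delegate = d; alias = a; }
        @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return alias; }
        @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return alias; }
        @Override public String chooseEngineServerAlias(String t, Principal[] i, SSLEngine e) { return alias; }
        @Override public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return alias; }
        @Override public String[] getServerAliases(String t, Principal[] i) { return new String[] { alias }; }
        @Override public String[] getClientAliases(String t, Principal[] i) { return new String[] { alias }; }
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    // Default store type is PKCS12 on current JDKs; a JKS "cacerts" still loads.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    // keyStore: our own private key + certificate chain (consumed by KeyManager).
    // trustStore: CA certificates we accept from the peer (consumed by TrustManager).
    public static SSLContext build(String keyStorePath, char[] keyStorePw, String alias,
                                   String trustStorePath, char[] trustStorePw) throws Exception {
        KeyStore keyStore = load(keyStorePath, keyStorePw);
        // Fail fast: a trusted-cert-only entry under this alias has no private key to present.
        if (!keyStore.isKeyEntry(alias)) throw new IllegalArgumentException("no key entry: " + alias);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePw);
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustStorePw));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new FixedAliasKeyManager(base, alias) }, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = build("server.p12", "changeit".toCharArray(), "server",
                               "truststore.p12", "changeit".toCharArray());
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```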