java SSL Certificate & CA

您是正确的-如果服务器提供的证书没有由公认的CA签署，那么签署所提供证书的证书需要添加到CACERTS中。我所说的可识别CA是指默认Java安装的CACERTS。

严格来说，这有点复杂。如果一个证书的签名路径(signed-by, signed-by…)可以在服务器提供的证书链中追溯到CACERTS中的一个，那么该证书就是可信的。

公钥是证书的一部分。如果您想查看CACERTS中的所有公钥，请在JAVA_HOME中运行以下命令，并将bin放在路径上:

keytool -list -rfc -keystore jre/lib/security/cacerts

password is changeit

这将为您提供大量包含实际证书的输出，例如:

-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIQZ8jh6OO+HL38kTuOpiOHSTANBgkqhkiG9w0BAQUFADCB
izELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTEUMBIGA1UEBxML
RHVyYmFudmlsbGUxDzANBgNVBAoTBlRoYXd0ZTEdMBsGA1UECxMUVGhhd3RlIENl
cnRpZmljYXRpb24xHzAdBgNVBAMTFlRoYXd0ZSBUaW1lc3RhbXBpbmcgQ0EwHhcN
OTcwMTAxMDAwMDAwWhcNMjEwMTAxMjM1OTU5WjCBizELMAkGA1UEBhMCWkExFTAT
BgNVBAgTDFdlc3Rlcm4gQ2FwZTEUMBIGA1UEBxMLRHVyYmFudmlsbGUxDzANBgNV
BAoTBlRoYXd0ZTEdMBsGA1UECxMUVGhhd3RlIENlcnRpZmljYXRpb24xHzAdBgNV
BAMTFlRoYXd0ZSBUaW1lc3RhbXBpbmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBANYrWHhhRYZT6jR7UZztsOYuGA7+4F+oJ9O0yeB8WU4WDnNUYMF/9p8u
6TqFJBU820cEY8OexJQaWt9MevPZQx08EHp5JduQ/vBR5zDWQQD9nyjfeb6Uu522
FOMjhdepQeBMpHmwKxqL8vg7ij5FrHGSALSQQZj7X+36ty6K+Ig3AgMBAAGjEzAR
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAS+mqF4EF+3kKMZ/F
QfRWVKvpwuWXjhj+kckMPiZkyaFMJ2SnvQGTVXFuF0853BvcSTUQOSP/ypvIz2Y/
3Ewa1IEGQlIf4SaxFhe65nByMUToTo1b5NP50OOPJWQx5yr4GIg2GlLFDUE1G2m3
JvUXzMEZXkt8XOKDgJH6L/uatxY=
-----END CERTIFICATE-----

然后使用像这样的站点来检查公钥-它在'RAW OUTPUT">

Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d6:2b:58:78:61:45:86:53:ea:34:7b:51:9c:ed:
b0:e6:2e:18:0e:fe:e0:5f:a8:27:d3:b4:c9:e0:7c:
59:4e:16:0e:73:54:60:c1:7f:f6:9f:2e:e9:3a:85:
24:15:3c:db:47:04:63:c3:9e:c4:94:1a:5a:df:4c:
7a:f3:d9:43:1d:3c:10:7a:79:25:db:90:fe:f0:51:
e7:30:d6:41:00:fd:9f:28:df:79:be:94:bb:9d:b6:
14:e3:23:85:d7:a9:41:e0:4c:a4:79:b0:2b:1a:8b:
f2:f8:3b:8a:3e:45:ac:71:92:00:b4:90:41:98:fb:
5f:ed:fa:b7:2e:8a:f8:88:37
Exponent: 65537 (0x10001)