I am using the Apache HTTP Components library in a Java SE desktop (console) application:
<dependency org="org.apache.httpcomponents" name="httpcore" rev="4.4.5"/>
At the lowest level I am simply doing:
CloseableHttpClient httpClient = HttpClients.custom().setDefaultHeaders(headers).build();
CloseableHttpResponse response = httpClient.execute(request);
I then use this console application to access a web service served over SSL, where the server is configured with the following certificate:
Common Name (CN) InCommon RSA Server CA
Organization (O) Internet2
Organizational Unit (OU) InCommon
I expected my client to fail, because when I look at the certificates bundled with Java there is nothing with "Internet2" or "Inc" in it:
$ keytool -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -list | grep -i 'internet2|inc'
Enter keystore password:
<no output>
$
Why does my client not fail? I have not configured it to accept all certificates. In the past (when the server did not have a proper certificate at all) the code did fail, and I expected the same with the new certificate, since the InCommon CA is not listed in Java's cacerts file.
The suggestion to use `keytool -printcert -sslserver hostname[:port]` was very useful.
I am still not quite clear how to interpret the output of `keytool -printcert -sslserver` and how to "connect" it with the output of `keytool -printcert`. The following (brittle) incantation does find some matches:
for x in $(keytool -printcert -sslserver example.com:443 -v | grep ^Issuer | awk '{print $2}' | cut -c4- | sort | uniq); do keytool -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -list | grep -i "$x"; done
…but the matching is case-insensitive and only on prefixes. In particular, the output of `keytool -printcert -sslserver` contains the string "USERTrust", but the closest the output of `keytool -keystore` comes is "usertrusteccca" and "usertrustrsaca".
Output of `keytool -printcert -sslserver`:
$ keytool -printcert -sslserver example.com:443 -v | grep -i usertrust
accessLocation: URIName: http://crt.usertrust.com/InCommonRSAServerCA_2.crt
accessLocation: URIName: http://ocsp.usertrust.com
Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
accessLocation: URIName: http://ocsp.usertrust.com
[URIName: http://crl.usertrust.com/AddTrustExternalCARoot.crl]
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
accessLocation: URIName: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
accessLocation: URIName: http://ocsp.usertrust.com
[URIName: http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl]
Output of `keytool -keystore`:
$ keytool -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -list | grep -i usertrust
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
usertrusteccca, May 11, 2015, trustedCertEntry,
usertrustrsaca, May 11, 2015, trustedCertEntry,
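One way to "connect" the two outputs, added here as an example and not part of the original question: the alias names in cacerts (`usertrustrsaca` and so on) are just labels chosen when the entry was imported, so grepping them for a CN is unreliable. What actually links a server's chain to the truststore is either (a) a chain certificate whose SHA-256 fingerprint equals that of a trusted entry, or (b) a chain certificate whose Issuer DN equals the Owner DN of a trusted entry. The script below reads the verbose output of both `keytool -printcert -sslserver host:port -v` and `keytool -list -v` and reports which trusted entry the chain lands on. The keytool output embedded in it is constructed sample text (DNs beyond those shown above, and all fingerprints, are made up), trimmed to the lines the script reads; it assumes both keytool commands print DNs in the same format, which they do because they share the same certificate printer, and that the default cacerts password is the well-known `changeit`.

```shell
#!/bin/sh
# Constructed sample of `keytool -printcert -sslserver www.example.edu:443 -v` for a chain of
# two certificates (leaf, then the InCommon intermediate). Fingerprints and most DN fields are invented.
SAMPLE_CHAIN='Certificate #0
====================================
Owner: CN=www.example.edu, O=Example University, L=Springfield, ST=Illinois, C=US
Issuer: CN=InCommon RSA Server CA, OU=InCommon, O=Internet2, L=Ann Arbor, ST=MI, C=US
Certificate fingerprints:
     SHA1: A1:A1:A1:A1:A1:A1:A1:A1
     SHA256: A2:A2:A2:A2:A2:A2:A2:A2
     Signature algorithm name: SHA256withRSA

Certificate #1
====================================
Owner: CN=InCommon RSA Server CA, OU=InCommon, O=Internet2, L=Ann Arbor, ST=MI, C=US
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certificate fingerprints:
     SHA1: B1:B1:B1:B1:B1:B1:B1:B1
     SHA256: B2:B2:B2:B2:B2:B2:B2:B2
     Signature algorithm name: SHA256withRSA'

# Constructed sample of `keytool -keystore cacerts -storepass changeit -list -v`, two entries only.
SAMPLE_STORE='Keystore type: JKS
Keystore provider: SUN

Alias name: usertrusteccca
Creation date: May 11, 2015
Entry type: trustedCertEntry

Owner: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certificate fingerprints:
     SHA1: C1:C1:C1:C1:C1:C1:C1:C1
     SHA256: C2:C2:C2:C2:C2:C2:C2:C2

Alias name: usertrustrsaca
Creation date: May 11, 2015
Entry type: trustedCertEntry

Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certificate fingerprints:
     SHA1: D1:D1:D1:D1:D1:D1:D1:D1
     SHA256: D2:D2:D2:D2:D2:D2:D2:D2'

# Constructed variant in which the server also sends the root itself as the last certificate.
SAMPLE_CHAIN_WITH_ROOT="$SAMPLE_CHAIN

Certificate #2
====================================
Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certificate fingerprints:
     SHA1: D1:D1:D1:D1:D1:D1:D1:D1
     SHA256: D2:D2:D2:D2:D2:D2:D2:D2"

# find_trust_anchor CHAIN_OUTPUT TRUSTSTORE_OUTPUT
# Prints "anchor=<alias> chain_index=<n> match=<fingerprint|issuer-dn>" and returns 0,
# or prints nothing and returns 1 when no chain certificate leads to a trusted entry.
find_trust_anchor() {
  {
    printf '%s\n' "$2"
    printf '===CHAIN===\n'
    printf '%s\n' "$1"
  } | awk '
    BEGIN { section = "store"; n = 0 }
    $0 == "===CHAIN===" { section = "chain"; next }
    section == "store" {
      # Truststore section: map each Owner DN and SHA-256 fingerprint to its alias
      if ($0 ~ /^Alias name: /)  alias = substr($0, 13)
      else if ($0 ~ /^Owner: /)  owner_alias[substr($0, 8)] = alias
      else if ($0 ~ /SHA256: /)  { sub(/.*SHA256: /, ""); fp_alias[$0] = alias }
      next
    }
    # Chain section: collect Owner, Issuer and SHA-256 of each certificate in the order sent
    /^Certificate #/ { n++; next }
    /^Owner: /  { if (n == 0) n = 1; owner[n] = substr($0, 8) }
    /^Issuer: / { if (n == 0) n = 1; issuer[n] = substr($0, 9) }
    /SHA256: /  { if (n == 0) n = 1; sub(/.*SHA256: /, ""); fp[n] = $0 }
    END {
      # Strongest evidence first: a sent certificate that IS a trusted entry (same fingerprint)
      for (i = 1; i <= n; i++)
        if (fp[i] in fp_alias) {
          printf "anchor=%s chain_index=%d match=fingerprint\n", fp_alias[fp[i]], i - 1; exit 0
        }
      # Otherwise: a sent certificate whose Issuer DN equals the Owner DN of a trusted entry
      for (i = 1; i <= n; i++)
        if (issuer[i] in owner_alias) {
          printf "anchor=%s chain_index=%d match=issuer-dn\n", owner_alias[issuer[i]], i - 1; exit 0
        }
      exit 1
    }'
}

# Stand-alone demonstration on the constructed chain; against a live server this would be:
#   find_trust_anchor "$(keytool -printcert -sslserver host:443 -v)" \
#     "$(keytool -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit -list -v)"
find_trust_anchor "$SAMPLE_CHAIN" "$SAMPLE_STORE"
```

On the constructed chain this reports `anchor=usertrustrsaca chain_index=1 match=issuer-dn`: the InCommon intermediate the server sends is issued by the USERTrust RSA root that Java already trusts, which is exactly why the client does not fail even though nothing in cacerts mentions Internet2 or InCommon. A DN match is only an explanation of which anchor the JDK's PKIX validator will pick; the validator still checks the signatures, validity dates and constraints, so the script does not replace it. Two smaller points for anyone repeating the checks above: plain `grep 'internet2|inc'` treats `|` literally, so alternation needs `grep -E`, and `keytool -list` without `-v` prints only aliases, never the DNs or fingerprints that the match has to be made on.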