我已经在我的应用程序中配置了 netflix-zuul 来调用其他服务,并且有必要在应用程序中包含证书。
我正在尝试与此问题中相同的操作(使用带有证书的 netflix-zuul(,但我遇到了问题。
例如,在此链接中,它指示使用了 .keystore,但我拥有的文件是.cer和 .key,并且我看不到如何使用我拥有的文件应用证书。
你能帮我把我拥有的证书与我的应用程序的 netflix-zuul 代理连接起来吗?
非常感谢大家!
编辑 ->我已经尝试了此链接的解决方案,我的代码:
@Bean
public CloseableHttpClient httpClient() throws Throwable {
InputStream is = new FileInputStream(KEYSTOREPATH);
//KEYSTOREPATH = String KEYSTOREPATH = "E:/ARC/myapp/src/main/java/com/myapp/services/myapp/myapp.cer";
// You could get a resource as a stream instead.
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate caCert = (X509Certificate)cf.generateCertificate(is);
TrustManagerFactory tmf = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null); // You don't need the KeyStore instance to come from a file.
ks.setCertificateEntry("caCert", caCert);
tmf.init(ks);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
return HttpClients.custom().setSSLContext(sslContext).build();
}
执行在 netflix-zuul 中配置的路径时,出现此错误:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
... 105 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 111 common frames omitted
您可以尝试构建 SSLContext 并信任来自 .cer 文件的证书,如下所述: 使用仅具有 CA 证书而不带密钥库的 SSLContext
Javier,我能够构建SSLContext,如下所示。你还有问题吗?
@Test
public void sslContext() {
Class demoClass = Demo.class;
InputStream is = demoClass.getResourceAsStream("/test.cert");
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate caCert = (X509Certificate) cf.generateCertificate(is);
TrustManagerFactory tmf = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null); // You don't need the KeyStore instance to come from a file.
ks.setCertificateEntry("caCert", caCert);
tmf.init(ks);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
} catch (CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException | KeyManagementException e) {
e.printStackTrace();
}
}