@torresdyl
2016-09-22T22:20:20.000000Z
java
certificate
linux
http://certificate.fyicenter.com/125_Java_VM_System_and_User_Level_Keystore_Files_on_Windows_7.html
Where is the user-level Java trusted keystore file on Windows? I know the system-level java trusted keystore file is at "\Program Files\java\jre7\lib\security\cacerts".
When Java SE 7 is installed on a Windows system, it maintains 3 trusted certificate keystore files:
jssecacerts
And in Java Configuration, on the Security tab, you can inspect all certificates. These are the same ones you see in these three keystores. You can also import certificates there.
http://unix.stackexchange.com/questions/97244/list-all-available-ssl-ca-certificates#answer-97249
Most distros put soft-links to their certificates in a system-wide location at /etc/ssl/certs
Key files go into /etc/ssl/private
The system-provided actual files are located at /usr/share/ca-certificates
Custom certificates go into /usr/local/share/ca-certificates
Whenever you put a certificate in one of the paths mentioned above, run update-ca-certificates to update the /etc/ssl/certs lists.
Installing a CA
Copy your certificate in PEM format (the format that has ----BEGIN CERTIFICATE---- in it) into /usr/local/share/ca-certificates and name it with a .crt file extension.
Then run
sudo update-ca-certificates
Caveats: This installation only affects products that use this certificate store. Some products may use other certificate stores; if you use those products, you'll need to add this CA certificate to those other certificate stores, too. (Firefox Instructions, Chrome Instructions, Java Instructions)
Testing The CA
You can verify if this worked by looking for the certificate that you just added in /etc/ssl/certs/ca-certificates.crt (which is just a long list of all of your trusted CAs concatenated together).
You can also use OpenSSL's s_client by trying to connect to a server that you know is using a certificate signed by the CA that you just installed.
$ openssl s_client -connect foo.whatever.com:443 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=1 C = US, ST = Virginia, O = "Whatever, Inc.", CN = whatever.com, emailAddress = admin@whatever.com
verify return:1
depth=0 C = US, ST = Virginia, L = Arlington, O = "Whatever, Inc.", CN = foo.whatever.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Virginia/L=Arlington/O=Whatever, Inc./CN=foo.whatever.com
   i:/C=US/ST=Virginia/O=Whatever, Inc./CN=whatever.com/emailAddress=admin@whatever.com
... snip lots of output ...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1392837700
Timeout : 300 (sec)
Verify return code: 0 (ok)
The first thing to look for is the certificate chain near the top of the output. This should show the CA as the issuer (next to i:). This tells you that the server is presenting a certificate signed by the CA you're installing.
Second, look for the verify return code at the end to be set to 0 (ok).
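The answer above says to confirm the install by looking for your certificate in /etc/ssl/certs/ca-certificates.crt. A text search is fragile (line wrapping, stray whitespace, two CAs with similar names), so here is an added example, not part of the original post or the linked answers, that does the "Installing a CA" check by SHA-256 fingerprint: it parses every PEM block in the bundle, hashes the DER bytes the way openssl x509 -fingerprint -sha256 does, and reports whether the CA you dropped into /usr/local/share/ca-certificates actually made it in after update-ca-certificates. The function names, the default bundle path and the sample PEM blocks are my own constructions; the sample "certificates" are stand-in byte strings, not real certificates.

```python
"""Verify that a CA certificate landed in the system bundle after
update-ca-certificates, by fingerprint rather than by text search."""
import base64
import hashlib
import re
import sys
from pathlib import Path

# Matches one PEM certificate block; the capture group is the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Assumed default: the Debian/Ubuntu bundle path named in the answer above.
DEFAULT_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def pem_to_der(pem_body: str) -> bytes:
    """Decode a PEM body (base64, possibly line-wrapped) to DER bytes."""
    return base64.b64decode("".join(pem_body.split()), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the AA:BB:... form openssl x509 prints."""
    hex_digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2))


def bundle_fingerprints(bundle_text: str) -> list[str]:
    """Fingerprints of every certificate in a concatenated PEM bundle, in order."""
    return [fingerprint(pem_to_der(body)) for body in PEM_BLOCK.findall(bundle_text)]


def cert_in_bundle(cert_pem: str, bundle_text: str) -> bool:
    """True if the single certificate in cert_pem appears in bundle_text."""
    bodies = PEM_BLOCK.findall(cert_pem)
    if len(bodies) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(bodies)}")
    return fingerprint(pem_to_der(bodies[0])) in set(bundle_fingerprints(bundle_text))


def check_installed(cert_path: str, bundle_path: str = DEFAULT_BUNDLE) -> bool:
    """Read both files from disk and report whether the CA is in the bundle."""
    return cert_in_bundle(Path(cert_path).read_text(), Path(bundle_path).read_text())


def _fake_pem(der: bytes) -> str:
    """Wrap bytes as a PEM block with 64-column lines (constructed test data)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins, NOT real certificates: the fingerprint check only
# needs the DER bytes, so arbitrary byte strings exercise the same code path.
SAMPLE_CA_DER = b"constructed DER bytes standing in for the example CA"
OTHER_ROOT_DER = b"constructed DER bytes standing in for an unrelated root"
SAMPLE_CA_PEM = _fake_pem(SAMPLE_CA_DER)
SAMPLE_BUNDLE = _fake_pem(OTHER_ROOT_DER) + SAMPLE_CA_PEM


if __name__ == "__main__":
    # Usage: python3 check_ca.py /usr/local/share/ca-certificates/my-ca.crt [bundle]
    if len(sys.argv) >= 2:
        ok = check_installed(sys.argv[1], *sys.argv[2:3])
    else:
        ok = cert_in_bundle(SAMPLE_CA_PEM, SAMPLE_BUNDLE)
    print("installed" if ok else "NOT in bundle")
    sys.exit(0 if ok else 1)
```

Run it with the path of the .crt you copied into /usr/local/share/ca-certificates; a non-zero exit means update-ca-certificates did not pick the file up (a common cause is a missing .crt extension, which the answer above calls out). The fingerprint it computes is the same value openssl x509 -in my-ca.crt -noout -fingerprint -sha256 prints, so you can cross-check by hand.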