[关闭]
@torresdyl 2016-09-22T22:20:20.000000Z 字数 3202 阅读 1593

Certificate location

java certificate linux


Java Certificates location in Window 7

http://certificate.fyicenter.com/125_Java_VM_System_and_User_Level_Keystore_Files_on_Windows_7.html


Where is the user-level Java trusted keystore file on Windows? I know the system-level java trusted keystore file is at "\Program Files\java\jre7\lib\security\cacerts".


When Java SE 7 is installed on a Windows system, it maintains 3 trusted certificate keystore files:

1. System-Level Signer CA Keystore:

Location:
"C:\Program Files\java\jre\lib\security\cacerts"
Password:
changeit
Contents:
All signer CA certificates known at the time of Java release

2. System-Level Secure Site CA Keystore:

(on Windows 10 x64 I cannot find jssecacerts. )
Location:
"C:\Program Files\Java\jre\lib\security\jssecacerts"
Password:
changeit
Contents:
Empty by default.

3. User-Level Certificate Keystore

Location:
"C:\Users\yourname\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs"
Password:
Empty by default
Contents:
Empty by default

And, in Java Configuration and tab Security you can check all certificates. These are the same as you can see in these three keystores. You can also import certificates here.

Linux SSL certificates location

http://unix.stackexchange.com/questions/97244/list-all-available-ssl-ca-certificates#answer-97249

Most distros put their certificates soft-link in system-wide location
at

/etc/ssl/certs

Key files goes into

/etc/ssl/private

System-provided actual files are located at

/usr/share/ca-certificates

custom certificates goes into

/usr/local/share/ca-certificates

Whenever you put certificate in above mentioned path, run
update-ca-certificate to update /etc/ssl/certs lists.

Instalation of CA in Linux

http://superuser.com/questions/437330/how-do-you-add-a-certificate-authority-ca-to-ubuntu#answer-719047

Installing a CA

Copy your certificate in PEM format (the format that has ----BEGIN CERTIFICATE---- in it) into /usr/local/share/ca-certificates and name it with a .crt file extension.
Then run

  1. sudo update-ca-certificates

Caveats: This installation only affects products that use this certificate store. Some products may use other certificate stores; if you use those products, you'll need to add this CA certificate to those other certificate stores, too. (Firefox Instructions, Chrome Instructions, Java Instructions )

Testing The CA

You can verify if this worked by looking for the certificate that you just added in /etc/ssl/certs/ca-certificates.crt (which is just a long list of all of your trusted CA's concatenated together).
You can also use OpenSSL's s_client by trying to connect to a server that you know is using a certificate signed by the CA that you just installed.

  1. $ openssl s_client -connect foo.whatever.com:443 -CApath /etc/ssl/certs
  2. CONNECTED(00000003) depth=1 C = US, ST = Virginia, O = "Whatever, Inc.", CN = whatever.com, emailAddress = admin@whatever.com verify return:1 depth=0 C = US, ST = Virginia, L = Arlington, O = "Whatever, Inc.", CN = foo.whatever.com verify return:1
  3. --- Certificate chain 0 s:/C=US/ST=Virginia/L=Arlington/O=Whatever, Inc./CN=foo.whatever.com i:/C=US/ST=Virginia/O=Whatever,
  4. Inc./CN=whatever.com/emailAddress=admin@whatever.com
  5. ... snip lots of output ...
  6. Key-Arg : None
  7. PSK identity: None
  8. PSK identity hint: None
  9. SRP username: None
  10. Start Time: 1392837700
  11. Timeout : 300 (sec)
  12. Verify return code: 0 (ok)

The first thing to look for is the certificate chain near the top of the output. This should show the CA as the issuer (next to i:). This tells you that the server is resenting a certificate signed by the CA you're installing.
Second, look for the verify return code at the end to be set to 0 (ok).

添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注