@torresdyl 2016-09-22T22:20:20.000000Z 字数 3202 阅读 1573

Certificate location

java certificate linux

Java Certificates location in Window 7

http://certificate.fyicenter.com/125_Java_VM_System_and_User_Level_Keystore_Files_on_Windows_7.html

Where is the user-level Java trusted keystore file on Windows? I know the system-level java trusted keystore file is at "\Program Files\java\jre7\lib\security\cacerts".

When Java SE 7 is installed on a Windows system, it maintains 3 trusted certificate keystore files:

1. System-Level Signer CA Keystore:

Location:: "C:\Program Files\java\jre\lib\security\cacerts"
Password:: changeit
Contents:: All signer CA certificates known at the time of Java release

2. System-Level Secure Site CA Keystore:

(on Windows 10 x64 I cannot find jssecacerts. )
Location:: "C:\Program Files\Java\jre\lib\security\jssecacerts"
Password:: changeit
Contents:: Empty by default.

3. User-Level Certificate Keystore

Location:: "C:\Users\yourname\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs"
Password:: Empty by default
Contents:: Empty by default

And, in Java Configuration and tab Security you can check all certificates. These are the same as you can see in these three keystores. You can also import certificates here.

Linux SSL certificates location

http://unix.stackexchange.com/questions/97244/list-all-available-ssl-ca-certificates#answer-97249

Most distros put their certificates soft-link in system-wide location
at
/etc/ssl/certs
Key files goes into
/etc/ssl/private
System-provided actual files are located at
/usr/share/ca-certificates
custom certificates goes into
/usr/local/share/ca-certificates
Whenever you put certificate in above mentioned path, run
update-ca-certificate to update /etc/ssl/certs lists.

Instalation of CA in Linux

http://superuser.com/questions/437330/how-do-you-add-a-certificate-authority-ca-to-ubuntu#answer-719047

Installing a CA

Copy your certificate in PEM format (the format that has ----BEGIN CERTIFICATE---- in it) into /usr/local/share/ca-certificates and name it with a .crt file extension.
Then run
sudo update-ca-certificates
Caveats: This installation only affects products that use this certificate store. Some products may use other certificate stores; if you use those products, you'll need to add this CA certificate to those other certificate stores, too. (Firefox Instructions, Chrome Instructions, Java Instructions )

Testing The CA

You can verify if this worked by looking for the certificate that you just added in /etc/ssl/certs/ca-certificates.crt (which is just a long list of all of your trusted CA's concatenated together).
You can also use OpenSSL's s_client by trying to connect to a server that you know is using a certificate signed by the CA that you just installed.
$ openssl s_client -connect foo.whatever.com:443 -CApath /etc/ssl/certs
CONNECTED(00000003) depth=1 C = US, ST = Virginia, O = "Whatever, Inc.", CN = whatever.com, emailAddress = admin@whatever.com verify return:1 depth=0 C = US, ST = Virginia, L = Arlington, O = "Whatever, Inc.", CN = foo.whatever.com verify return:1
--- Certificate chain  0 s:/C=US/ST=Virginia/L=Arlington/O=Whatever, Inc./CN=foo.whatever.com    i:/C=US/ST=Virginia/O=Whatever,
Inc./CN=whatever.com/emailAddress=admin@whatever.com
... snip lots of output ...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1392837700
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
The first thing to look for is the certificate chain near the top of the output. This should show the CA as the issuer (next to i:). This tells you that the server is resenting a certificate signed by the CA you're installing.
Second, look for the verify return code at the end to be set to 0 (ok).