Keystores and Truststores
A keystore is a database of key material. Key material is used for a variety of purposes, including authentication and data integrity. There are various types of keystores available, including "PKCS12" and Sun's "JKS."
Generally speaking, keystore information can be grouped into two different categories: key entries and trusted certificate entries. A key entry consists of an entity's identity and its private key, and can be used for a variety of cryptographic purposes. In contrast, a trusted certificate entry only contains a public key in addition to the entity's identity. Thus, a trusted certificate entry can not be used where a private key is required, such as in a javax.net.ssl.KeyManager. In the JDK implementation of "JKS", a keystore may contain both key entries and trusted certificate entries.
A truststore is a keystore which is used when making decisions about what to trust. If you receive some data from an entity that you already trust, and if you can verify that the entity is the one it claims to be, then you can assume that the data really came from that entity.
An entry should only be added to a truststore if the user makes a decision to trust that entity. By either generating a keypair or by importing a certificate, the user has given trust to that entry, and thus any entry in the keystore is considered a trusted entry.
It may be useful to have two different keystore files: one containing just your key entries, and the other containing your trusted certificate entries, including Certification Authority (CA) certificates. The former contains private information, while the latter does not. Using two different files instead of a single keystore file provides for a cleaner separation of the logical distinction between your own certificates (and corresponding private keys) and others' certificates. You could provide more protection for your private keys if you store them in a keystore with restricted access, while providing the trusted certificates in a more publicly accessible keystore if needed.
Creating a Simple Keystore and Truststore
This is the keystore that the server will use.
    % keytool -genkey -alias duke -keyalg RSA \
        -validity 7 -keystore keystore
    Enter keystore password: password
    What is your first and last name?
    [Unknown]: Duke
    What is the name of your organizational unit?
    [Unknown]: Java Software
    What is the name of your organization?
    [Unknown]: Sun Microsystems, Inc.
    What is the name of your City or Locality?
    [Unknown]: Palo Alto
    What is the name of your State or Province?
    [Unknown]: CA
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.",
    L=Palo Alto, ST=CA, C=US correct?
    [no]: yes
    Enter key password for <duke>
    (RETURN if same as keystore password): <CR>

In the listing below, the entry type is keyEntry, which means that this entry has a private key associated with it.

    % keytool -list -v -keystore keystore
    Enter keystore password: password
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: duke
    Creation date: Dec 20, 2001
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.",
    L=Palo Alto, ST=CA, C=US
    Issuer: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.", L=Palo Alto, ST=CA, C=US
    Serial number: 3c22adc1
    Valid from: Thu Dec 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
    Certificate fingerprints:
    MD5: F1:5B:9B:A1:F7:16:CF:25:CF:F4:FF:35:3F:4C:9C:F0
    SHA1: B2:00:50:DD:B6:CC:35:66:21:45:0F:96:AA:AF:6A:3D:E4:03:7C:74
    % keytool -export -alias duke -keystore keystore -rfc \
        -file duke.cer
    Enter keystore password: password
    Certificate stored in file <duke.cer>
    % cat duke.cer
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----

Alternatively, you could generate a Certificate Signing Request (CSR) with -certreq and send that to a Certificate Authority (CA) for signing, but again, that's beyond the scope of this example.
    % keytool -import -alias dukecert -file duke.cer \
        -keystore truststore
    Enter keystore password: trustword
    Owner: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.", L=Palo Alto, ST=CA, C=US
    Issuer: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.", L=Palo Alto, ST=CA, C=US
    Serial number: 3c22adc1
    Valid from: Thu Dec 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
    Certificate fingerprints:
    MD5: F1:5B:9B:A1:F7:16:CF:25:CF:F4:FF:35:3F:4C:9C:F0
    SHA1: B2:00:50:DD:B6:CC:35:66:21:45:0F:96:AA:AF:6A:3D:E4:03:7C:74
    Trust this certificate? [no]: yes
    Certificate was added to keystore
In the truststore listing below, the entry type is trustedCertEntry, which means that a private key is not available for this entry. It also means that this file is not suitable as a KeyManager's keystore.

    % keytool -list -v -keystore truststore
    Enter keystore password: trustword
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: dukecert
    Creation date: Dec 20, 2001
    Entry type: trustedCertEntry
    Owner: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.", L=Palo Alto, ST=CA, C=US
    Issuer: CN=Duke, OU=Java Software, O="Sun Microsystems, Inc.", L=Palo Alto, ST=CA, C=US
    Serial number: 3c22adc1
    Valid from: Thu Dec 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
    Certificate fingerprints:
    MD5: F1:5B:9B:A1:F7:16:CF:25:CF:F4:FF:35:3F:4C:9C:F0
    SHA1: B2:00:50:DD:B6:CC:35:66:21:45:0F:96:AA:AF:6A:3D:E4:03:7C:74

Now run your applications with the appropriate key stores. This example assumes the default X509KeyManager and X509TrustManager are used, thus we will select the keystores using the system properties described in Customization.
    % java -Djavax.net.ssl.keyStore=keystore \
        -Djavax.net.ssl.keyStorePassword=password Server
    % java -Djavax.net.ssl.trustStore=truststore \
        -Djavax.net.ssl.trustStorePassword=trustword Client
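
The keystore/truststore separation recommended earlier and the run step above, as an added example that is not part of the original guide: it loads the two files created by the keytool steps, checks that the keystore holds a key entry and the truststore holds none, and builds the SSLContext explicitly instead of through the javax.net.ssl.* system properties. The class name StoreCheck is hypothetical, the file names and passwords are the demo values from the steps above, and KeyStore.getInstance(File, char[]) requires Java 9 or later.

```java
import java.io.File;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example; StoreCheck is a hypothetical class name.
public class StoreCheck {

    // Counts the entries that carry key material (keyEntry in the listings above).
    static int keyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // Demo file names and passwords from the keytool steps above.
        char[] keyPass = "password".toCharArray();
        // getInstance(File, char[]) (Java 9+) detects the store type and loads it.
        KeyStore identity = KeyStore.getInstance(new File("keystore"), keyPass);
        KeyStore trust = KeyStore.getInstance(new File("truststore"), "trustword".toCharArray());

        if (keyEntries(identity) == 0)
            throw new IllegalStateException("keystore has no key entry; a KeyManager cannot use it");
        if (keyEntries(trust) > 0)
            throw new IllegalStateException("truststore contains key material; keep keys in the restricted keystore");

        // The key password equals the store password (RETURN was pressed at the prompt).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Building the context in code also keeps the store passwords off the java command line, where -D values are visible to anyone who can list processes on the host.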