centos – 将根证书颁发机构添加到Java应用程序教程

2019-08-14由程序员日记发表于系统教程 浏览4次

我在CentOS7上安装了Jenkins,在尝试更新/安装插件时遇到了SSL错误.经过一番调查,结果发现我在Java CA商店中缺少根CA证书.

我使用keytool实用程序将缺少的CA证书添加到Java CA存储中并且它工作正常.但是我发现不得不篡改它很烦人.

难道没有办法让Java继承系统信任的根CA证书吗?如果有,怎么样?

解决方法:

只需将证书文件复制到CentOS 7.x上的此目录:

$sudo cp <cert file> /etc/pki/ca-trust/source/anchors/

将证书文件放入此目录后,运行此命令以使用此新添加的证书更新系统:

$sudo update-ca-trust

Java怎么样?

如果您查看update-ca-trust的手册页,您将看到以下部分:

$man update-ca-trust

/etc/pki/java/cacerts

Classic filename, file contains a list of CA certificates trusted
for TLS server authentication usage, in the Java keystore file
format, without distrust information. This file is a
symbolic link that refers to the consolidated output created by the
update-ca-trust command.

如果查看该文件,您可以看到它如何插入/ etc / pki目录结构的其余部分:

$ll /etc/pki/java/cacerts
lrwxrwxrwx. 1 root root 40 May  2 10:41 /etc/pki/java/cacerts -> /etc/pki/ca-trust/extracted/java/cacerts

如果我们对它运行Java keytool:

$keytool -list -keystore /etc/pki/java/cacerts -storepass changeit |& head
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 155 entries

hellenicacademicandresearchinstitutionsrootca2011, May 2, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): FE:45:65:9B:79:03:5B:98:A1:61:B5:51:2E:AC:DA:58:09:48:22:4D
taiwangrca, May 2, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): F4:8B:11:BF:DE:AB:BE:94:54:20:71:E6:41:DE:6B:BE:88:2B:40:B9
teliasonerarootcav1, May 2, 2018, trustedCertEntry,

您可以看到上面已经获得了所有可用的证书,它们会自动合并到这个Java JKS文件中.该文件可供系统上运行的任何Java应用程序使用.

参考

How to add Certificate Authority in centos7?
How to reset the list of trusted CA certificates in RHEL 6 & RHEL 7