问题描述
我正在尝试建立SSL套接字连接(并在客户端上执行以下操作)
I am trying to setup a SSL Socket connection (and am doing the following on the client)
-
我生成证书签名请求以获取已签名的客户端证书
I generate a Certificte Signing Request to obtain a signed client certificate
现在我有一个私钥(在CSR期间使用),一个签名的客户端证书和根证书(带外获得).
Now I have a private key (used during the CSR), a signed client certificate and root certificate (obtained out of band).
我将私钥和签名的客户端证书添加到证书链中,并将其添加到密钥管理器中.并将根证书提供给信任管理器.但是我收到了错误的证书错误.
I add the private key and signed client certificate to a cert chain and add that to the key manager. and the root cert to the trust manager.But I get a bad certificate error.
我很确定我使用的是正确的证书.我是否也应该将签名的客户端证书添加到信任管理器?试过了,还是没有运气.
I am pretty sure I am using the right certs. Should I add the signed client cert to the trust manager as well? Tried that, no luck still.
//I add the private key and the client cert to KeyStore ks
FileInputStream certificateStream = new FileInputStream(clientCertFile);
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
java.security.cert.Certificate[] chain = {};
chain = certificateFactory.generateCertificates(certificateStream).toArray(chain);
certificateStream.close();
String privateKeyEntryPassword = "123";
ks.setEntry("abc", new KeyStore.PrivateKeyEntry(privateKey, chain),
new KeyStore.PasswordProtection(privateKeyEntryPassword.toCharArray()));
//Add the root certificate to keystore jks
FileInputStream is = new FileInputStream(new File(filename));
CertificateFactory cf = CertificateFactory.getInstance("X.509");
java.security.cert.X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
System.out.println("Certificate Information: ");
System.out.println(cert.getSubjectDN().toString());
jks.setCertificateEntry(cert.getSubjectDN().toString(), cert);
//Initialize the keymanager and trustmanager and add them to the SSL context
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, "123".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(jks);
我需要在此处创建某种证书链吗?
我也有一个包含这些组件的p12,并且使用了非常相似的代码,将私钥添加到密钥管理器中,并将根证书从p12添加到了信任管理器中,我可以使它工作.但是现在我需要使它在没有p12的情况下工作.
Is there some sort of certificate chain that I need to create here?
I had a p12 with these components as well and upon using pretty similar code, adding the private key to the keymanager and the root cert from p12 to the trust manager I could make it work. But now I need to make it work without the p12.
已请求堆栈跟踪.希望这足够了.(注意:我屏蔽了文件名)
Stack trace was requested. Hope this should suffice. (NOTE: I masked the filenames)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
at client.abc2.openSocketConnection(abc2.java:33)
at client.abc1.runClient(abc1.java:63)
at screens.app.abc.validateLogin(abc.java:197)
... 32 more
推荐答案
您还需要将根证书添加到密钥库中.
You need to add the root cert to the keystore as well.
这篇关于收到致命警报:bad_certificate的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!