Java trusted certificates: adding a trusted certificate programmatically in Java

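In a Java environment, communicating over SSL without being able to use a certificate authority (CA) leads to a SunCertPathBuilderException. One workaround is to create an X509TrustManager that trusts all certificates, but the author wants to prompt the user during the first handshake and ask whether to add the invalid certificate to their certificate store. The article explores how to implement this, including how to show the prompt programmatically and add the certificate dynamically, similar to the way browsers handle invalid certificates. Although the code sample that was found deals with importing a key, in theory it can be simplified for the case of importing only a certificate. Java's security documentation, especially the JavaDoc for KeyStore, provides relevant help.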


I use SSL to communicate between two components written in Java. I can't use a CA, so I have to self-sign everything. Unfortunately, this means that when I try to handshake, I get a SunCertPathBuilderException. I can create my own X509TrustManager that just trusts everything, but that sort of defeats the purpose of having a signed cert.

I would like, when first making the connection, to prompt the user with "SSL handshake with invalid cert. Add cert to store?" or something so they could have it added for them to their certificate store, like web browsers do at sites with invalid certs. I can find plenty of examples online of adding a cert to the store through the command line, but I can't figure out how to do it programmatically. Is there a way to do this?

Solution

Yes, it is possible.

There is some code here that I've used before. I had to modify it to do what I wanted, and I suspect that you will too, but this should get you close - you aren't trying to import a key, so theoretically you should be able to simplify things. In any case you can get an idea of what you'll need.

The JDK JavaDoc for java.security.KeyStore is pretty useful too.
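
One way to do what the question asks, as an added example (not the code the answer linked to): a trust manager that still validates against a private store, records the chain it rejected, and adds the leaf certificate with `KeyStore.setCertificateEntry` only after the user confirms its fingerprint. The store path `peer-truststore.p12`, the password and the use of the host name as alias are assumptions made for this example.

```java
import javax.net.ssl.*;
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
public class TrustOnFirstUse {
    public static void main(String[] args) throws Exception {
        String host = args[0];
        File storeFile = new File("peer-truststore.p12"); // assumed path for this example
        char[] pw = "changeit".toCharArray();             // placeholder password
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = storeFile.exists() ? new FileInputStream(storeFile) : null) {
            ks.load(in, pw); // a null stream creates an empty store
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        X509Certificate[][] rejected = new X509Certificate[1][];
        X509TrustManager recording = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    real.checkServerTrusted(chain, authType); // normal validation still applies
                } catch (CertificateException | RuntimeException e) { // RuntimeException: store is empty
                    rejected[0] = chain; // remember what was refused, then refuse it
                    throw new CertificateException(e);
                }
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                real.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, Integer.parseInt(args[1]))) {
            s.startHandshake(); // completes only if the certificate is already in the store
        } catch (SSLException e) {
            if (rejected[0] == null) throw e; // the failure was not a trust decision
            X509Certificate leaf = rejected[0][0];
            byte[] d = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            System.out.printf("SSL handshake with invalid cert: %s%nSHA-256: %064x%nAdd cert to store? [y/N] ",
                    leaf.getSubjectX500Principal(), new BigInteger(1, d));
            String answer = new BufferedReader(new InputStreamReader(System.in)).readLine();
            if (answer != null && answer.trim().equalsIgnoreCase("y")) {
                ks.setCertificateEntry(host, leaf); // alias = host name (example convention)
                try (OutputStream out = new FileOutputStream(storeFile)) { ks.store(out, pw); }
            }
        }
    }
}
```

Run it with a host and port as arguments, and compare the printed fingerprint with one obtained from the peer's operator over a separate channel before answering `y`. The next connection then validates against the updated store with no prompt.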
