Java certificate: HTTPS and SSL application notes test

Source: Internet
Author: User
Tags: ssl connection

When Java opens an HTTPS connection it behaves like a normal browser: the server certificate must still be verified as trusted (issued or signed by a trusted authority). If the server certificate is not trusted, the default implementation fails the handshake. The error Java typically reports when accessing such an SSL link is:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133)
        at com.wenhq.http.TestSSL.testAig(TestSSL.java:21)
        at com.wenhq.http.TestSSL.main(TestSSL.java:13)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
        ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)

The cause of this exception is that the server certificate cannot be chained to any certificate in the trusted certificate store.

When the client performs an SSL connection, JSSE decides whether to trust the server certificate based on the certificates in its TrustStore file. In SunJSSE, a trust manager class decides whether a remote certificate is trusted, using the following rules:
1) If the system property javax.net.ssl.trustStore specifies a TrustStore file, the trust manager searches for that file in the lib/security/ directory under the JRE installation path and uses it to check the certificate.
2) If the system property does not specify a TrustStore file, it looks for the default TrustStore file under the JRE installation path; the relative path of this file is lib/security/jssecacerts.
3) If jssecacerts does not exist but cacerts does (cacerts ships with the J2SDK and contains a limited set of trusted root certificates), the default TrustStore file is lib/security/cacerts.

You can use the following method to add a trusted certificate to Java:
1. Export the certificate from the Chrome browser as a .cer file;

2. Import the .cer certificate into the Java certificate trust store:
D:\Program Files\Java\jdk1.6.0_07\bin> keytool -import -keystore jssecacerts -file purchase.cer -alias purchase

Enter the keystore password: changeit
Enter the new password again: changeit

3. Place the generated jssecacerts file in the $Java_home\jdk1.6.0_07\jre\lib\security directory.
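If the JRE's lib/security directory cannot be modified, the application can load the jssecacerts built in step 2 itself. The following Java program is an added example, not code from the original notes; the class name TrustStoreClient, its methods and the URL taken from the first argument are assumptions. It locates the TrustStore in the order of the three rules above (the javax.net.ssl.trustStore property, then jssecacerts, then cacerts), builds an SSLContext from it and connects: certificate validation stays switched on, only the set of trusted issuers changes.

```java
import java.io.File;
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreClient {
    // Locate the TrustStore in the order the rules above give:
    // javax.net.ssl.trustStore property, then jssecacerts, then cacerts.
    static File resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return new File(prop);
        File security = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(security, "jssecacerts");
        return jsse.exists() ? jsse : new File(security, "cacerts");
    }

    // Build an SSLContext that trusts only the CAs in that store. Validation
    // stays switched on; the store just decides which issuers are trusted.
    static SSLContext contextFor(File store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(store)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        File store = resolveTrustStore();
        // "changeit" is the default password of jssecacerts/cacerts (see step 2).
        SSLContext ctx = contextFor(store, "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // this connection only
        try {
            conn.connect();
            System.out.println("Handshake OK, HTTP " + conn.getResponseCode());
        } catch (SSLHandshakeException e) {
            // The PKIX failure shown above: the issuing CA is not in the store.
            System.err.println("Untrusted server certificate; import its CA into "
                + store + " with keytool -import. " + e.getMessage());
        }
    }
}
```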

Summary on keytool usage

SUN provides the certificate tool keytool, which is included in JDK 1.4 and later versions. It is located at <JAVA_HOME>\bin\keytool.exe.

Keytool operations:
1. Create a certificate
2. View the certificate Library
3. Export the certificate file
4. Import certificate information
5. View certificate information
6. Delete entries in the keystore
7. Modify the password of the certificate entry

1. Create a certificate
keytool -genkeypair -alias "test1" -keyalg "RSA" -keystore "test.keystore"

Note:
The KeyStore password is testtest.
The password for the certificate entry is testtest1. If the alias is test2, the password is testtest2.
Take care not to confuse the two.
Function:
Creates a certificate entry named test1 in the keystore named test.keystore. If test.keystore does not exist, it is created.
Parameter description:
-genkeypair: generates an asymmetric key pair;
-alias: specifies the alias of the key pair, which is public;
-keyalg: specifies the encryption algorithm; this example uses the common RSA algorithm;
-keystore: the path and name of the keystore. If this parameter is not specified, a ".keystore" file is generated by default in the operating-system user's home directory.

2. View the certificate Library
keytool -list -keystore test.keystore

3. Export to certificate file
keytool -export -alias test1 -file test.crt -keystore test.keystore
Exports the certificate entry test1 in the keystore named test.keystore to the certificate file test.crt.

4. Import certificate information
keytool -import -keystore test_cacerts -file test.crt

5. View certificate information
keytool -printcert -file "test.crt"
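keytool -printcert shows the fields of a certificate file. The following Java program is an added example, not part of the original notes (the class name CertCheck and its methods are assumptions); it reads the same file programmatically and adds the two checks worth running on any exported .cer before trusting it: it prints the SHA-256 fingerprint for out-of-band comparison, and it runs the same PKIX path building that fails in the stack trace above against a truststore (which must hold at least one trusted certificate entry) to confirm the store now anchors the certificate.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class CertCheck {
    // Hex SHA-256 fingerprint of the DER encoding, to compare out of band before importing.
    static String fingerprint(X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    // The PKIX path building the trust manager runs during the handshake (the
    // SunCertPathBuilder frames above); false means no CA in the store anchors this cert.
    static boolean chainsToStore(X509Certificate cert, KeyStore store) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(cert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(store, target);
        params.addCertStore(CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(Collections.singleton(cert))));
        params.setRevocationEnabled(false); // offline check: no CRL/OCSP fetch
        try {
            CertPathBuilder.getInstance("PKIX").build(params); // also checks validity dates
            return true;
        } catch (CertPathBuilderException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        // args: certificate file (e.g. test.crt), truststore (e.g. test_cacerts), its password
        X509Certificate cert;
        try (FileInputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[1])) {
            store.load(in, args[2].toCharArray());
        }
        System.out.println(cert.getSubjectX500Principal() + "\nSHA-256: " + fingerprint(cert)
            + "\nPKIX path to trust store: " + chainsToStore(cert, store));
    }
}
```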

6. Delete entries in the keystore
Delete the certificate entry with the alias test2 from the keystore test.keystore:
keytool -delete -keystore test.keystore -alias test2

7. Modify the password of the certificate entry
keytool -keypasswd -alias test1 -keypass testtest1 -new testtesttest1 -storepass testtest -keystore test.keystore
Function:
Changes the password of the certificate entry with alias test1 in the keystore test.keystore to testtesttest1.
