Apache HttpClient and PEM certificate files

前端 未结 2 859
-上瘾入骨i
-上瘾入骨i 2021-02-06 08:30

I\'d like to programmatically access a site that requires Client certificates, which I have in PEM files. In this application I don\'t want to add them to my keystore, use keyt

相关标签:
2条回答
  • 2021-02-06 09:16

    You can create a KeyStore from .pem files like so:

    private KeyStore getTrustStore(final InputStream pathToPemFile) throws IOException, KeyStoreException,
            NoSuchAlgorithmException, CertificateException {
        final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null);
    
        // load all certs
        for (Certificate cert : CertificateFactory.getInstance("X509")
                .generateCertificates(pathToPemFile)) {
            final X509Certificate crt = (X509Certificate) cert;
    
            try {
                final String alias = crt.getSubjectX500Principal().getName();
                ks.setCertificateEntry(alias, crt);
                LOG.info("Added alias " + alias + " to TrustStore");
            } catch (KeyStoreException exp) {
                LOG.error(exp.getMessage());
            }
        }
    
        return ks;
    }
    
    0 讨论(0)
  • 2021-02-06 09:24

    Easiest may well be to use the .p12 format (though the others work fine too - just be careful with extra lines outside the base64 blocks) and add something like:

    // systems I trust
    System.setProperty("javax.net.ssl.trustStore", "foo");
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
    
    // my credentials
    System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
    System.setProperty("javax.net.ssl.keyStore", "cert.p12");
    System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
    

    Or alternatively - use things like

        KeyStore ks = KeyStore.getInstance( "pkcs12" );
        ks.load( new FileInputStream( ....), "mypassword".toCharArray() );
    
        KeyStore jks = KeyStore.getInstance( "JKS" );
        ks.load(...
    

    to create above on the fly instead. And rather than rely on the system property - use somethng like:

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(aboveKeyStore, "changeme".toCharArray());
        sslContext = SSLContext.getInstance("SSLv3");
        sslContext.init(kmf.getKeyManagers(), null, null);
    

    which keeps it separate from keystore.

    DW.

    0 讨论(0)
提交回复
热议问题