我使用以下命令创建了自签名证书:
keytool -genkeypair -keyalg RSA -alias test-api -keystore test-api.p12 -storepass password -validity 3650 -keysize 2048 -storetype pkcs12
然后我将此密钥库导入到新的信任库中:
keytool -import -trustcacerts -alias test-api-2018 -file test.crt -keystore trusted-keystore.p12 -storetype pkcs12
在 Java 中,创建自定义 SSL 存储提供程序 (
org.springframework.boot.context.embedded.SslStoreProvidertry {
try (final InputStream keyStoreStream = new ByteArrayInputStream(Base64.decode(keyStoreEncoded))) {
keyStore = KeyStore.getInstance(KEYSTORE_TYPE_PKCS12);
LOGGER.info("Loading a KeyStore object based on the decoded value.");
keyStore.load(keyStoreStream, serverSslKeyPassword.toCharArray());
}
....
trustStore.load(trustStoreStream, serverSslTrustStorePassword.toCharArray());
}
创建了
EmbeddedServletContainerCustomizerpublic void customize(final ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
configurableEmbeddedServletContainer.setSslStoreProvider(awsSslStoreProvider);
}
应用程序因以下错误而无法启动:
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
at java.security.KeyStore.setKeyEntry(KeyStore.java:1136)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:253)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
... 19 common frames omitted
当
application.properties就我而言,我使用了
server.ssl.key-password=123456789
而不是
server.ssl.key-store-password=123456789
当使用 BouncyCastle 作为 PKCS12 密钥存储提供程序并且密钥别名使用不正确的大写字母时,也会发生这种情况。
例如(不正确):
server.ssl.key-alias=17B2E92E5694C7AE11A65C4A4EBFC75558399E05
相反(正确):
server.ssl.key-alias=17b2e92e5694c7ae11a65c4a4ebfc75558399e05
这个错误的奇怪之处在于找到了密钥,所以显然不区分大小写,但对
ks.getCertificateChain(keyAlias)