通过查看文件java.security
我的JRE
,我看到,默认使用的密钥库类型设置为JKS
。 在这里 ,有可以使用的密钥库类型的列表。
有没有推荐的密钥库类型? 有哪些不同的密钥库类型的优点/缺点?
通过查看文件java.security
我的JRE
,我看到,默认使用的密钥库类型设置为JKS
。 在这里 ,有可以使用的密钥库类型的列表。
有没有推荐的密钥库类型? 有哪些不同的密钥库类型的优点/缺点?
There are a few more types than what's listed in the standard name list you've linked to. You can find more in the cryptographic providers documentation. The most common are certainly JKS
(the default) and PKCS12
(for PKCS#12 files, often with extension .p12
or sometimes .pfx
).
JKS is the most common if you stay within the Java world. PKCS#12 isn't Java-specific, it's particularly convenient to use certificates (with private keys) backed up from a browser or coming from OpenSSL-based tools (keytool
wasn't able to convert a keystore and import its private keys before Java 6, so you had to use other tools).
If you already have a PKCS#12 file, it's often easier to use the PKCS12
type directly. It's possible to convert formats, but it's rarely necessary if you can choose the keystore type directly.
In Java 7, PKCS12
was mainly useful as a keystore but less for a truststore (see the difference between a keystore and a truststore), because you couldn't store certificate entries without a private key. In contrast, JKS
doesn't require each entry to be a private key entry, so you can have entries that contain only certificates, which is useful for trust stores, where you store the list of certificates you trust (but you don't have the private key for them).
This has changed in Java 8, so you can now have certificate-only entries in PKCS12
stores too. (More details about these changes and further plans can be found in JEP 229: Create PKCS12 Keystores by Default.)
There are a few other keystore types, perhaps less frequently used (depending on the context), those include:
PKCS11
, for PKCS#11 libraries, typically for accessing hardware cryptographic tokens, but the Sun provider implementation also supports NSS stores (from Mozilla) through this.BKS
, using the BouncyCastle provider (commonly used for Android).Windows-MY
/Windows-ROOT
, if you want to access the Windows certificate store directly.KeychainStore
, if you want to use the OSX keychain directly.这里是介绍了不同类型的Java密钥库和不同类型的密钥库之间的差异后。 http://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview
下面是从岗位不同密钥库的描述:
JKS,Java的密钥存储区。 你可以找到在sun.security.provider.JavaKeyStore此文件。 此密钥库是特定于Java,它通常具有JKS的延伸。 这种类型的密钥库可以包含私钥和证书,但它不能被用来存储密钥。 因为它是一个特定于Java的密钥库,所以不能在其他编程语言中使用。
JCEKS,JCE密钥存储。 你可以找到在com.sun.crypto.provider.JceKeyStore此文件。 此密钥库JCEKS的延伸。 它可以放置在JCEKS密钥库中的条目是私有密钥,密钥和证书。
PKCS12,这是可以在Java等语言中使用的标准密钥库类型。 你可以找到在这个sun.security.pkcs12.PKCS12KeyStore密钥仓库实现。 它通常有P12或PFX的延伸。 你可以存储在这种类型的私有密钥,密钥和证书。
PKCS11,这是一个硬件密钥库类型。 它的服务器的Java库的接口与硬件密钥存储设备,如月神,nCipher的连接。 你可以找到在这个sun.security.pkcs11.P11KeyStore实施。 当加载密钥库,你就没必要创建具有特定配置的特定供应商。 此密钥库可以存储私钥,密钥和cetrificates。 当加载密钥库,条目将从密钥库中检索和然后转化成软件项。