Can I create self-signed certificate in Java which

Published 2019-06-22 07:18

Question:

I've generated a self-signed certificate for my Java app using keytool. However, when I go to the site in a browser it always pops up with a warning - saying this site does not own the certificate - is there a way to self-sign/doctor a certificate so I won't get these warnings in a browser? Both server and browser are located on the same host and I navigate to the site using "http://localhost/". I do not want to add an exception to the browser because I have tests which run on a big build farm so it is excessive to add an exception to all browsers on all build machines.

Answer 1:

You could also set up a self-signed Certificate Authority (CA) using OpenSSL or possibly your Java tool. You can then use that CA to sign a number of server certs.

You are still going to need to manually trust your self-signed CA on all clients that access your test servers, but at least you only have to trust one root CA, rather than a bunch of individual self-signed server certs.

Another option is to check out CAcert.



Answer 2:

No, you can't. You might as well ask "How can I make a fake certificate for hsbc.com?"

There are two ways to get a browser to accept a certificate:

  • Buy a certificate for a domain from a trusted authority (which means proving to that authority that you own that domain) and then use that domain as the name of your test servers
  • Install your signing certificate into the browsers, so that you effectively become a trusted authority for that browser.

Without touching the browsers, there's no other way to do it - how could there be, if the internet is to remain secure?



Answer 3:

Is the certificate you created for localhost or for test.textbox.com? If you create a certificate for the FQDN test.textbox.com, that's how you need to be reaching the server to not get those errors, as long as the certificate is properly signed. You can't generate a certificate for the FQDN and then use an IP or an alias (localhost) to access it without being warned that things aren't matching up properly. Or am I misunderstanding your problem?



Answer 4:

Make the certificate for "localhost" instead. It needs to match the hostname you have in the URL.

You will still be bothered as the certificate is not trusted, but that is another issue.
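
The approach from answers 1 and 4 combined, as an added example that is not part of the original thread: a throwaway test CA signs a server certificate whose subject alternative name is `localhost`, and `openssl verify` then shows that acceptance depends on both the trusted CA and the name in the URL. The file names, subject names and 30-day lifetime are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a throwaway test CA plus a CA-signed server certificate.
# Subject names, file names and lifetimes are constructed for illustration.

# make_test_pki DIR HOST: writes ca.key/ca.crt and server.key/server.crt in DIR.
make_test_pki() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    # Minimal OpenSSL config: one extension section per certificate role.
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Self-signed root: the single certificate every client has to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/pki.cnf" -extensions v3_ca -subj "/CN=Example Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Server key and signing request for the name that appears in the URL.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" \
        2>/dev/null || return 1
    # 3. The CA signs the request; clients match the URL host against the SAN.
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null
}

# cert_ok CAFILE CERT NAME: succeeds only if CERT chains to CAFILE and covers NAME.
cert_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo: the name must match, and the client must trust the CA.
work=$(mktemp -d)
make_test_pki "$work" localhost
cert_ok "$work/ca.crt" "$work/server.crt" localhost && echo "localhost: accepted"
cert_ok "$work/ca.crt" "$work/server.crt" test.textbox.com || echo "test.textbox.com: rejected"
rm -rf "$work"
```

Only `ca.crt` goes to the build machines' trust stores; `ca.key` stays off them, because whoever holds it can issue certificates those browsers will accept for any name.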