- CA
Understand the process by which a CA issues certificates, and what makes those certificates legitimate
http://www.texnet.com.cn/help/cklc/618.html
How does a CA work?
http://technet.microsoft.com/en-us/library/cc737264.aspx
- Self-Signed
A Self-Signed certificate must be loaded into the Trust Store
How is the Self-Signed cert verified?
1. When you connect to an SSL server, the Java application asks the server to send its certificate
2. The client checks whether the certificate is valid (signature, validity dates, etc.)
3. If step 2 validates successfully, the Java client validates whether the issuer of the certificate can be trusted. This is where the trust store comes into the picture. Java, by default, goes to the <jre>/lib/security/cacerts file to see if the issuer can be accepted. If the (last) issuer is not found in that trust store, it throws an exception.
As I did the step as the bold words said with FTPS, it really did not throw the exception if I didn't import the certificate into the truststore. And we need to create a TrustManager from the self-signed certificate and then handshake with the server to verify whether the server is legal or fake.
4. In theory, to test your SSL application in test mode, you can add the server certificate (given by your admin) to the default cacerts (which is a very, very bad approach) or create a new trust store with that certificate and use that in your application (this is the preferred approach)
5. Refer to http://exampledepot.com/egs/javax.net.ssl/Client.html which explains how to use your own keystore as TrustStore.
You can use keytool -import command to create a new keystore, by importing the certificate. Check out http://exampledepot.com/egs/java.security.cert/ImportCert.html
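CA Certificates and Self-Signed Certificates Explained
This article describes in detail how CA certificates are issued and how their legitimacy is verified, and looks closely at how Self-Signed certificates work. From this article, readers can learn how to add a Self-Signed certificate to the trust store and how a Java application verifies such a certificate.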