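How can I get a list of trusted root certificates in Java?

I would like to be able to access all trusted root certificates programmatically in a Java application.

I was looking at the keystore interface, but I'm hoping to get the list of trusted roots that is implicit in the JRE.

Is this accessible anywhere?

There is an example, called Listing the Most-Trusted Certificate Authorities (CA) in a Key Store, that shows how to get a set of the root certificates and iterate over them. Here is a slightly modified version that prints out each certificate (tested on Windows Vista).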

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;

public class Main {
    public static void main(String[] args) {
        // Load the JDK's cacerts keystore file
        String filename = System.getProperty("java.home")
                + "/lib/security/cacerts".replace('/', File.separatorChar);
        // try-with-resources closes the stream even if loading fails
        try (FileInputStream is = new FileInputStream(filename)) {
            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
            String password = "changeit";
            keystore.load(is, password.toCharArray());

            // This class retrieves the most-trusted CAs from the keystore
            PKIXParameters params = new PKIXParameters(keystore);

            // Get the set of trust anchors, which contain the most-trusted CA certificates
            for (TrustAnchor ta : params.getTrustAnchors()) {
                // Get certificate
                X509Certificate cert = ta.getTrustedCert();
                System.out.println(cert);
            }
        } catch (CertificateException | KeyStoreException | NoSuchAlgorithmException
                | InvalidAlgorithmParameterException | IOException e) {
            // Report the failure instead of silently swallowing it
            e.printStackTrace();
        }
    }
}
```

This should be more flexible, using the default trust store in the system to get all certificates:

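```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

TrustManagerFactory trustManagerFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
List<X509Certificate> x509Certificates = new ArrayList<>();
// A null KeyStore makes the factory fall back to the default trust store
trustManagerFactory.init((KeyStore) null);
Arrays.asList(trustManagerFactory.getTrustManagers()).stream().forEach(t -> {
    x509Certificates.addAll(Arrays.asList(((X509TrustManager) t).getAcceptedIssuers()));
});
```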
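Building on the default-trust-store approach above, the following added example (not part of either answer) turns the listing into a trust store audit: it prints each root's SHA-256 fingerprint and subject, and flags roots that are expired or missing from a baseline. The class name `TrustAnchorAudit` and the convention of passing expected fingerprints as command-line arguments are assumptions made for illustration.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAnchorAudit { // hypothetical class name

    // SHA-256 over the DER encoding: the value to compare against a baseline.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Roots accepted by the default trust managers (honours javax.net.ssl.trustStore).
    static List<X509Certificate> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        List<X509Certificate> roots = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { // skip non-X.509 managers safely
                roots.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
            }
        }
        return roots;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: expected lowercase hex fingerprints are passed as arguments.
        Set<String> baseline = new HashSet<>(Arrays.asList(args));
        Date now = new Date();
        for (X509Certificate cert : defaultTrustAnchors()) {
            String fp = fingerprint(cert);
            String status = now.after(cert.getNotAfter()) ? "EXPIRED"
                    : (!baseline.isEmpty() && !baseline.contains(fp)) ? "NOT-IN-BASELINE"
                    : "ok";
            System.out.printf("%-15s %s  %s%n", status, fp,
                    cert.getSubjectX500Principal().getName());
        }
    }
}
```

Run with no arguments, it only lists the roots and flags expired ones; a root reported as `NOT-IN-BASELINE` was added to the trust store after the baseline was recorded and should be reviewed.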
