一、生成PEM文件

这里以邮件发送接口为例https://api.mailgun.net/v3/，首先运行以下命令：

openssl s_client -host api.mailgun.net -port 443 -prexit -showcerts

执行结果如下：

CONNECTED(00000003)depth=1 C = US, O = "thawte, Inc.", CN = thawte SHA256 SSL CAverify error:num=20:unable to get local issuer certificate---Certificate chain 0 s:/C=US/ST=Texas/L=San Antonio/O=Rackspace US, Inc/OU=Mailgun/CN=*.mailgun.com   i:/C=US/O=thawte, Inc./CN=thawte SHA256 SSL CA-----BEGIN CERTIFICATE-----MIIGRjCCBS6gAwIBAgIQcPBE+lQWtps2UTd0ornMgjANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMR0wGwYDVQQDExR0aGF3dGUgU0hBMjU2IFNTTCBDQTAeFw0xNjAyMDkwMDAwMDBaFw0xODA0MDgyMzU5NTlaMHkxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVUZXhhczEUMBIGA1UEBxQLU2FuIEFudG9uaW8xGjAYBgNVBAoUEVJhY2tzcGFjZSBVUywgSW5jMRAwDgYDVQQLFAdNYWlsZ3VuMRYwFAYDVQQDFA0qLm1haWxndW4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyzQJUmOuQsksJ+ypj6ndmfkmFa39aXZKxIsvVSSmGSqUupFO3awNDo4aaGnjjN8OFwHQozthBfNz04RDKgV0E22gyrrOOpCd88mHokJKeV04TVc93/MQYAVQQ3Ou7b/GafuFcDu1Z5s+YgN1iMEXR4iMczlFsS1SzWZ03WOFeEGnxR31n6wLoOwcBEvD58v4zANntM9Ajwv0UHpd72nzBpwVFQYwY3vQrfK/5E5nbWJfcixs85Ube9L5ID71d49f9XRctPLvAINkktjvAu627WGg9Vs2KmzfXd+xJTcjZdpHWcW/PohxCZfyIaVP2tf5b7JwJFYp4ZkKt8KH8CR/5QIDAQABo4IC/jCCAvowJQYDVR0RBB4wHIINKi5tYWlsZ3VuLmNvbYILbWFpbGd1bi5jb20wCQYDVR0TBAIwADBuBgNVHSAEZzBlMGMGBmeBDAECAjBZMCYGCCsGAQUFBwIBFhpodHRwczovL3d3dy50aGF3dGUuY29tL2NwczAvBggrBgEFBQcCAjAjDCFodHRwczovL3d3dy50aGF3dGUuY29tL3JlcG9zaXRvcnkwDgYDVR0PAQH/BAQDAgWgMB8GA1UdIwQYMBaAFCuaNa4BGDgw4XB6BeARdqPOvZAUMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly90Zy5zeW1jYi5jb20vdGcuY3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBXBggrBgEFBQcBAQRLMEkwHwYIKwYBBQUHMAGGE2h0dHA6Ly90Zy5zeW1jZC5jb20wJgYIKwYBBQUHMAKGGmh0dHA6Ly90Zy5zeW1jYi5jb20vdGcuY3J0MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgDd6x0reg1PpiCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAAAVLIMQUYAAAEAwBHMEUCIQDw4Wpn51ujDWjQefvSO+c+nyE3RqkV6dw6XFENeA8pugIgIxMLVoe+r1/MvLT4j3A9n7VexNSTQi1av1iMMGhnh5IAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAVLIMQVLAAAEAwBHMEUCIQCBXz+esY2e3s4yN4gMKxHyg5aeB+5l8CN4/EG9PRDPIwIgb4nJn6xUKjEgLkSOOrfjejS+HbAHHOZrWs7cAgc774gAdgBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVLIMQVHAAAEAwBHMEUCIH5+Rt1+ohQPjiGesEqJomZv8/LnuFE7RCTi1daiXk8sAiEAqycC8AGehR5pBhWUpGlx3IOXzA2EKda90FLF2Koq9D0wDQYJKoZIhvcNAQELBQADggEBACPqESoobL82TMXdGGbGQoTu03Bk+9lL0uxOSzGP+TJnjrb4b7p4SvaM/z8XIKmgT3z3BP/wjyTN71BLVbamdLjcfHnNA6AYHE/sv91enmmCExsSN5YdJWttWO8kk7pa944dOJ1vhPBmd3uGyTX1LuFTPe0++yUJvfv0dwvL/f7VFqM8ZYTObf9BwQf7OedInr5qQaGHGenOFJStiNalotvmivBnzkrFT8xkK4f3tq73v5iT+CylMMLNho6OlLp4YNeUgglcmv2xv+HynkeWZeiIDtLsHceEdiOEP1FlkXT+BWJID2v4M4CQfAVIzBQ/iNo+Dm9SHcae02JwWSGxeSM=-----END CERTIFICATE----- 1 s:/C=US/O=thawte, Inc./CN=thawte SHA256 SSL CA   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3-----BEGIN CERTIFICATE-----MIIEwjCCA6qgAwIBAgIQNjSeGMmcJmm2Vi5s5a1xMjANBgkqhkiG9w0BAQsFADCBrjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNVBAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0xMzA1MjMwMDAwMDBaFw0yMzA1MjIyMzU5NTlaMEMxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwx0aGF3dGUsIEluYy4xHTAbBgNVBAMTFHRoYXd0ZSBTSEEyNTYgU1NMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo2Mr1LpdOK6wz7lMON8gffErR3Edi2jzVvmc2qrlhCbepXEwvPMxI53oO4DIZld1tlcO25P1Jo5wumRSZooqiFxEGE2oony9VmEykBL5NYdIYLBukGdEAY3nyQ1jaHJyq2M8hrgffa2IJadqiCn7WcZ4cV8suonm04D9V+y5UV9DMy5+JTukBNFgjLNEM5MMrSq2RKIZO6/EkG97BYeGmyxqnStsd8kAn8nPrO0+G/fD89n4bNSgV8T7KDKqM/Dmupjf5cJOnHS/ikjC8hvwd0BBBwSyOtVMxCmpEUA/AkbwkdXSgYOGE7Mx7UarqId2qZl9vM0xUPSltdylMrOLiwIDAQABo4IBRDCCAUAwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwQQYDVR0gBDowODA2BgpghkgBhvhFAQc2MCgwJgYIKwYBBQUHAgEWGmh0dHBzOi8vd3d3LnRoYXd0ZS5jb20vY3BzMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQQ0EtRzMuY3JsMA4GA1UdDwEB/wQEAwIBBjAqBgNVHREEIzAhpB8wHTEbMBkGA1UEAxMSVmVyaVNpZ25NUEtJLTItNDE1MB0GA1UdDgQWBBQrmjWuARg4MOFwegXgEXajzr2QFDAfBgNVHSMEGDAWgBStbKqUYJzt5P/6Pgp0K2MD97ZZvzANBgkqhkiG9w0BAQsFAAOCAQEAdKZW6K+Tlhn7JvkNsESlzel6SAN0AWwTcbfggpCZYiPj1pmv8McenqgYIdu0lD80VhuZVS+O8EUzMrdywRNbNNP1YOUuGNFcxWrBqodQDBydZCv/G9zVLmEL57m2kVOG2QMq0T17StorB74p8mBCqZEaDi480X2lExQC+u6LjbbIuD5WgVchJD9lw7TJzlyNRqxT8/lVdMgr/dJ4cPX4EeX0p60g9Z3x7HD2E6zmjI3bP8byeQ6rUvLMG3knzxaz1vPGNoBD7MWU8N2QjfjGUkZW63RHvqbzGa5xTMDh59TP7dQGKCoRPLrZQW4A54E3k+TaYsYdZ29jtBSG2aZi8A==-----END CERTIFICATE--------Server certificatesubject=/C=US/ST=Texas/L=San Antonio/O=Rackspace US, Inc/OU=Mailgun/CN=*.mailgun.comissuer=/C=US/O=thawte, Inc./CN=thawte SHA256 SSL CA---No client certificate CA names sentPeer signing digest: SHA512Server Temp Key: ECDH, P-256, 256 bits---SSL handshake has read 3342 bytes and written 434 bytes---New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256Server public key is 2048 bitSecure Renegotiation IS supportedCompression: NONEExpansion: NONENo ALPN negotiatedSSL-Session:    Protocol  : TLSv1.2    Cipher    : ECDHE-RSA-AES128-GCM-SHA256    Session-ID: E279B2FA33421D0A68D77E6405256671A7E0438D8F61C9A85FB67ABE40B07437    Session-ID-ctx:    Master-Key: 9A46CDBA8230B31F0AD744A49AEB97D44346DD26687689C5BF52A1F93BC4F0EFC4A8DFCD1F38DE35FF6007E4823ED0C7    Key-Arg   : None    PSK identity: None    PSK identity hint: None    SRP username: None    Start Time: 1493541740    Timeout   : 300 (sec)    Verify return code: 20 (unable to get local issuer certificate)---

 将输出内容保存为pem文件，这里我保存为名为mailgun.pem的文件。

 

二、将证书导入truststore文件

cp $JAVA_HOME/jre/lib/security/cacerts  trustore

本质上keyStore和strustStore文件格式上是一回事，keyStore存的一般是私钥，trustStore存放的是公钥。

 

导入证书（初始密码是changeit）：

keytool -import -alias gca -file mailgun.pem -keystore truststore

 导入成功会有提示。GOOD LUCK

 

三、参考

等