
Java - PKCS11 and MSKeyStore

Updated: 2023-09-13 23:38:46


In Java key stores, the alias of the key and certificate should be linked. Basically, a private key entry is a private key + certificate chain. So the certificate should always have come from the key store. Whether the certificate came from the actual token is up to the implementation of the key store, of course. The only way of checking if they were actually from the token is to retrieve them using a different method (e.g. reading the bytes of the certificate directly from the token). There is no link back to the storage device for certificates, if that is what you are after.


Of course, it does make sense to check the full chain of certificates up to the root certificate. If the root certificate does not change often, you might consider storing the certificate or a hash over the root certificate in a resource delivered with your application, or distributing it in the standard Java key store.
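The check the answer describes, as an added example that is not part of the original answer: pull the chain behind an alias from a Windows-MY (MSKeyStore) or PKCS11 key store, confirm the root shipped with the application matches a pinned SHA-256 fingerprint, then validate the chain with PKIX using only that root as trust anchor. The fingerprint constant, the `root.cer` resource path and the alias taken from `args[0]` are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;

public class KeyStoreChainCheck {

    // Placeholder (assumption): hex SHA-256 of the root CA certificate shipped with the application.
    static final String PINNED_ROOT_SHA256 = "<hex sha-256 of the trusted root certificate>";

    /** Returns the chain stored behind the alias exactly as the key store presents it (end-entity first). */
    static X509Certificate[] chainFor(KeyStore ks, String alias) throws Exception {
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null) throw new IllegalStateException("no private key entry for alias " + alias);
        return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
    }

    static String sha256Hex(Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Validates the chain against the pinned root only, deliberately ignoring the platform trust store. */
    static void validateAgainstPinnedRoot(X509Certificate[] chain, X509Certificate pinnedRoot) throws Exception {
        if (!sha256Hex(pinnedRoot).equals(PINNED_ROOT_SHA256))
            throw new SecurityException("shipped root does not match the pinned fingerprint");
        // If the key store included the root itself, drop it: the trust anchor is supplied separately.
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        if (path.get(path.size() - 1).equals(pinnedRoot)) path.remove(path.size() - 1);
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(pinnedRoot, null)));
        params.setRevocationEnabled(false); // assumption: revocation checking is handled elsewhere
        // Throws CertPathValidatorException if the chain does not lead to the pinned root.
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }

    public static void main(String[] args) throws Exception {
        // "Windows-MY" is the MSKeyStore type; for a token use KeyStore.getInstance("PKCS11", provider)
        // with a configured SunPKCS11 provider instead.
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);
        X509Certificate[] chain = chainFor(ks, args[0]);
        try (FileInputStream in = new FileInputStream("root.cer")) { // assumption: root shipped as a resource
            X509Certificate root = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            validateAgainstPinnedRoot(chain, root);
        }
        System.out.println("chain for " + args[0] + " validates to the pinned root");
    }
}
```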