我使用openssl可執行文件在控制檯上創建了一個密鑰和一個csr。 然後我將csr發送給CA並拿回了證書。現在我想將它導入到tomcat中。tomcat不提供中間證書(https)
所以我創建了一個PKCS#12文件了我的鑰匙,我的證書:
openssl pkcs12 -export -in mycert.cert -inkey mykey.pem -out key_and_cert.p12
,然後創建一個包含它的密鑰庫:
keytool -importkeystore -deststorepass [password] -destkeystore keystore.jks -srckeystore key_and_cert.p12 -srcstoretype PKCS12 -srcstorepass [password]
然後我導入中級證書鏈。 CRT:
keytool -import -trustcacerts -alias root -file chain.crt -keystore keystore.jks
這裏的 「密鑰工具-keystore keystore.jks -list」 的輸出:
Keystore-Typ: JKS
Keystore-Provider: SUN
Ihr Keystore enthält 2 Einträge.
root, 14.11.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): [fingerprint]
1, 14.11.2011, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): [fingerprint]
將tomcat的server.xml包含:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" URIEncoding="UTF-8" compression="on"
sslProtocol="TLS"
keystoreFile="/[absolute-path]/keystore.jks"
keystorePass="[password]" />
當我重新啓動Tomcat,它記錄在catalina.out中沒有錯誤,一切都似乎是確定。 但是,當我使用Firefox,它報告
[domain] uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
運行 「的OpenSSL的s_client.First -connect [域]:443個-showcerts」 返回
CONNECTED(00000003)
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=DE/OU=Domain Control Validated/CN=[domain]
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
-----BEGIN CERTIFICATE-----
[certificate from mycert.cert]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/OU=Domain Control Validated/CN=[domain]
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 1777 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: [session-id]
Session-ID-ctx:
Master-Key: [master-key]
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1321268519
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
我認爲Tomcat不提供雖然中間證書知道它。我能做些什麼來讓tomcat提供它?
附加信息: 導入pkcs12證書時,沒有證書鏈錯誤,因爲-importkeystore命令不檢查鏈。我也嘗試先導入中間證書,然後調用-importkeystore。我得到了同樣的結果。
編輯:
$ openssl pkcs12 -export -CAfile chain.pem -in mycert.cert -inkey mykey.pem -out key_and_cert.p12 -name tomcat -chain
Error unable to get issuer certificate getting chain.
但鏈證書是確定的: 我只是在PKCS#12證書直接插入鏈,並得到以下錯誤嘗試另一種方式
$ openssl verify chain.pem
chain.pem: OK
您是否在您的連鎖PEM中擁有根CA? – njzk2
什麼讓你「openssl驗證-CAfile chain.pem mycert.cert」? – njzk2