Tomcat does not serve the intermediate certificate (HTTPS)

I created a key and a CSR on the console using the openssl executable. Then I sent the CSR to the CA and obtained the certificate. Now I want to import it into Tomcat.

So I created a PKCS#12 file from the key and the certificate:

openssl pkcs12 -export -in mycert.cert -inkey mykey.pem -out key_and_cert.p12

Then I created a keystore containing it:

keytool -importkeystore -deststorepass [password] -destkeystore keystore.jks -srckeystore key_and_cert.p12 -srcstoretype PKCS12 -srcstorepass [password]

Then I imported the intermediate certificate chain.crt:

keytool -import -trustcacerts -alias root -file chain.crt -keystore keystore.jks

Here is the output of "keytool -keystore keystore.jks -list":

Keystore-Typ: JKS
Keystore-Provider: SUN

Ihr Keystore enthält 2 Einträge.

root, 14.11.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): [fingerprint]
1, 14.11.2011, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): [fingerprint]

The Tomcat server.xml contains:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" URIEncoding="UTF-8" compression="on"
           sslProtocol="TLS"
           keystoreFile="/[absolute-path]/keystore.jks"
           keystorePass="[password]" />

When I restart Tomcat it logs no errors in catalina.out and everything seems fine. But when I open the site in Firefox, it reports

[domain] uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)

Running "openssl s_client -connect [domain]:443 -showcerts" returns

CONNECTED(00000003)
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/OU=Domain Control Validated/CN=[domain]
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
-----BEGIN CERTIFICATE-----
[certificate from mycert.cert]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/OU=Domain Control Validated/CN=[domain]
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 1777 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: [session-id]
    Session-ID-ctx:
    Master-Key: [master-key]
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1321268519
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

I think Tomcat is not delivering the intermediate certificate, even though it knows about it. What do I have to do to make Tomcat deliver it?

Additional information: when importing the PKCS#12 certificate there was no certificate chain error, because the -importkeystore command does not check the chain. I also tried importing the intermediate certificate first and calling -importkeystore afterwards. I got the same result.

Edit: I just tried another approach by putting the chain directly into the PKCS#12 certificate, and got the following error:

$ openssl pkcs12 -export -CAfile chain.pem -in mycert.cert -inkey mykey.pem -out key_and_cert.p12 -name tomcat -chain
Error unable to get issuer certificate getting chain.

But the chain certificate is OK:

$ openssl verify chain.pem
chain.pem: OK

Answer:

Finally, I got it working. It is not a clean solution, but it works. I added the intermediate certificate to the local /etc/ssl/certs and then called

openssl pkcs12 -export -in cert.pem -inkey key.key -out key_and_cert.p12 -chain

I converted the resulting PKCS#12 certificate to JKS with

keytool -importkeystore -deststorepass [password] -destkeystore keystore.jks -srckeystore key_and_cert.p12 -srcstoretype PKCS12 -srcstorepass [password]

The resulting file now seems to work correctly, and Tomcat also delivers the certificate chain to clients that do not have the intermediate certificate in their /etc/ssl/certs directory. But I think there must also be a way that does not change /etc/ssl/certs.
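The reason the trustedCertEntry in the question never reaches clients is that Tomcat's JSSE connector sends only the chain attached to the PrivateKeyEntry; keytool -importkeystore copies exactly the certificates the PKCS#12 carries, so the chain has to be inside the PKCS#12 before conversion. The script below is an added example (not part of the original question or answer) of the "without changing /etc/ssl/certs" route the answer asks about: it builds a throwaway root/intermediate/leaf PKI with openssl, packages key + leaf + intermediate with the openssl pkcs12 -certfile option (which appends certificates without verifying them), checks that the PKCS#12 really holds two certificates, verifies the leaf against the root through the intermediate, and reproduces the "unable to get issuer certificate getting chain" failure from the question, which comes from -chain needing a verified path to a self-signed root while -CAfile replaces the default trust store. All names, file paths and the password are constructed for the demo; the keytool step at the end runs only when a JDK is installed.

```shell
#!/bin/sh
# Added example: build a test PKI, package the chain into a PKCS#12 with
# -certfile, and check the result. Everything here is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
PASS=changeit   # constructed demo password, not a real one

# Minimal OpenSSL config: CA extensions for root/intermediate, server extensions for the leaf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:tomcat.example.test
EOF

make_test_pki() {
    # Self-signed root: stands in for the CA root that normally lives in the trust store.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -days 30 -subj "/CN=Example Test Root CA" -config ca.cnf -extensions v3_ca 2>/dev/null
    # Intermediate signed by the root: plays the role of the asker's chain.crt.
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Example Test Intermediate CA" -config ca.cnf 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out inter.pem -days 30 -extfile ca.cnf -extensions v3_ca 2>/dev/null
    # Server (leaf) certificate signed by the intermediate: plays the role of mycert.cert.
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=tomcat.example.test" -config ca.cnf 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -out leaf.pem -days 30 -extfile ca.cnf -extensions v3_leaf 2>/dev/null
}

build_p12_with_certfile() {
    # -certfile appends the intermediate to the PKCS#12 without any verification,
    # so nothing in /etc/ssl/certs has to change. keytool -importkeystore later
    # copies this whole chain into the PrivateKeyEntry.
    openssl pkcs12 -export -in leaf.pem -inkey leaf.key -certfile inter.pem \
        -name tomcat -out key_and_cert.p12 -passout "pass:$PASS"
}

count_p12_certs() {
    # Number of certificates stored in the PKCS#12; expect 2 (leaf + intermediate).
    openssl pkcs12 -in key_and_cert.p12 -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

verify_leaf_chain() {
    # The check a browser performs: leaf -> intermediate -> trusted root.
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null
}

chain_without_root_fails() {
    # Reproduces the question's "unable to get issuer certificate getting chain":
    # -chain builds a verified path up to a self-signed root, and -CAfile replaces
    # the default trust store, so an intermediate-only file cannot complete the path.
    if openssl pkcs12 -export -in leaf.pem -inkey leaf.key -chain -CAfile inter.pem \
        -out should_fail.p12 -passout "pass:$PASS" 2>/dev/null; then
        return 1
    fi
    return 0
}

make_test_pki
build_p12_with_certfile
echo "certificates in PKCS#12: $(count_p12_certs)"
verify_leaf_chain && echo "leaf verifies against the root via the intermediate"
chain_without_root_fails && echo "-chain with an intermediate-only -CAfile fails, as in the question"

# Optional: convert to a Java keystore the way the answer does and show the chain length.
if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -deststorepass "$PASS" -destkeystore keystore.jks \
        -srckeystore key_and_cert.p12 -srcstoretype PKCS12 -srcstorepass "$PASS" >/dev/null 2>&1
    keytool -list -v -keystore keystore.jks -storepass "$PASS" 2>/dev/null | grep 'Certificate chain length'
fi
```

After pointing the connector's keystoreFile at a keystore built this way, "openssl s_client -connect host:443 -showcerts" should list two entries under "Certificate chain" (the leaf at 0 and the intermediate at 1) instead of the single depth=0 entry shown in the question, and the verify return code becomes 0 on a client that trusts the root. If the CA hands out several intermediates, concatenate them into the file given to -certfile, leaf-side first.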

Source: utcz.com/qa/407324.html
