Adding a certificate chain to a p12 (pfx) certificate

I have a Java and CXF application that connects to web services with a client certificate.

I received the certificates from the web service owner:

  • certificate
  • certificate
  • certificate.crt
  • Trusted_ca.cer
  • root_ca.cer

I have had problems converting this p12 certificate directly into the valid JKS keystore that Java requires.

I do this:

keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore certificate1.jks -deststoretype JKS -storepass secret

keytool -import -alias root -file root_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret

keytool -import -alias trusted -file trusted_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret

But this JKS does not work: when I use this certificate I get the HTTP response '403: Forbidden'.

However, if I import this p12 (pfx) certificate into Internet Explorer, then export it from IE in pfx format with the "Include all certificates in the certification path" checkbox checked, and use:

keytool -importkeystore -srckeystore certificate.pfx -srcstoretype PKCS12 -destkeystore certificate2.jks -deststoretype JKS -storepass secret

keytool -import -alias root -file root_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret

keytool -import -alias trusted -file trusted_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret

then everything works and I can connect to the web service with certificate2.jks.

I found that the original certificate.p12 (pfx) contains only one entry (certificate chain length: 1):

keytool -list -keystore certificate.p12 -storepass secret -storetype PKCS12 -v

*******************************************
*******************************************

Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=MyCompany, EMAILADDRESS=my.email@domain.com, O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
    MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    Signature algorithm name: SHA1withRSA
    Version: 3

Extensions:

#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

...

*******************************************
*******************************************

The certificate.pfx exported from IE with "Include all certificates in the certification path" contains a certificate chain with the second, trusted CA certificate (certificate chain length: 2):

keytool -list -keystore certificate.pfx -storepass secret -storetype PKCS12 -v

*******************************************
*******************************************

Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=MyCompany, EMAILADDRESS=my.email@domain.com, O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
    MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    Signature algorithm name: SHA1withRSA
    Version: 3

Extensions:

#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

...

Certificate[2]:
Owner: CN=Trusted CA, O=ble ble ble, C=PL
Issuer: CN=ROOT CA, O=ble ble ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
    MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    Signature algorithm name: SHA1withRSA
    Version: 3

Extensions:

*******************************************
*******************************************

So, to solve my problem, I need a p12 certificate that carries the chain of trusted CA certificates. I can get one by importing the p12 into IE and then exporting it back with "Include all certificates in the certification path".

How can I do this without IE, with keytool or some other tool?

巴里

Answer:

Answering my own question.

I figured out how to do it with OpenSSL:

openssl pkcs12 -in certificate.p12 -out clientcert.pem -nodes -clcerts

openssl x509 -in trusted_ca.cer -inform DER -out trusted_ca.pem

openssl x509 -in root_ca.cer -inform DER -out root_ca.pem

cat clientcert.pem trusted_ca.pem root_ca.pem >> clientcertchain.pem

openssl pkcs12 -export -in clientcertchain.pem -out clientcertchain.pfx
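As an added example, not code from the original question or answer: the whole procedure as a runnable script. A throwaway PKI (ROOT CA, an intermediate named Trusted CA, and a MyCompany client certificate) is generated in place as a constructed stand-in for root_ca.cer, trusted_ca.cer and the vendor-supplied certificate.p12; the answer's steps are then applied to it, and two checks confirm that the rebuilt pfx carries three certificates and that the client certificate verifies up to the root using only the CA certificates inside the pfx. It assumes only the openssl command line (1.1.1 or 3.x); the helper names (make_test_pki, make_vendor_p12, add_chain_to_p12, p12_cert_count, p12_chain_verifies) and file names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. A throwaway PKI
# (ROOT CA -> Trusted CA -> MyCompany) stands in for root_ca.cer,
# trusted_ca.cer and the vendor-supplied certificate.p12; the helper names
# are mine. Needs only the openssl command line (1.1.1 or 3.x).
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS=secret   # keystore password used in the original commands

# Constructed test PKI. Everything is signed with 'openssl x509 -req' and an
# explicit extension file, so no section of openssl.cnf is relied on.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

  openssl req -new -newkey rsa:2048 -nodes -subj "/C=PL/O=ble ble ble/CN=ROOT CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/root_ca.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -subj "/C=PL/O=ble ble ble/CN=Trusted CA" \
    -keyout "$WORK/trusted.key" -out "$WORK/trusted.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/trusted.csr" -CA "$WORK/root_ca.pem" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 365 -extfile "$WORK/ca.ext" -out "$WORK/trusted_ca.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=PL/O=bla/emailAddress=my.email@domain.com/CN=MyCompany" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/trusted_ca.pem" -CAkey "$WORK/trusted.key" \
    -set_serial 3 -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

  # DER copies: the .cer form in which the question received the CA certificates
  openssl x509 -in "$WORK/root_ca.pem" -outform DER -out "$WORK/root_ca.cer"
  openssl x509 -in "$WORK/trusted_ca.pem" -outform DER -out "$WORK/trusted_ca.cer"
}

# The vendor-style p12: private key + leaf only, i.e. "Certificate chain length: 1".
make_vendor_p12() {
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" -name alias \
    -out "$WORK/certificate.p12" -passout "pass:$PASS"
}

# The answer's fix: unpack key + leaf, convert the DER CA files to PEM, concatenate
# leaf + intermediate + root, and export the lot as a single PKCS#12 again.
add_chain_to_p12() {
  openssl pkcs12 -in "$WORK/certificate.p12" -passin "pass:$PASS" -nodes -clcerts \
    -out "$WORK/clientcert.pem"          # -nodes: the private key is now on disk in clear
  openssl x509 -in "$WORK/trusted_ca.cer" -inform DER -out "$WORK/trusted_ca_conv.pem"
  openssl x509 -in "$WORK/root_ca.cer" -inform DER -out "$WORK/root_ca_conv.pem"
  cat "$WORK/clientcert.pem" "$WORK/trusted_ca_conv.pem" "$WORK/root_ca_conv.pem" \
    > "$WORK/clientcertchain.pem"        # '>' rather than '>>': never append to a stale file
  openssl pkcs12 -export -in "$WORK/clientcertchain.pem" -name alias \
    -out "$WORK/clientcertchain.pfx" -passout "pass:$PASS"
  rm -f "$WORK/clientcert.pem" "$WORK/clientcertchain.pem"   # drop the plaintext key
}

# How many certificates a PKCS#12 file carries (all certificate bags, -nokeys).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Does the client certificate inside the PKCS#12 chain to our root using only the
# CA certificates carried in the same file? Prints OK or FAIL.
# -clcerts = the bag carrying a localKeyID (the key's own cert); -cacerts = the rest.
p12_chain_verifies() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$WORK/v_leaf.pem"
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -cacerts 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$WORK/v_cas.pem"
  if openssl verify -CAfile "$WORK/root_ca.pem" -untrusted "$WORK/v_cas.pem" \
       "$WORK/v_leaf.pem" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

make_test_pki
make_vendor_p12
add_chain_to_p12
echo "certificates in vendor p12:   $(p12_cert_count "$WORK/certificate.p12")"        # 1
echo "certificates in rebuilt pfx:  $(p12_cert_count "$WORK/clientcertchain.pfx")"    # 3
echo "rebuilt pfx chain verifies:   $(p12_chain_verifies "$WORK/clientcertchain.pfx")" # OK
# The question's keytool check on the rebuilt file, if a JDK happens to be installed:
if command -v keytool >/dev/null 2>&1; then
  keytool -list -v -keystore "$WORK/clientcertchain.pfx" -storetype PKCS12 -storepass "$PASS" 2>/dev/null \
    | grep 'Certificate chain length' || echo "keytool could not read the pfx (see note below)"
fi
```

Points a practitioner will want to check before running this against real files. The question's first attempt failed because keytool -import with a new alias creates a separate TrustedCertEntry; it does not attach the CA certificate to the chain of the existing PrivateKeyEntry, and a Java client only sends the certificates stored in that entry's chain during the TLS handshake, so the server saw the leaf alone. The -inform DER step fails if a .cer file is actually PEM (it starts with -----BEGIN CERTIFICATE-----); drop -inform DER for such a file. -nodes writes the private key to disk unencrypted, which is why the intermediate PEM files are removed afterwards. On OpenSSL 3.x, reading a vendor p12 that was encrypted with the old RC2-40 scheme needs the -legacy option, and an old JDK may refuse the AES/SHA-256 defaults that OpenSSL 3.x uses on export; in that case export with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1. Finally, a current keytool reads the rebuilt .pfx directly as a PKCS12 keystore (keytool -list -v -keystore clientcertchain.pfx -storetype PKCS12 -storepass secret should report Certificate chain length: 3), so the conversion to JKS from the question is no longer needed.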

The above is the full content of "Adding a certificate chain to a p12 (pfx) certificate". Source: utcz.com/qa/428806.html