Chained Client Certificates


Problem description

I would like to use SSL client certificates to authenticate users connecting to tomcat6/7. I've got tomcat configured correctly, and certificates I sign with the cert in the truststore I gave to tomcat are authenticating successfully from both IE and Firefox.

I would also like to chain client certificates, because I want to give customers the ability to manage their own users. I could accomplish this by issuing a customer an intermediate management CA certificate that they would use to sign additional user certs. I would need the user's browser to send the user certificate, chained with the management CA (signed by my root certificate), to authenticate.

I am using openssl, and I have created a root CA and an intermediate CA, and I have used the intermediate CA to sign a leaf certificate. I have converted all three certificates to pkcs12 and pem, and used keytool to import the root certificate into a truststore for tomcat. openssl verify will verify the leaf pkcs12 against the intermediate certificate (and the intermediate verifies against the root). But I cannot get the leaf certificate (pkcs12) to verify against the root certificate (pkcs12). I also cannot get either IE or Firefox to authenticate using the leaf certificate. IE will prompt me for the certificate, but fails to authenticate (there is no mention of the connection or failure in tomcat's log). Firefox does not prompt for the leaf certificate; it simply fails to authenticate.

Here is how I try to verify the leaf against the root using openssl:

openssl verify -CAfile ..\root\Root.pem Leaf.pem

Here are the scripts I am using to generate the three certificates:

root.bat:

set name=Root
set keyPassword=dummypassword
set trustPassword=dummypassword
rem Self-signed root; the v3_ca section of GenerateCertificate.cfg marks it CA:true
openssl genrsa -des3 -passout pass:%keyPassword% -out %name%.key 4096
openssl req -new -key %name%.key -passin pass:%keyPassword% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
openssl x509 -req -days 3650 -in %name%.csr -signkey %name%.key -passin pass:%keyPassword% -extfile GenerateCertificate.cfg -extensions v3_ca -out %name%.crt
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%keyPassword% -passout pass:%keyPassword% -out %name%.pkcs12
rem Truststore handed to tomcat; it holds only the root certificate
keytool -noprompt -import -file %name%.crt -alias %name% -keystore %name%.truststore -deststorepass %trustPassword%
keytool -list -v -keystore %name%.truststore -storepass %trustPassword% > %name%.truststore.dump.txt
keytool -exportcert -alias %name% -keystore %name%.truststore -storetype jks -storepass %trustPassword% -rfc -file %name%.truststore.pem
rem Unencrypted PEM copy (key plus certificate) used with openssl verify
openssl pkcs12 -in %name%.pkcs12 -out %name%.pem -nodes -passin pass:%keyPassword%

intermediate.bat:

set name=Intermediate
set password=dummypassword
set caDir=../root
set caName=Root
set caPassword=dummypassword
openssl genrsa -des3 -passout pass:%password% -out %name%.key 2048
openssl req -new -key %name%.key -passin pass:%password% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
rem Signed with the root key; v3_ca gives the intermediate CA:true so it may sign user certs
openssl x509 -req -days 3650 -in %name%.csr -CA %caDir%/%caName%.crt -CAkey %caDir%/%caName%.key -passin pass:%caPassword% -set_serial 1 -extfile GenerateCertificate.cfg -extensions v3_ca -out %name%.crt
rem -chain bundles the root certificate into the pkcs12 alongside the intermediate
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%password% -passout pass:%password% -chain -CAfile %caDir%/%caName%.crt -out %name%.pkcs12
openssl pkcs12 -in %name%.pkcs12 -out %name%.pem -nodes -passin pass:%password%

leaf.bat:

set name=Leaf
set password=dummypassword
set caDir=../intermediate
set caName=Intermediate
set caPassword=dummypassword
openssl genrsa -des3 -passout pass:%password% -out %name%.key 2048
openssl req -new -key %name%.key -passin pass:%password% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
rem User certificate signed with the intermediate key; no CA extensions on purpose
openssl x509 -req -days 3650 -in %name%.csr -CA %caDir%/%caName%.crt -CAkey %caDir%/%caName%.key -passin pass:%caPassword% -set_serial 1 -out %name%.crt
rem -chain pulls the intermediate (and root) from Intermediate.pem into the pkcs12 so the browser can present them with the leaf
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%password% -passout pass:%password% -chain -CAfile %caDir%/%caName%.pem -out %name%.pkcs12
openssl pkcs12 -in %name%.pkcs12 -out %name%.pem -nodes -passin pass:%password%

GenerateCertificate.cfg:

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true,pathlen:3

Recommended answer

The problem was that the root and intermediate certificates were not created as CA certificates.

To create them as CA certificates, I added

-extfile GenerateCertificate.cfg -extensions v3_ca

to their creation scripts, and added the GenerateCertificate.cfg file to my working directories (which contained the cert creation batch files).

I have edited my original post to reflect these changes.
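The chain the question builds and the fix the answer describes, as an added example in Go that is not part of the original post and not the asker's batch scripts: it builds a Root -> Intermediate -> Leaf chain in memory with the standard crypto/x509 package, then verifies the leaf the way a server whose truststore holds only the root would. The names (CertPair, BuildChain, VerifyLeaf, the subject names and serial numbers) are hypothetical. It covers both failure modes from the thread: the intermediate created without basicConstraints CA:true is rejected as an issuer, and the leaf checked against the root alone (the question's openssl verify attempt) cannot chain at all.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertPair bundles a parsed certificate with its private key.
// Hypothetical type; it stands in for the .crt/.key pairs the batch scripts write.
type CertPair struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// newTemplate mirrors the question's subjects. isCA sets basicConstraints
// CA:true, the extension the answer says the root and intermediate lacked.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Country: []string{"US"}, Organization: []string{"None"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(3650 * 24 * time.Hour), // -days 3650 in the scripts
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue generates a fresh RSA key for tmpl and signs the certificate with
// parent's key; a nil parent produces a self-signed certificate.
func issue(tmpl *x509.Certificate, parent *CertPair) (*CertPair, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CertPair{Cert: cert, Key: key}, nil
}

// BuildChain creates Root -> Intermediate -> Leaf. intermediateIsCA=false
// reproduces the broken state from the question (intermediate without CA:true).
func BuildChain(intermediateIsCA bool) (root, inter, leaf *CertPair, err error) {
	if root, err = issue(newTemplate("Root", 1, true), nil); err != nil {
		return
	}
	if inter, err = issue(newTemplate("Intermediate", 2, intermediateIsCA), root); err != nil {
		return
	}
	leaf, err = issue(newTemplate("Leaf", 3, false), inter)
	return
}

// VerifyLeaf checks the leaf as a server whose truststore holds only the root.
// sendIntermediate models whether the client presented the intermediate too.
func VerifyLeaf(root, inter, leaf *CertPair, sendIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(root.Cert)
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if sendIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(inter.Cert)
	}
	_, err := leaf.Cert.Verify(opts)
	return err
}

func main() {
	root, inter, leaf, err := BuildChain(true)
	if err != nil {
		panic(err)
	}
	fmt.Println("CA intermediate, chain sent:   ", VerifyLeaf(root, inter, leaf, true))
	fmt.Println("CA intermediate, root only:    ", VerifyLeaf(root, inter, leaf, false))
	if root, inter, leaf, err = BuildChain(false); err != nil {
		panic(err)
	}
	fmt.Println("non-CA intermediate, chain sent:", VerifyLeaf(root, inter, leaf, true))
}
```

Only the first case verifies. Go reports the other two as "certificate signed by unknown authority"; for the non-CA intermediate the message adds a hint that the candidate parent certificate is not allowed to sign. The openssl equivalent of the passing case, which supplies the intermediate separately instead of expecting the root alone to validate the leaf, is `openssl verify -CAfile Root.crt -untrusted Intermediate.crt Leaf.crt`.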

