This certificate has an invalid issuer keychain

Views: 136

Question


I do have a private key (my_ca.key) and a public key (my_cert.crt) which is signed by DigiCert. Now I want to generate an SSL certificate (version 3) and sign it with my private key. Here is the way I tried to do that. But when I export it into the keychain (Mac OS X), I keep getting an error like this: "This certificate has an invalid issuer keychain". No idea how to solve this. Here my_cert.crt is extended from DigiCert High Assurance CA-3, and that one is extended from DigiCert High Assurance EV Root CA. I also added DigiCert High Assurance CA-3 and DigiCert High Assurance EV Root CA into the keychain. It shows my_cert.crt is valid. How would I be getting this kind of error?

######### Initialization

# Subject for the new server certificate; CN is the hostname clients will connect to
SSL_SUBJ="/C=LK/ST=Colombo/L=Colombo/O=wso2/OU=laptop/CN=mdm.go.com"

########SSL Certificate

echo "\nGenerating SSL Certificate >>>>>> START"

# New 4096-bit RSA key and a CSR for the server certificate
openssl genrsa -out ia.key 4096
openssl req -new -key ia.key -out ia.csr -subj "$SSL_SUBJ"
# Sign the CSR using the DigiCert-issued certificate and its key (my_cert.pem / my_ca.pem) as the issuer
openssl x509 -req -days 365 -in ia.csr -CA my_cert.pem -CAkey my_ca.pem -set_serial 765644787 -out ia.crt -extensions v3_ca -extfile ./openssl.cnf

echo "\nGenerating SSL Certificate >>>>>> END \n"

# Bundle key, certificate and issuer certificate into a PKCS#12 file for import into the keychain
openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -CAfile my_cert.pem -name sslcert -passout pass:password


Note: I added a custom entry in /etc/hosts mapping the IP address to the SSL certificate's CN, and for testing the server and client are on the same machine.

Answer


Normally all X.509 certificates in a certificate chain except the last one are CA certificates. The first certificate in the chain is called the root CA (in your case DigiCert High Assurance EV Root CA), then the other CA certificates in the issuer chain (if any) are intermediate CAs, and the last one is the End Entity (not a CA). I don't think you can issue a new SSL certificate from a non-CA certificate. So you can use my_cert.crt signed by DigiCert as an SSL certificate, but you cannot issue your own using my_ca.key.
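The point the answer makes can be checked locally before any signing is attempted. The following POSIX shell script is an added example, not code from the question or the answer; it assumes only the openssl CLI. It builds a constructed test PKI (root, a CA:TRUE intermediate, a CA:FALSE leaf, all names invented), then shows that a server certificate signed by the leaf is accepted by `openssl x509 -req` but rejected by chain validation, exactly the "invalid issuer" situation, while the same certificate issued by the intermediate validates. `can_issue` is the basicConstraints check to run on any certificate you intend to sign with.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Assumes the openssl CLI.
# All certificates and names below are constructed for the demonstration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
SERIAL=1
# Minimal openssl config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' > req.cnf

# Return 0 only if the certificate carries basicConstraints CA:TRUE, i.e. it may act
# as an issuer. End-entity certificates say CA:FALSE or omit the extension entirely.
can_issue() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# issue NAME CN ISSUER CA:TRUE|CA:FALSE -> NAME.key and NAME.crt signed with ISSUER.key
issue() {
    openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
    printf 'basicConstraints = critical,%s\n' "$4" > "$1.ext"
    openssl x509 -req -days 30 -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
        -set_serial "$SERIAL" -extfile "$1.ext" -out "$1.crt" 2>/dev/null
    SERIAL=$((SERIAL + 1))
}

# verify_chain CERT UNTRUSTED_INTERMEDIATE TRUSTED_ROOT -> openssl's verdict as exit status
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Constructed PKI: self-signed root (CA:TRUE), intermediate (CA:TRUE), leaf (CA:FALSE).
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 30 -keyout root.key \
    -out root.crt -subj "/CN=Example Test Root" 2>/dev/null
issue inter "Example Test Intermediate" root CA:TRUE
issue leaf  "leaf.example.test"         root CA:FALSE

# The mistake from the question: the end-entity leaf is used as issuer of a server cert.
# openssl x509 signs it regardless; only chain validation rejects it (invalid CA certificate).
issue bad  "mdm.example.test" leaf  CA:FALSE
# The correct shape: the server cert is issued by a CA:TRUE intermediate.
issue good "mdm.example.test" inter CA:FALSE

for c in root.crt inter.crt leaf.crt; do
    if can_issue "$c"; then echo "$c: CA:TRUE, may issue"; else echo "$c: not a CA, must not issue"; fi
done
verify_chain good.crt inter.crt root.crt && echo "good.crt via inter.crt: OK"
verify_chain bad.crt leaf.crt root.crt || echo "bad.crt via leaf.crt: rejected, issuer is not a CA"
```

The macOS keychain applies the same basicConstraints rule when it builds the chain, which is why a certificate signed with an end-entity key is reported as having an invalid issuer even though that end-entity certificate itself validates.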
