Adding intermediate certificates to a pkcs12 file


Question

I have a certificate that has the following chain of certification: Entrust -> My CA -> My Issuing CA -> My JBoss Certificate. Now, if I install my certificate on my JBoss instance, any page I access running on this instance will appear untrusted, as My Issuing CA is not recognized by my browser. I know that my computer has the public key for the Entrust signing authority. How can I install my certificate so that any browser can see the entire certificate chain?

I made a single .pem file of all of the certificates, thinking that would work. It did not. Can anyone explain what I am doing wrong, or even if this is possible?

Recommended answer

Adding intermediate certificates to a pkcs12 file ...

Here's how I do it on my web and mail servers.

First, www-example-com.crt is the web server cert signed by Startcom. Startcom offers free Class 1 certificates trusted by most browsers and mobile devices, so I use them. The certificate is in PEM format (----- BEGIN CERT ----- and ----- END CERT -----).

Second, I open www-example-com.crt and append Startcom's Class 1 Intermediate. I get the intermediate from Startcom's Index of /certs. Now my www-example-com.crt has two PEM encoded certs in it.

Third, I perform the following to create a PKCS12/PFX file for use in IIS.

openssl pkcs12 -export -in www-example-com.crt -inkey www.example.key -out www-example-com.p12

In your case, your www-example-com.crt will have at least three PEM encoded certificates in it:

----- BEGIN CERT -----
< My JBoss Certificate >
----- END CERT -----

----- BEGIN CERT -----
< My Issuing CA >
----- END CERT -----

----- BEGIN CERT -----
< My CA >
----- END CERT -----

The third cert in the chain - My CA - is optional. You don't need it if your clients use My CA as a trust anchor. If your clients use Entrust as a trust anchor, then you will need to include it.

If you cat your www-example-com.crt and it does NOT have multiple certificates, then do not continue. Don't perform openssl pkcs12 until your server cert has all the intermediate certificates required to verify the chain.

Do not include the Entrust CA certificate.

I doubt Entrust signs with their CA directly. They probably use an intermediate, too. So your cert chain should probably look like:

----- BEGIN CERT -----
< My JBoss Certificate >
----- END CERT -----

----- BEGIN CERT -----
< My Issuing CA >
----- END CERT -----

----- BEGIN CERT -----
< My CA >
----- END CERT -----

----- BEGIN CERT -----
< Entrust Intermediate >
----- END CERT -----

Entrust provides their CA and Intermediate certificates at Entrust Root Certificates. I can't tell you which one you need because you won't provide a URL or show us the chain you have. But I'm guessing it's going to be one or more of:

  • Entrust L1E Chain Certificate
  • Entrust L1C Chain Certificate
  • Entrust L1E Chain Certificate (SHA2)
  • Entrust L1C Chain Certificate (SHA2)

You can test your chain with OpenSSL's `s_client`. This time, you will use Entrust's certificate:

echo -e "GET / HTTP/1.0\r\n" | openssl s_client -connect myserver:8443 \
                                       -CAfile entrust-ca.pem

You can get entrust-ca.pem from Entrust Root Certificates. Run it and tell us what errors you get. Or better, post the URL to your server so we can see what's going on.
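The answer's procedure (append the intermediates to the server cert, refuse to run openssl pkcs12 until the bundle holds more than one certificate, then verify the chain against the Entrust trust anchor) as a small POSIX shell script. This is an added example, not code from the answer above; the file names (bundle.crt, server.key, out.p12, entrust-root.pem) are placeholders, and the bundle is assumed to be in leaf-first order, exactly as the answer lays it out.

```shell
#!/bin/sh
# Added example, not code from the original answer. Pre-checks a PEM bundle
# (leaf first, then intermediates) before running the `openssl pkcs12 -export`
# step from the answer, then verifies the resulting chain against a root.
# All file names are placeholders; point them at your own certificate files.

# Count the PEM certificate blocks in a file; prints 0 for a missing file.
pem_cert_count() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Return 0 only if the bundle holds the leaf plus at least one intermediate,
# which is the answer's "do not continue" rule.
check_bundle_ready() {
  count=$(pem_cert_count "$1")
  if [ "$count" -lt 2 ]; then
    echo "refusing to package $1: found $count certificate(s), need leaf + intermediate(s)" >&2
    return 1
  fi
  return 0
}

# Print subject and issuer of every certificate in the bundle, in file order.
# In a well-formed chain the issuer of each entry is the subject of the next.
show_chain() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/part-" n ".pem")}' "$1"
  for part in "$dir"/part-*.pem; do
    openssl x509 -in "$part" -noout -subject -issuer
  done
  rm -rf "$dir"
}

# Build the PKCS12 file exactly as in the answer, but only after the check.
# Usage: build_p12 bundle.crt server.key out.p12
build_p12() {
  check_bundle_ready "$1" || return 1
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3"
}

# Verify the leaf against a trust anchor, using the bundle as the source of
# untrusted intermediates (the same walk a browser performs). The root itself
# stays out of the bundle and is supplied only here, as the answer advises.
# Usage: verify_chain bundle.crt entrust-root.pem
verify_chain() {
  leaf=$(mktemp)
  openssl x509 -in "$1" -out "$leaf"   # x509 reads only the first (leaf) cert
  openssl verify -CAfile "$2" -untrusted "$1" "$leaf"
  status=$?
  rm -f "$leaf"
  return $status
}

# Usage: sh chain-check.sh bundle.crt server.key out.p12
if [ "$#" -ge 3 ]; then
  show_chain "$1"
  build_p12 "$1" "$2" "$3"
fi
```

Run verify_chain after building the file; if it fails, the bundle is missing an intermediate or the certificates are in the wrong order, and the s_client test in the answer will fail for the same reason.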
