How to configure SSL in Jetty with a CA-signed certificate properly?
Problem description
I am trying to secure my eXist-db app, which means the only port I want to leave open should be 8443 (for using WebDAV and the admin app). This is the basic secure port eXist-db has had open since the installation. It uses a self-signed certificate. I have no problem replacing the default certificate with a new one, but the problem is I am not able to do that with a CA-signed certificate.
I tried:
- sudo rm eXist-db/tools/jetty/etc/keystore
- cat ServerCertificate.crt Alpiro-TrustProvider-IntermediateCA.crt Root.cer > cert-chain.txt
- I cleaned up the bad line endings and made sure each certificate starts on a new line.
- openssl pkcs12 -export -inkey my-app.key -in cert-chain.txt -out my-app.pkcs12
- keytool -importkeystore -srckeystore my-app.pkcs12 -srcstoretype PKCS12 -destkeystore eXist-db/tools/jetty/etc/keystore
After a restart, I checked the connection with: openssl s_client -connect xx.xx.xxx.xxx:8443
and everything seems fine. I can see my trusted certificate is there and the connection (handshake) simply works. However, browsers still claim it is not a trusted connection.
When I try to check something over https via XQuery, it throws:
java.security.cert.CertificateException: No subject alternative names matching IP address xx.xx.xxx.xxx found …
Recommended answer
The solution is quite trivial. The problem was I had been trying to access the site via IP, not via the fully qualified domain name. Certificates are associated with domain names, not IPs!
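To make the answer concrete, here is an added example (not code from the question or the answer) that reproduces the hostname check a TLS client runs against a certificate's subjectAltName, the step that produced the CertificateException above. The certificates are constructed samples in the dict shape Python's ssl.getpeercert() returns; the domain and IP values are placeholders.

```python
import ipaddress

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
# A typical CA-issued server certificate lists only the FQDN in its SAN:
FQDN_CERT = {"subjectAltName": (("DNS", "db.example.org"), ("DNS", "www.example.org"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.org"),)}
# Only a certificate that carries an IP entry in its SAN is valid for an IP literal:
IP_CERT = {"subjectAltName": (("DNS", "db.example.org"), ("IP Address", "203.0.113.10"))}


def _dns_match(pattern, hostname):
    """dNSName match: case-insensitive; a wildcard is accepted only as the whole
    leftmost label and covers exactly one label ('*.example.org' does not cover
    'a.b.example.org')."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, target):
    """Return None when `cert` is valid for `target`, otherwise the reason it is not.
    An IP literal is compared only against 'IP Address' SAN entries and a DNS name
    only against 'DNS' entries; the subject commonName is not consulted, which is
    what current browsers, Python's ssl module and Java's verifier do once a SAN
    extension is present."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        if any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans):
            return None
        return f"No subject alternative names matching IP address {target} found"
    dns_names = [v for k, v in sans if k == "DNS"]
    if any(_dns_match(name, target) for name in dns_names):
        return None
    return f"hostname {target!r} doesn't match any of {dns_names}"


if __name__ == "__main__":
    # The question's situation: the same certificate reached by IP and by its FQDN.
    for target in ("203.0.113.10", "db.example.org"):
        print(f"{target:>16}: {match_hostname(FQDN_CERT, target) or 'OK'}")
```

Run it and the IP target fails with the same message the question quotes while the FQDN passes, which is why reissuing the certificate was never needed.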