Adding intermediate certificates to a pkcs12 file


Problem description


I have a certificate that has the following chain of certification: Entrust->My CA->My Issuing CA->My JBoss Certificate. Now, if I install my certificate on my JBoss instance, any page I access running on this instance will appear untrusted as My Issuing CA is not recognized by my browser. I know that my computer has the public key for the Entrust signing authority. How can I install my certificate so that any browser can see the entire certificate chain?

I made a single .pem file of all of the certificates thinking that would work. It did not. Can anyone explain what I am doing wrong or even if this is possible?

Solution

Adding intermediate certificates to a pkcs12 file ...

Here's how I do it on my web and mail servers.

First, www-example-com.crt is the web server cert signed by Startcom. Startcom offers free Class 1 certificates trusted by most browsers and mobile devices, so I use them. The certificate is in PEM format (----- BEGIN CERT ----- and ----- END CERT -----).

Second, I open www-example-com.crt and append Startcom's Class 1 Intermediate. I get the intermediate from Startcom's Index of /certs. Now my www-example-com.crt has two PEM encoded certs in it.

Third, I perform the following to create a PKCS12/PFX file for use in IIS.

openssl pkcs12 -export -in www-example-com.crt -inkey www.example.key -out www-example-com.p12


In your case, your www-example-com.crt will have at least three PEM encoded certificates in it:

----- BEGIN CERT -----
< My JBoss Certificate >
----- END CERT -----

----- BEGIN CERT -----
< My Issuing CA >
----- END CERT -----

----- BEGIN CERT -----
< My CA >
----- END CERT -----

The third cert in the chain - My CA - is optional. You don't need it if your clients use My CA as a trust anchor. If your clients use Entrust as a trust anchor, then you will need to include it.

If you cat your www-example-com.crt and it does NOT have multiple certificates, then do not continue. Don't perform openssl pkcs12 until your server cert has all the intermediate certificates required to verify the chain.

Do not include the Entrust CA certificate.


I doubt Entrust signs with their CA directly. They probably use an intermediate, too. So your cert chain should probably look like:

----- BEGIN CERT -----
< My JBoss Certificate >
----- END CERT -----

----- BEGIN CERT -----
< My Issuing CA >
----- END CERT -----

----- BEGIN CERT -----
< My CA >
----- END CERT -----

----- BEGIN CERT -----
< Entrust Intermediate >
----- END CERT -----

Entrust provides their CA and Intermediate certificates at Entrust Root Certificates. I can't tell you which one you need because you won't provide a URL or show us the chain you have. But I'm guessing it's going to be one or more of:

  • Entrust L1E Chain Certificate
  • Entrust L1C Chain Certificate
  • Entrust L1E Chain Certificate (SHA2)
  • Entrust L1C Chain Certificate (SHA2)

You can test your chain with OpenSSL's s_client. This time, you will use Entrust's certificate:

echo -e "GET / HTTP/1.0\n" | openssl s_client -connect myserver:8443 -CAfile entrust-ca.pem

You can get entrust-ca.pem from Entrust Root Certificates. Run it and tell us what errors you get. Or better, post the URL to your server so we can see what's going on.
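The answer's rule of thumb (do not run openssl pkcs12 until the .crt holds the server cert plus its intermediates, in leaf-to-issuer order) can be enforced with a small wrapper. This is an added example, not code from the answer; the file names www-example-com.crt, www.example.key and www-example-com.p12 are assumed from the answer, and the chain-order check needs openssl on the PATH.

```shell
#!/bin/sh
# Added example (not from the original answer): guard the
# "openssl pkcs12 -export" step. The bundle must contain at least two PEM
# certificates, and each certificate's issuer must equal the subject of the
# certificate that follows it (leaf, issuing CA, CA, ...).

# Number of PEM certificate blocks in a file (0 if none or file missing).
count_certs() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Return 0 when cert i is issued by cert i+1 for every adjacent pair.
chain_order_ok() {
    bundle=$1
    tmp=$(mktemp -d)
    # Split the bundle into one file per certificate, numbered in file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++}
                     {print > (d "/" n ".pem")}' "$bundle"
    n=$(count_certs "$bundle"); i=1; ok=0
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer 2>/dev/null) || { ok=1; break; }
        subject=$(openssl x509 -in "$tmp/$((i+1)).pem" -noout -subject 2>/dev/null) || { ok=1; break; }
        # openssl prints "issuer=<DN>" and "subject=<DN>"; compare the DN text.
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || ok=1
        i=$((i+1))
    done
    rm -rf "$tmp"
    return $ok
}

# Build the PKCS12 only when the bundle passes both checks.
build_p12() {
    crt=$1; key=$2; out=$3
    n=$(count_certs "$crt")
    if [ "$n" -lt 2 ]; then
        echo "$crt holds $n certificate(s); append the intermediate(s) first" >&2
        return 1
    fi
    if ! chain_order_ok "$crt"; then
        echo "$crt is not ordered leaf -> issuer -> ...; fix the order" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$crt" -inkey "$key" -out "$out"
}

# Usage with the answer's (assumed) file names:
#   build_p12 www-example-com.crt www.example.key www-example-com.p12
```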
