Can't create keystore for Tomcat with key, cert and CAs Certificate chain length: 1


Problem description

I can't get my certificate bought from RapidSSL working on Tomcat but on Apache.

RapidSSL requires that you install 2 intermediate CA files.

When I create a keystore from the private key, certificate and the intermediary CA:s I can see

Entry type: PrivateKeyEntry
Certificate chain length: 1

The two intermediate certificates do not seem to be picked up or something like that.

I have

I can get it working on an Apache server with the following settings:

SSLCertificateFile /root/ssl_certs/rapidssl.crt
SSLCertificateKeyFile /root/ssl_certs/privatekey.key
SSLCACertificateFile /root/ssl_certs/intermediate.crt

I have heard of something called a root certificate, and I don't know what that is. Is that something that I need?

I have heard that Tomcat should be able to use PKCS12 so I did this to try to create a pkcs12 file:

openssl pkcs12 -export -in rapidssl.crt -inkey privatekey.key -out mycert.p12 -name tomcat -CAfile intermediate.crt -caname root -chain

But I get the error

Error unable to get local issuer certificate getting chain.

The intermediate.crt has the primary and secondary CA:s in it.

Recommended answer

Try using Portecle to import all your stuff. I haven't used it myself, but the complete mess that is Java Keystores is evidently a lot more manageable if you use a tool like Portecle.

If you want to get better performance out of Tomcat and not bother merging your keys, certs, etc. into a single binary ball, consider using Tomcat's APR connector. You can use the same cert and key files you already use with Apache httpd, and you'll get better crypto performance.
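
An added example, not part of the original question or answer: a shell sketch that reproduces the failing `-chain` export with a constructed root, intermediate and leaf, then shows the export succeeding once the root certificate is in the `-CAfile` bundle. The PKI, its subjects, `pki.cnf`, `chain.pem`, `root.crt` and the `changeit` password are assumptions made for the demo; `rapidssl.crt`, `privatekey.key`, `intermediate.crt` and `mycert.p12` are the file names from the question.

```shell
#!/bin/sh
# Added example with a constructed PKI: every subject and key here is made up.
make_pki() {  # writes root, intermediate and leaf files into the current directory
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
    -extensions ca_ext -subj "/CN=Constructed Root" \
    -keyout root.key -out root.crt 2>/dev/null &&
  openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Intermediate" -keyout int.key -out int.csr 2>/dev/null &&
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile pki.cnf -extensions ca_ext -out intermediate.crt 2>/dev/null &&
  openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout privatekey.key -out leaf.csr 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey int.key -CAcreateserial \
    -days 2 -out rapidssl.crt 2>/dev/null
}

# The question's command, parameterised: -chain has to build a path from the leaf
# to a self-signed root found in -CAfile (or in the default CA directory).
export_p12() {  # $1 = PEM bundle for -CAfile, $2 = output .p12
  openssl pkcs12 -export -in rapidssl.crt -inkey privatekey.key -name tomcat \
    -CAfile "$1" -caname root -chain -passout pass:changeit -out "$2" 2>/dev/null
}

count_certs() {  # number of certificates stored in a .p12
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d) && cd "$work" && make_pki || exit 1
export_p12 intermediate.crt bad.p12 || echo "intermediates only: chain cannot be built"
cat intermediate.crt root.crt > chain.pem   # add the root certificate to the bundle
export_p12 chain.pem mycert.p12 &&
  echo "certificates in mycert.p12: $(count_certs mycert.p12)"
```

A PKCS12 file built this way can be given to a Tomcat connector with `keystoreType="PKCS12"`, and `keytool -list -v` on it should report the full chain rather than `Certificate chain length: 1`.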
