tomcat doesn't deliver intermediate certificate (https)
Question
I created a key and a CSR on the console, using the openssl executable. Then I sent the CSR to a CA and got the certificate back. Now I want to import it into Tomcat.
So I created a PKCS#12 file out of my key and my certificate:
openssl pkcs12 -export -in mycert.cert -inkey mykey.pem -out key_and_cert.p12
and then created a keystore containing it:
keytool -importkeystore -deststorepass [password] -destkeystore keystore.jks -srckeystore key_and_cert.p12 -srcstoretype PKCS12 -srcstorepass [password]
Then I imported the intermediate certificate chain.crt:
keytool -import -trustcacerts -alias root -file chain.crt -keystore keystore.jks
Here is the output of "keytool -keystore keystore.jks -list":
Keystore-Typ: JKS
Keystore-Provider: SUN
Ihr Keystore enthält 2 Einträge.
root, 14.11.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): [fingerprint]
1, 14.11.2011, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): [fingerprint]
The Tomcat server.xml contains:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" URIEncoding="UTF-8" compression="on"
sslProtocol="TLS"
keystoreFile="/[absolute-path]/keystore.jks"
keystorePass="[password]" />
When I restart Tomcat, it logs no errors in catalina.out; everything seems to be OK. But when I run Firefox, it reports
[domain] uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
Running "openssl s_client -connect [domain]:443 -showcerts" returns
CONNECTED(00000003)
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = DE, OU = Domain Control Validated, CN = [domain]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=DE/OU=Domain Control Validated/CN=[domain]
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
-----BEGIN CERTIFICATE-----
[certificate from mycert.cert]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/OU=Domain Control Validated/CN=[domain]
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 1777 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: [session-id]
Session-ID-ctx:
Master-Key: [master-key]
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1321268519
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
I think Tomcat doesn't deliver the intermediate certificate although it knows it. What can I do to make Tomcat deliver it?
Additional information: When importing the PKCS#12 certificate, there is no certificate chain error, because the -importkeystore command doesn't check the chain. I also tried to import the intermediate certificate first and then call -importkeystore. I got the same results.
edit: I just tried another way by inserting the chain directly into the PKCS#12 certificate and got the following error:
$ openssl pkcs12 -export -CAfile chain.pem -in mycert.cert -inkey mykey.pem -out key_and_cert.p12 -name tomcat -chain
Error unable to get issuer certificate getting chain.
But the chain certificate is OK:
$ openssl verify chain.pem
chain.pem: OK
Accepted answer
Finally I got it working. It's not a clean solution, but it works. I added the intermediate certificate to my local /etc/ssl/certs and then called
openssl pkcs12 -export -in cert.pem -inkey key.key -out key_and_cert.p12 -chain
I converted the resulting PKCS#12 certificate to a JKS via
keytool -importkeystore -deststorepass [password] -destkeystore keystore.jks -srckeystore key_and_cert.p12 -srcstoretype PKCS12 -srcstorepass [password]
This resulting file seems to work now; Tomcat delivers the certificate chain also to clients that don't have the intermediate certificate in their /etc/ssl/certs directory. But I think there must also be a way without changing /etc/ssl/certs.