Client SSL authentication causing 403.7 error from IIS

Question

I'm trying to connect to a web service (not under my control) configured to authenticate users via SSL client certs. I have a valid certificate in PKCS12 format containing the client certificate and associated private key. The certificate is issued by a CA accepted by the web service provider.

Installing the certificate and trying to access the restricted area in various browsers gives the following results:


  • IE6 - Works fine and I can retrieve the WSDL
  • IE7 - Prompts for the certificate but then fails with a 403.7 from the server
  • Firefox3 - Set to ask, but no prompt and fails with a 403.7
  • Safari 4 - Certificate is installed in the Keychain, but no prompt and a 403.7

Also, trying to access the web service programmatically (Java) fails with the same 403.7 error code.

Strange that this works in IE6 but in no other browser, what am I missing? Do I need to include the full CA certificate chain in the PKCS12 file?

Any help would be greatly appreciated.

Recommended answer

Ok, got this working. The answer is yes, I did need to include all intermediary CA certs in the PKCS12 file. I concatenated all the intermediary CA certs plus the Root CA cert in the file "chain.pem" then executed the following command:

openssl pkcs12 -export -chain -CAfile chain.pem -in cert.pem -inkey key.pem -out cert.p12
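
To check that an exported file really carries the intermediates, this added example (not part of the original answer) builds a throwaway root, intermediate and client certificate, then counts the certificates in a PKCS12 exported without and with `-chain`. The subjects, the extra file names and the password `demo` are constructed placeholders, and it assumes the `openssl` CLI with its default configuration file.

```shell
#!/bin/sh
# Constructed demo: subjects, file names and the "demo" password are placeholders.

new_csr() {  # $1 = file basename, $2 = subject CN; writes $1.key and $1.csr
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Throwaway root -> intermediate -> client hierarchy in directory $1.
make_demo_pki() (
    cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext   # marks a cert as a CA
    new_csr root 'Demo Root CA' && new_csr inter 'Demo Intermediate CA' &&
    new_csr client 'Demo Client' &&
    openssl x509 -req -in root.csr -signkey root.key -days 1 \
        -extfile ca.ext -out root.pem 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 \
        -days 1 -extfile ca.ext -out inter.pem 2>/dev/null &&
    openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key \
        -set_serial 3 -days 1 -out cert.pem 2>/dev/null &&
    mv client.key key.pem
)

# Export twice in directory $1: leaf only, then with the chain as in the answer.
export_both() (
    cd "$1" || exit 1
    openssl pkcs12 -export -in cert.pem -inkey key.pem \
        -passout pass:demo -out leaf-only.p12 &&
    cat inter.pem root.pem > chain.pem &&
    openssl pkcs12 -export -chain -CAfile chain.pem -in cert.pem -inkey key.pem \
        -passout pass:demo -out cert.p12
)

count_certs() {  # prints the number of certificates stored in PKCS12 file $1
    openssl pkcs12 -in "$1" -nokeys -passin pass:demo 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" && export_both "$dir" &&
    echo "leaf-only.p12: $(count_certs "$dir/leaf-only.p12") certificate(s)" &&
    echo "cert.p12:      $(count_certs "$dir/cert.p12") certificate(s)"
    rm -rf "$dir"
}
demo
```

The same `count_certs` check can be run against a real `cert.p12` by substituting its import password for `demo`.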
