How do I create PFX certificate export for Azure Website from Network Solutions intermediate and domain certificate files?

Problem description

I purchased an SSL certificate from Network Solutions website. I received 4 .crt files. I believe three of those are intermediate certificates and the fourth is the actual certificate for my web site domain name.

I tried importing the actual certificate with DigiCert utility. It errors on the three intermediate files. It lets me import the domain certificate and export the PFX file but that throws a warning in a browser - no issuer chain provided.

I used a domain controller running Windows Server 2008 R2 to import the Intermediate Certification Authorities in MMC, then IIS Complete Certificate Request with the domain certificate. The Certification Path of the certificate now looks proper but MMC Certificate Export Wizard option for PFX file is grayed out - disabled.

I used MMC Certificate Templates snap-in to create a copy of the Web Server template with Request Handling setting Allow private key to be exported checked. This template does not seem to be used when Complete Certificate Request in IIS because PFX export is still disabled. Complete Certificate Request doesn't offer to select which certificate template to use.

I tried using the certificate details, Copy To File selecting P7B with Include all certificates in the certification path. Completing the wizard shows Export Keys set to No and no way to change it. Saving file then double clicking to open it allows export but again PFX option is disabled.

What is the piece of the puzzle I am missing?

Recommended answer

The problem you are having is with the actual SSL Certificate that Network Solutions issued. I worked with Microsoft on this for a while, but Network Solutions refuses to believe it is a problem.

Azure Websites rely on the AIA (Authority Info Access) attribute to be correct when issuing the certificate chain to clients. In the new SHA-2 certificates that Network Solutions is issuing, this is the value in the AIA element:

[1]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=http://crt.netsolssl.com/NetworkSolutionsOVServerCA2.crt
[2]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://ocsp.netsolssl.com

If you note the URL for the first element, that should point to the first intermediate certificate in your chain. However, that URL throws a 404. In contrast, here is the AIA value from one of their older SHA-1 certificates:

[1]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=http://www.netsolssl.com/NetworkSolutions_CA.crt
[2]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://ocsp.netsolssl.com

This URL is valid, and as such, the certificate chain can be successfully loaded by your clients.

So the only fix is for Network Solutions to put the NetworkSolutionsOVServerCA2.crt file in the location that their certificates say it is in. I have opened numerous tech support tickets with NetSol, and tried to convey this issue through a number of other means, but can never get to someone who acknowledges the issue, or is willing to kick it up the chain to someone with enough know-how to resolve the issue.
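
A check for the condition described in the answer above, as an added example that is not part of the original post: it parses a DER-encoded Authority Info Access extension value and reports any caIssuers URL that does not return HTTP 200. The helper names are hypothetical, the input is only the extension value (not a whole certificate), and the sample bytes are constructed from the SHA-2 URLs quoted in the answer.

```python
import urllib.request

CA_ISSUERS = bytes.fromhex("2b06010505073002")  # OID 1.3.6.1.5.5.7.48.2
OCSP = bytes.fromhex("2b06010505073001")        # OID 1.3.6.1.5.5.7.48.1
METHODS = {CA_ISSUERS: "caIssuers", OCSP: "OCSP"}

def read_tlv(buf, pos):  # one DER tag-length-value -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_aia(der):  # DER AuthorityInfoAccessSyntax -> [(method, url)]
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)  # one AccessDescription
        oid_tag, oid, nxt = read_tlv(desc, 0)
        loc_tag, loc, _ = read_tlv(desc, nxt)
        if oid_tag == 0x06 and loc_tag == 0x86:  # [6] = URI GeneralName
            entries.append((METHODS.get(oid, oid.hex()), loc.decode("ascii")))
    return entries

def http_status(url, timeout=10):  # status code, or None if no HTTP answer
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except OSError as err:  # HTTPError carries .code; DNS/socket errors do not
        return getattr(err, "code", None)

def unreachable_issuers(entries, fetch=http_status):  # caIssuers URLs not answering 200
    return [u for m, u in entries if m == "caIssuers" and fetch(u) != 200]

def build_aia(pairs):  # sample-data encoder only; every length here is < 128
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    return tlv(0x30, b"".join(
        tlv(0x30, tlv(0x06, o) + tlv(0x86, u.encode())) for o, u in pairs))

# Constructed sample: AIA value rebuilt from the SHA-2 URLs quoted in the answer
SHA2_AIA = build_aia([
    (CA_ISSUERS, "http://crt.netsolssl.com/NetworkSolutionsOVServerCA2.crt"),
    (OCSP, "http://ocsp.netsolssl.com")])
```

Calling `unreachable_issuers(parse_aia(SHA2_AIA))` with the default `fetch` issues live HTTP requests; pass a stub callable as `fetch` to run it offline.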
