Why doesn't Java send the client certificate during the SSL handshake?


Question

I'm trying to connect to a secure web service.

I was getting a handshake failure even though my keystore and truststore had been set up correctly.

After several days of frustration, endless googling and asking everyone around, I found out that the only problem was that Java chose not to send the client certificate to the server during the handshake.

Specifically:

  1. The server requested a client certificate (CN=RootCA), i.e. "give me a cert that is signed by the root CA".
  2. Java looked into the keystore and only found my client certificate, which is signed by the "SubCA", which in turn is issued by the "RootCA". It didn't bother to look into the truststore... duh, OK I guess.
  3. Sadly, when I tried to add the "SubCA" certificate to the keystore, that didn't help at all. I did check whether the certificates get loaded into the keystore. They do, but the KeyManager ignores all certificates except the client one.
  4. All of the above leads to the fact that Java decides it doesn't have any certificates that satisfy the server's request and sends nothing... tadaaa, handshake failure :-(

My questions:

  1. Could I be breaking the certificate chain, or somehow adding the SubCA certificate to the keystore in a way that makes the KeyManager load only the client certificate and ignore the rest? (Note that in Chrome the SubCA certificate is always supplied separately, as a trusted authority, and Chrome apparently packages it correctly together with the client certificate during the handshake.)
  2. Is this, strictly speaking, a configuration problem on the server side? The server is a third party. I would expect the server to request a certificate signed by the SubCA authority, since that is what they issued to us. I suspect this works in Chrome and openssl because they are less restrictive, while Java just goes by the book and fails.

I did manage to put together a dirty workaround for this, but I'm not very happy about it, so I'll be glad if anyone can clarify this one for me.
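Added example, not code from the original question: a wrapper around the JDK's X509ExtendedKeyManager that prints the issuer names the server listed in its CertificateRequest, the alias the key manager chose (null means Java sends an empty certificate list, which is the failure described above) and the subject and issuer of every certificate stored under each alias. It assumes JKS stores whose paths and passwords come from the command line, a key password equal to the store password, and a hypothetical host service.example. The SunX509 key manager that ships with the JDK matches the server's issuer list only against the issuers of the certificates inside a PrivateKeyEntry's chain; separate trusted-certificate entries in the keystore are never consulted for this, so an entry holding only the leaf certificate can never satisfy a request for CN=RootCA.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Logs what the server asked for (issuer names from its CertificateRequest), which alias
 * the JDK key manager picked, and what chain is stored under it. Everything else is
 * delegated unchanged, so the TLS behaviour is exactly the JDK's.
 */
public class LoggingKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;

    LoggingKeyManager(X509ExtendedKeyManager delegate) {
        this.delegate = delegate;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return report(keyTypes, issuers, delegate.chooseClientAlias(keyTypes, issuers, socket));
    }

    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        return report(keyTypes, issuers, delegate.chooseEngineClientAlias(keyTypes, issuers, engine));
    }

    private String report(String[] keyTypes, Principal[] issuers, String alias) {
        System.out.println("Server accepts key types " + Arrays.toString(keyTypes)
                + " from issuers " + (issuers == null ? "(any)" : Arrays.toString(issuers)));
        if (alias != null) {
            System.out.println("Chosen alias: " + alias);
            describe(alias, delegate.getCertificateChain(alias));
            return alias;
        }
        System.out.println("No alias matched: an empty certificate list will be sent. Entries available:");
        for (String keyType : keyTypes) {
            String[] all = delegate.getClientAliases(keyType, null); // null issuers = list everything
            if (all != null) {
                for (String a : all) describe(a, delegate.getCertificateChain(a));
            }
        }
        return null;
    }

    // Prints subject and issuer of every certificate in the chain stored under an alias.
    private static void describe(String alias, X509Certificate[] chain) {
        System.out.println("  alias " + alias + ": chain of " + chain.length + " certificate(s)");
        for (int i = 0; i < chain.length; i++) {
            System.out.println("    [" + i + "] subject=" + chain[i].getSubjectX500Principal()
                    + " issuer=" + chain[i].getIssuerX500Principal());
        }
    }

    // Pass-through for the remaining X509KeyManager methods.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }

    // Builds an SSLContext from a JKS keystore and truststore with the logging wrapper installed.
    static SSLContext build(String ksPath, char[] ksPass, String tsPath, char[] tsPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, ksPass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPass); // assumption: key password equals store password (keytool's default)
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509ExtendedKeyManager) kms[i] = new LoggingKeyManager((X509ExtendedKeyManager) kms[i]);
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(tsPath)) { ts.load(in, tsPass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    // usage: java LoggingKeyManager store.jks storepass trust.jks trustpass service.example 443
    public static void main(String[] args) throws Exception {
        SSLContext ctx = build(args[0], args[1].toCharArray(), args[2], args[3].toCharArray());
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[4], Integer.parseInt(args[5]))) {
            s.startHandshake();
            System.out.println("Handshake completed with " + s.getSession().getProtocol());
        }
    }
}
```

With the keystore from the question, the output shows the server's issuer list containing CN=RootCA, no chosen alias, and a single-certificate chain whose issuer is CN=SubCA, which makes the mismatch visible without guessing. The same decision can also be read from the JDK's own trace by running with -Djavax.net.debug=ssl:handshake, which prints the CertificateRequest and the client Certificate message that follows it.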

Answer

It's possible that you imported the intermediate CA certificate into the keystore without associating it with the entry that holds your client certificate and its private key. You should be able to see this using keytool -v -list -keystore store.jks. If you only get one certificate per alias entry, they're not together.

You would need to import your certificate and its chain together into the keystore alias that has your private key.

To find out which keystore alias has the private key, use keytool -list -keystore store.jks (I'm assuming the JKS store type here). This will tell you something like this:

Your keystore contains 1 entry

myalias, Feb 15, 2012, PrivateKeyEntry, 
Certificate fingerprint (MD5): xxxxxxxx

Here, the alias is myalias. If you use -v in addition to this, you should see Alias Name: myalias.

If you don't have it separately already, export your client certificate from the keystore:

keytool -exportcert -rfc -file clientcert.pem -keystore store.jks -alias myalias

Using a text editor (or cat), prepare a file (let's call it bundle.pem) with that client certificate and the intermediate CA certificate (and possibly the root CA certificate itself, if you want), so that the client certificate is at the beginning and its issuer certificate is just under it.

It should look like this:

-----BEGIN CERTIFICATE-----
MIICajCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVSzEa
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICkjCCAfugAwIBAgIJAKm5bDEMxZd7MA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNV
....
-----END CERTIFICATE-----

Now, import this bundle back into the alias where your private key is:

keytool -importcert -keystore store.jks -alias myalias -file bundle.pem
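Added example, not the answer's own code: a Java program that performs the last step of the answer (installing bundle.pem as the chain of the PrivateKeyEntry) and checks the two things that silently go wrong when this is done by hand: that the bundle really is an ordered chain (each certificate's issuer is the next certificate's subject and its signature verifies against that certificate), and that the first certificate in the bundle belongs to the private key under the alias. It assumes a JKS store, a key password equal to the store password, and the alias and bundle path given on the command line; it rewrites the keystore in place, so keep a copy of store.jks before running it.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Replaces the certificate chain stored under a PrivateKeyEntry with the chain read
 * from a PEM bundle (leaf first, then each issuer), after checking that the bundle
 * is a real chain and that its leaf is the certificate of that private key.
 */
public class RepairKeyStoreChain {

    // Parses every PEM certificate in the bundle, in file order.
    static List<X509Certificate> readPemBundle(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    // Returns null when every certificate is issued (subject match and valid signature)
    // by the one after it, otherwise a description of the first break in the chain.
    static String checkChain(List<X509Certificate> chain) {
        if (chain.isEmpty()) return "bundle contains no certificates";
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            X509Certificate issuer = chain.get(i + 1);
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                return "certificate " + i + " is issued by " + cert.getIssuerX500Principal()
                        + " but certificate " + (i + 1) + " is " + issuer.getSubjectX500Principal();
            }
            try {
                cert.verify(issuer.getPublicKey());
            } catch (Exception e) {
                return "signature on certificate " + i + " does not verify with certificate " + (i + 1) + ": " + e;
            }
        }
        return null;
    }

    static void print(String label, Certificate[] chain) {
        System.out.println(label + ": chain of " + chain.length + " certificate(s)");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            System.out.println("  [" + i + "] subject=" + c.getSubjectX500Principal()
                    + " issuer=" + c.getIssuerX500Principal());
        }
    }

    // usage: java RepairKeyStoreChain store.jks storepass myalias bundle.pem
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: RepairKeyStoreChain <keystore.jks> <password> <alias> <bundle.pem>");
            System.exit(2);
        }
        String ksPath = args[0];
        char[] pass = args[1].toCharArray(); // assumption: key password equals store password
        String alias = args[2];

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(ksPath)) { ks.load(in, pass); }
        if (!ks.isKeyEntry(alias)) throw new IllegalArgumentException(alias + " is not a PrivateKeyEntry");
        Key key = ks.getKey(alias, pass);
        if (!(key instanceof PrivateKey)) throw new IllegalArgumentException(alias + " holds no private key");
        Certificate[] before = ks.getCertificateChain(alias);
        print("Before", before);

        List<X509Certificate> chain = readPemBundle(args[3]);
        String problem = checkChain(chain);
        if (problem != null) throw new IllegalArgumentException("bundle rejected: " + problem);
        // The leaf must be this key's certificate; otherwise the server would receive a
        // CertificateVerify signature that does not match the certificate it was sent.
        if (!Arrays.equals(chain.get(0).getPublicKey().getEncoded(), before[0].getPublicKey().getEncoded())) {
            throw new IllegalArgumentException("first certificate in the bundle is not the certificate of " + alias);
        }

        ks.setKeyEntry(alias, key, pass, chain.toArray(new Certificate[0]));
        try (FileOutputStream out = new FileOutputStream(ksPath)) { ks.store(out, pass); }
        print("After", ks.getCertificateChain(alias));
    }
}
```

Afterwards keytool -v -list -keystore store.jks should report a certificate chain length of 2 (or 3 with the root included) under myalias, and the "After" listing shows CN=RootCA among the issuers of the stored chain, which is the name the server's CertificateRequest asked for. This replaces keytool -importcert for that one step; keytool treats a file imported into a PrivateKeyEntry as a certificate reply and validates it up to a trusted root before installing it, so when that import is refused, a root that is neither in the bundle nor in a trusted entry is the usual reason.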
