I am trying to connect to a third-party API that has mutual TLS authentication enabled. So I should install the client certificate in the key store and send it during the TLS handshake. I have now completed the certificate installation, and the server's certificate request looks like this:
My certificate's properties look like this:
When I try to connect, I get an error like this from Schannel:
The remote server has requested TLS client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This TLS connection request may succeed or fail, depending on the policy settings of the server.
So my guess is that the request and the available certificate do not match. Can someone point out which attribute of the certificate does not match the request?
certutil gives this result when I run it against the pfx file:
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: xxxxxxxxxxxxxxxxxxxxxxx
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
NotBefore: 12-02-2014 05:30
NotAfter: 12-02-2029 05:29
Subject: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Non-root Certificate
Cert Hash(sha1): xxxxxxxxxxxxxxxxxxxxxxxxx
---------------- End Nesting Level 1 ----------------
No key provider information
Cannot find the certificate and private key for decryption.
================ Certificate 1 ================
================ Begin Nesting Level 1 ================
Element 1:
Serial Number: xxxxxxxxxxxxxxxxxxxxxxx
Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
NotBefore: 16-02-2018 05:30
NotAfter: 12-12-2018 05:29
Subject: CN=www.domain.com, OU=PositiveSSL, OU=Domain Control Validated
Non-root Certificate
Cert Hash(sha1): xxxxxxxxxxxxxxxxxxxxxxxxxx
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -dump command completed successfully.
Note: this PFX contains two certificates; the first is the intermediate certificate and the second is the actual certificate.
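The Schannel event quoted above is logged when none of the certificates in the connecting account's personal store passes Schannel's client-certificate selection. The three properties that selection depends on are: a usable private key, an Enhanced Key Usage that permits Client Authentication (OID 1.3.6.1.5.5.7.3.2) or no EKU extension at all, and a chain that ends in one of the issuer names the server listed in its CertificateRequest. The script below is an added example, not code from the original post or from any vendor; it walks a certificate store and reports those three properties for each certificate. The store path and the `$AcceptableIssuers` list are assumptions: the list is seeded with the CA subject from the certutil dump as a placeholder and should be replaced with the distinguished names shown in the server's certificate request.

```powershell
# Added example (not from the original post). Reports, for every certificate in
# a store, the properties Schannel checks when picking a client certificate:
#   1. HasPrivateKey   - the PFX was imported with its private key
#   2. ClientAuthEku   - EKU contains Client Authentication, or no EKU at all
#   3. IssuerInList    - the chain contains a name the server said it accepts
# ASSUMPTIONS: the store path below, and the $AcceptableIssuers entries, which
# must be replaced with the DNs from the server's CertificateRequest.
param(
    [string]$StorePath = 'Cert:\CurrentUser\My',
    [string[]]$AcceptableIssuers = @(
        # placeholder taken from the certutil dump; replace with the server's list
        'CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB'
    )
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExts = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] })
    # No EKU extension means the key is not restricted to a purpose.
    if ($ekuExts.Count -eq 0) { return $true }
    foreach ($ext in $ekuExts) {
        foreach ($oid in $ext.EnhancedKeyUsages) {
            if ($oid.Value -eq $ClientAuthOid) { return $true }
        }
    }
    return $false
}

function Get-ChainNames {
    # Returns the subject and issuer DNs of every element in the built chain,
    # so they can be compared with the names the server accepts.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is irrelevant here; we only want the chain's names.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Cert)
    $names = New-Object System.Collections.Generic.List[string]
    foreach ($element in $chain.ChainElements) {
        $names.Add($element.Certificate.Subject)
        $names.Add($element.Certificate.Issuer)
    }
    $chain.Reset()
    return $names | Select-Object -Unique
}

function ConvertTo-NormalizedDn {
    # Collapse whitespace around separators and ignore case so that DNs copied
    # from different tools compare equal.
    param([string]$Dn)
    return ($Dn -replace '\s*,\s*', ',').Trim().ToLowerInvariant()
}

$acceptable = @($AcceptableIssuers | ForEach-Object { ConvertTo-NormalizedDn $_ })

foreach ($cert in Get-ChildItem $StorePath) {
    $chainNames = @(Get-ChainNames -Cert $cert)
    $matched = @($chainNames | Where-Object { $acceptable -contains (ConvertTo-NormalizedDn $_) })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = Test-ClientAuthEku -Cert $cert
        IssuerInList  = ($matched.Count -gt 0)
        Chain         = ($chainNames -join ' | ')
    }
}
```

A certificate that shows `HasPrivateKey` false, `ClientAuthEku` false, or `IssuerInList` false will not be offered by Schannel. Run the script as the same account that makes the connection; a service running as a machine identity reads `Cert:\LocalMachine\My`, not the interactive user's store, and the PFX then has to be imported there with its private key. Note that the intermediate certificate from the PFX normally belongs in the Intermediate Certification Authorities store rather than Personal, otherwise the chain build may not reach the issuer the server named.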