Chrome and IE do not accept client certificate

I have two websites on different hosts, protected by the same SSL certificate, one on Apache2 and one on JBOSS.

My process:

  1. Created a private CA.
  2. Created a new certificate and signed it with the CA.
  3. Converted the certificate to PKCS12 format.
  4. Imported the PKCS12 certificate into a JKS (because that is what JBOSS likes).

I have installed the client certificate and the CA certificate in all browsers. (Installing the CA certificate is not required, but it gets rid of the red/danger icon in the URL bar.)

Ubuntu 14.04

  • Firefox lets me access both sites using the client certificate.
  • Chrome lets me access the Apache2 site, but on the JBOSS site it fails with: ERR_BAD_SSL_CLIENT_AUTH_CERT

Windows 7

Chrome, Firefox and IE all let me access the Apache2 site, but none of them let me access the JBOSS site.

  • Firefox: ssl_error_bad_cert_alert
  • Chrome: ERR_BAD_SSL_CLIENT_AUTH_CERT
  • IE: This page can't be displayed

The certificates and the root certificate are all current; they just cannot be validated.

Does anyone have a theory/solution?

Some redacted openssl command-line output, in the hope that it helps:

$ openssl s_client -connect jboss_host:8443 -cert client.pem -showcerts -CAfile private_ca.crt
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mendocino, O = My Company, CN = My Company CA, emailAddress = [email protected]
verify return:1
depth=0 C = US, ST = California, L = Mendocino, O = My Company, OU = Systems, CN = OND, emailAddress = [email protected]
verify return:1
139661545379488:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1262:SSL alert number 46
139661545379488:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
--- 
Certificate chain
 0 s:/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/[email protected]
   i:/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/[email protected]
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/[email protected]
issuer=/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/[email protected]
---
Acceptable client certificate CA names
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR Production/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR Production/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/[email protected]
---
SSL handshake has read 2028 bytes and written 2356 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    Session-ID-ctx:
    Master-Key: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1429133346
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
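An added diagnostic, not code from the post: it parses the "Acceptable client certificate CA names" block that openssl s_client prints (as in the output above) and checks whether the client certificate's issuer DN is among the names the server advertised. The s_client excerpt and the issuer DN are constructed from the post's values; DN values are assumed to contain no unescaped "/".

```python
# Added example (not from the post): parse the "Acceptable client certificate
# CA names" block printed by `openssl s_client` and check whether the issuer
# of the client certificate is in it. If it is not, the server will reject the
# client cert ("sslv3 alert certificate unknown", alert 46, as in the post).

# Constructed excerpt of s_client output, modelled on the post above.
SAMPLE_S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory
---
SSL handshake has read 2028 bytes and written 2356 bytes
"""

# Constructed issuer DN of the client certificate (the post's private CA).
CLIENT_CERT_ISSUER = "/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA"

def parse_dn(dn):
    """Split an OpenSSL one-line DN ('/C=US/ST=...') into an ordered tuple of
    (attribute, value) pairs. Assumes values contain no unescaped '/'."""
    rdns = []
    for part in dn.strip().split("/"):
        if part:
            attr, _, value = part.partition("=")
            rdns.append((attr.strip(), value.strip()))
    return tuple(rdns)

def acceptable_ca_names(output):
    """Return the DNs the server advertised in its CertificateRequest. Empty
    if s_client printed 'No client certificate CA names sent' instead."""
    lines = output.splitlines()
    if "Acceptable client certificate CA names" not in lines:
        return []
    names = []
    for line in lines[lines.index("Acceptable client certificate CA names") + 1:]:
        if line.startswith("---"):
            break
        names.append(line.strip())
    return names

def issuer_is_acceptable(issuer_dn, output):
    """True if the client cert's issuer DN equals one of the advertised names."""
    wanted = parse_dn(issuer_dn)
    return any(parse_dn(name) == wanted for name in acceptable_ca_names(output))

if __name__ == "__main__":
    # Prints False: the private CA is not in the server's advertised list.
    print(issuer_is_acceptable(CLIENT_CERT_ISSUER, SAMPLE_S_CLIENT_OUTPUT))
```

A False result here means the server's trust store does not include the CA that signed the client certificate, which is the condition to fix on the server side before retrying the browsers.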
