我有两个网站位于不同的主机上,受同一个 SSL 证书保护,一个是 Apache2,一个是 JBOSS。
我的过程:
- 创建了一个私人 CA。
- 创建了一个新证书并用 CA 对其进行了签名。
- 将证书转换为 PKCS12 格式。
- 将 PKCS12 证书导入 JKS(因为这是 JBOSS 喜欢的)。
我已经在所有浏览器上安装了客户端证书和 CA 证书。(安装 CA 证书不是必需的,但可以消除 URL 中的红色/危险图标。)
Ubuntu 14.04
- Firefox 允许我使用客户端证书访问这两个网站。
- Chrome 允许我访问 Apache2 网站,但在 JBOSS 网站上却出现错误:
ERR_BAD_SSL_CLIENT_AUTH_CERT
Windows 7的
Chrome、Firefox 和 IE 都允许我访问 Apache2 网站,但却不允许我访问 JBOSS 网站。
- 火狐浏览器:
ssl_error_bad_cert_alert - 铬合金:
ERR_BAD_SSL_CLIENT_AUTH_CERT - IE:
This page can't be displayed
证书和根证书都是当前的,只是无法验证。
有人有理论/解决方案吗?
一些编辑过的 openssl 命令行输出,希望有帮助:
$ openssl s_client -connect jboss_host:8443 -cert client.pem -showcerts -CAfile private_ca.crt
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mendocino, O = My Company, CN = My Company CA, emailAddress = [email protected]
verify return:1
depth=0 C = US, ST = California, L = Mendocino, O = My Company, OU = Systems, CN = OND, emailAddress = [email protected]
verify return:1
139661545379488:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1262:SSL alert number 46
139661545379488:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/[email protected]
i:/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/[email protected]
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/[email protected]
$ openssl s_client -connect jboss_host:8443 -cert client.pem -showcerts -CAfile private_ca.crt
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mendocino, O = My Company, CN = My Company CA, emailAddress = [email protected]
verify return:1
depth=0 C = US, ST = California, L = Mendocino, O = My Company, OU = Systems, CN = OND, emailAddress = [email protected]
verify return:1
139661545379488:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1262:SSL alert number 46
139661545379488:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/[email protected]
i:/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/[email protected]
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/[email protected]
issuer=/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/[email protected]
---
Acceptable client certificate CA names
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR Production/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR Production/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/[email protected]
---
SSL handshake has read 2028 bytes and written 2356 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Session-ID-ctx:
Master-Key: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1429133346
Timeout : 300 (sec)
Verify return code: 0 (ok)
---