我被要求为“Oracle Application Server 11g”获取 SSL 证书,但该证书即将过期。尽管 10g 似乎是最新版本,但我还是从 InCommon 获得了证书,通常我都顺利获得证书(只是这是我第一次在 CSR 表单上提供 Oracle Application Server 11g 作为软件类型)。在包含证书下载链接的电子邮件中,它提到:
证书详细信息:
SSL 类型 : InCommon SSL
服务器:其他
我将电子邮件转发给负责安装的人,并收到回复,说服务器类型必须是 Oracle 应用服务器,证书才能工作(CN 与以前相同)。他们无法安装此证书(没有向我提供详细信息),并提到他们之前与 Thawte 合作时遇到过这个问题,当时他们没有提供 Oracle 应用服务器作为服务器类型。我看不出当前安装的证书(工作)和我刚刚通过 InCommon 签名的新证书(不工作)之间有什么显著差异。
$ openssl x509 -in sso-current.cer -text
显示,省略了不相关的信息。
Data:
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/[email protected]
Validity
Not Before: Oct 1 00:00:00 2009 GMT
Not After : Nov 28 23:59:59 2012 GMT
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.thawte.com/ThawteServerPremiumCA.crl
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Authority Information Access:
OCSP - URI:http://ocsp.thawte.com
Signature Algorithm: sha1WithRSAEncryption
和
$ openssl x509 -in sso-new.cer -text
节目
Data:
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Internet2, OU=InCommon, CN=InCommon Server CA
Validity
Not Before: Nov 8 00:00:00 2012 GMT
Not After : Nov 8 23:59:59 2014 GMT
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:48:4F:5A:FA:2F:4A:9A:5E:E0:50:F3:6B:7B:55:A5:DE:F5:BE:34:5D
X509v3 Subject Key Identifier:
18:8D:F6:F5:87:4D:C4:08:7B:2B:3F:02:A1:C7:AC:6D:A7:90:93:02
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.5923.1.4.3.1.1
CPS: https://www.incommon.org/cert/repository/cps_ssl.pdf
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.incommon.org/InCommonServerCA.crl
Authority Information Access:
CA Issuers - URI:http://cert.incommon.org/InCommonServerCA.crt
OCSP - URI:http://ocsp.incommon.org
我没有发现什么导致协议无法生效的原因,因此我对签名者在重新签名时应该做什么没有特别的要求。
答案1
尝试这个:
openssl x509 -in sso-current.cer -outform DER -out sso-fixed.cer
您在文件中有一个 PEM 格式的证书.cer
。
并重命名sso-current.cer
为sso-current.pem
。