SSL intermediate certificates

混江龙づ霸主 submitted on 2019-12-06 15:03:09

Question


We are having a lot of trouble getting our SSL certificates to work properly.

We have generated our keystores (using multiple sources) from an existing key and certificate by first creating a pkcs12 file and exporting it to a java keystore.

Now, Thawte requires that you install 2 intermediate ca files. If I inspect our keystore, all three (the 2 intermediates and our own) are present. Tomcat starts up properly, but on visiting the site (and using the verisign ssl checker), the two intermediate certificates are not picked up.

If anyone has more experience with installing certificates from Thawte, any input would be appreciated. We have the following files at our disposal. Unfortunately we do not have the original keystore used to create the CSR, but we do have the private key.

  1. CSR file
  2. Private key (.key file)
  3. Our .crt file
  4. The primary and secondary intermediate files from Thawte (as separate files and as a bundled .p7b file)

Also, we are using tomcat 7.0.27 without apache.

Thanks!


Answer 1:


I answered your other question; the snippets from there should help with this problem too.

One caveat: to add the full certificate chain to a PKCS#12 keystore you must concatenate all intermediate PEM files like this:

cat specific_ca.pem general_ca.pem root_ca.pem > ca_chain.pem

Then specify -CAfile ca_chain.pem and specify -caname multiple times, once for every cert in the chain, in the order they appear in the ca_chain.pem file.

DER to PEM conversion, just in case:

openssl x509 -in cert.der -inform der -outform pem -out cert.pem



Answer 2:


Just to clarify, since I was not sure how to deal with it after reading those hints: I put all certificates and the private key into a PKCS12 keystore and then configured Tomcat to use that keystore instead of the default JKS. It didn't work for me with JKS; keytool was importing only the private key and my site certificate from the PKCS12 file, but the intermediate certificate was missing.

The command I used:

openssl pkcs12 -export -in mycert.crt -inkey my-key.key -out server.p12 -name site.com -caname intermediate -chain -CAfile intermediate.crt

And in the server.xml file I added

keystoreType="PKCS12"

in the connector definition.

And now I have Tomcat 7 serving content over https using the previously generated key, certificate and intermediate certificate. In my case it was only one intermediate certificate from RapidSSL.
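The two answers above describe the same fix from different angles: answer 1 gives the order of the concatenated chain file and the per-certificate -caname, answer 2 gives the full `openssl pkcs12 -export -chain` command. The script below is an added example (not code from either answer or from the original question) that builds a constructed root -> intermediate -> leaf hierarchy with openssl, then packages the leaf both without and with the chain so the difference is measurable: the first keystore carries 1 certificate (the "chain length 1" symptom), the second carries all 3. It assumes `openssl` is on PATH; the names, subjects and the password `changeit` are placeholders for this demo.

```shell
#!/bin/sh
# Added example, not from the original answers: build a throw-away root -> intermediate -> leaf
# chain, then package the leaf the way that reproduces "chain length 1" and the way
# answer 1 describes (-chain plus a concatenated -CAfile, one -caname per chain cert).
set -e
WORK=$(mktemp -d)
PASS=changeit              # constructed keystore password for this demo only
cd "$WORK"
EC='-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes'

# Constructed CA hierarchy: nothing here is a real Thawte or RapidSSL certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new $EC -keyout root.key -out root.csr -subj /CN=DemoRoot 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
openssl req -new $EC -keyout inter.key -out inter.csr -subj /CN=DemoIntermediate 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out inter.pem 2>/dev/null
openssl req -new $EC -keyout site.key -out site.csr -subj /CN=site.example 2>/dev/null
openssl x509 -req -in site.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 1 -out site.crt 2>/dev/null

# Answer 1's chain file: the issuer closest to the leaf first, the root last.
cat inter.pem root.pem > ca_chain.pem

# Number of certificates stored in a PKCS#12 file, i.e. what Tomcat can actually send.
cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Broken: leaf only. Tomcat starts fine, but an SSL checker reports a chain of length 1.
openssl pkcs12 -export -in site.crt -inkey site.key -name site.example \
  -out leaf_only.p12 -passout "pass:$PASS"
# Fixed: -chain walks ca_chain.pem and embeds each issuer; -caname once per chain cert.
openssl pkcs12 -export -in site.crt -inkey site.key -name site.example \
  -chain -CAfile ca_chain.pem -caname intermediate -caname root \
  -out server.p12 -passout "pass:$PASS"

echo "leaf_only.p12 holds $(cert_count leaf_only.p12) certificate(s)"   # 1
echo "server.p12 holds $(cert_count server.p12) certificate(s)"         # 3
```

Pointing Tomcat at server.p12 with keystoreType="PKCS12" (answer 2) is then enough for it to send the intermediate; the same cert_count check is a quick way to confirm a keystore before restarting the connector.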




Answer 3:


It seems the only way we got it working properly was by revoking the old certificate and renewing it with a new CSR.




Answer 4:


I had the same problem with "Certificate chain length" coming up as "1". I was just beginning to lose all hope, having tried many methods, but managed to solve it by installing and using APR:

https://stackoverflow.com/a/22391211/2802916

Now the connector in server.xml looks like this:

<Connector port="443"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="false"
    SSLCertificateFile="thecertificate.cer"
    SSLCertificateKeyFile="privatekey.key"
    SSLCACertificateFile="intermediate.crt"
    SSLPassword="thePassForPrivateKey"
/>


Source: https://stackoverflow.com/questions/10090263/ssl-intermediate-certificates
