Question
Background:
I am having some trouble consuming a Web Service with ColdFusion 9 (peer not authenticated).
First, I'm going to try importing the cert into ColdFusion's underlying Java keystore. If that doesn't work, I'm going to try to fiddle with ColdFusion's security provider.
But my questions are more specific...
Question:
How do I export the cert (at the right level) in Chrome (or Linux CLI), and in which format?
Details
I have seen some instructions for exporting a cert from a browser, but they have been for IE (old versions, at that), and I would prefer to use Chrome, because I'm on Linux.
In order to get to the screenshot, below, I:
- Click the lock icon next to the URL
- "Connection" tab (shows "The identity of this website has been verified by Thawte SSL CA")
- Click "Certificate Information Link"
- "Details" tab
From there, I am able to export at one of four levels:
- Builtin Object Token:Thawte Premium Server CA
- thawte Primary Root CA
- Thawte SSL CA
- sb1.geolearning.com
Which one is appropriate?
Also, Adobe's documentation says "The certificate must be an X.509 certificate in Distinguished Encoding Rules (DER) format.", and Chrome's export dialog offers these options:
- Base64-encoded ASCII, single certificate
- Base64-encoded ASCII, certificate chain
- DER-encoded binary, single certificate
- PKCS #7, single certificate
- PKCS #7, certificate chain
- All Files
I assume "DER-encoded binary, single certificate" is appropriate?
Answer 1:
With a Browser
The following generated a certificate that I was able to import using keytool:
- Level: sb1.geolearning.com
- File Type: DER-encoded binary, single certificate
For posterity, here was the command used to import:
sudo keytool -import -keystore /opt/jrun4/jre/lib/security/cacerts -alias "sb1.geolearning.com (Thawte SSL CA)" -storepass changeit -noprompt -trustcacerts -file ~/Downloads/sb1.geolearning.com
Without a Browser
Here's what I'm doing these days (in a Vagrant provisioner). In this script, the keystore is hard-coded, because I'm only using it for Lucee, at the moment; however, the path to the keystore could easily be parameterized. Also, the runfile-related code is just so Vagrant doesn't run the script more than once; those lines are superfluous if you're not using the code as a Vagrant provisioner.
The only thing that really differentiates this from the above solution is that this gets the cert via openssl s_client (and cleans it up with sed) instead of doing so manually, via a browser.
#!/usr/bin/env bash
# pipefail: a failed openssl s_client must not be masked by a succeeding sed,
# otherwise an empty cert file gets "imported" and the runfile is still touched.
set -eo pipefail
description="Add cert to Lucee's keystore."
# Parse --key=value options; the first non-option argument ends parsing.
while :
do
  case $1 in
    --provisioned-dir=*)
      provisioned_dir=${1#*=} # Delete everything up till "="
      shift
      ;;
    --runfile-name=*)
      runfile_name=${1#*=} # Delete everything up till "="
      shift
      ;;
    --site-host-name=*)
      site_host_name=${1#*=} # Delete everything up till "="
      shift
      ;;
    -*)
      echo "WARN: Unknown option (ignored): $1" >&2
      shift
      ;;
    *) # no more options. Stop while loop
      break
      ;;
  esac
done
# Fail early instead of connecting to ":443" or writing the runfile under "/".
: "${site_host_name:?--site-host-name=HOST is required}"
: "${provisioned_dir:?--provisioned-dir=DIR is required}"
: "${runfile_name:?--runfile-name=NAME is required}"
runfile="${provisioned_dir}/${runfile_name}"
if [ -f "${runfile}" ]; then
  echo "${description}: Already run."
  exit 0
fi
echo "add cert to keystore"
# Only the leaf (host) certificate is captured here; add -showcerts to get the
# whole chain. -servername sends SNI so a host on a shared IP returns its own
# certificate. `echo -n |` closes s_client's stdin so it exits after the handshake.
cert_file="$(mktemp "/tmp/${site_host_name}.XXXXXX")"
echo -n | \
  openssl s_client -connect "${site_host_name}:443" -servername "${site_host_name}" \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  > "${cert_file}"
if [ ! -s "${cert_file}" ]; then
  echo "ERROR: no certificate received from ${site_host_name}" >&2
  exit 1
fi
# keytool accepts PEM as well as DER, so no format conversion is needed.
# `|| true` keeps set -e from aborting when the alias already exists; it also
# hides genuine import errors, so check keytool's output on the first run.
/opt/lucee/jdk/jre/bin/keytool \
  -import \
  -keystore /opt/lucee/lib/lucee-server/context/security/cacerts \
  -alias "${site_host_name} (self-signed)" \
  -storepass changeit \
  -file "${cert_file}" \
  -noprompt \
  || true
rm -f "${cert_file}"
touch "${runfile}"
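As an added example (not part of the answer above), here is a script that addresses the two open points of the question, which level to export and in which format, entirely from the command line: it pulls the whole chain the server presents (with SNI), splits it into one PEM file per certificate so you can see which is the host certificate and which is its issuer, prints each one's subject, issuer and SHA-256 fingerprint to compare with the browser's certificate viewer, and imports the chosen file with keytool. Host, port and keystore path are script arguments rather than values from the page, and the two-certificate chain in demo_split is a constructed placeholder, not real certificate data.

```bash
#!/usr/bin/env bash
# Added example: fetch, split, inspect and import a server's certificate chain.
# Usage: ./chain.sh HOST [PORT] [KEYSTORE]   (no arguments: offline demo only)
set -euo pipefail

# split_pem_chain INPUT OUT_PREFIX
# Splits concatenated PEM certificates (what `openssl s_client -showcerts`
# prints, in server order: leaf first, then its issuer(s)) into
# OUT_PREFIX-0.pem, OUT_PREFIX-1.pem, ... and prints how many were written.
# Lines outside BEGIN/END markers (s_client's handshake chatter) are dropped.
split_pem_chain() {
  local input="$1" prefix="$2"
  awk -v prefix="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s-%d.pem", prefix, n); n++ }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$input"
}

# fetch_chain HOST [PORT]
# Writes every certificate the server sends to HOST-chain.pem and prints
# that filename. -servername sets SNI: without it a host on a shared IP may
# hand back a different site's certificate. Needs network access.
fetch_chain() {
  local host="$1" port="${2:-443}"
  echo -n | openssl s_client -connect "${host}:${port}" -servername "$host" \
      -showcerts 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "${host}-chain.pem"
  printf '%s-chain.pem\n' "$host"
}

# describe_cert FILE
# Subject, issuer and SHA-256 fingerprint. Compare the fingerprint with the
# browser's certificate viewer before trusting the file: you are about to
# add it to a trust store, so make sure it is the certificate you think it is.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# import_cert FILE ALIAS KEYSTORE [STOREPASS]
# keytool -importcert accepts PEM or DER, so Chrome's "Base64-encoded ASCII"
# export works as-is. No `|| true`: a duplicate alias should fail visibly.
import_cert() {
  local file="$1" alias="$2" keystore="$3" storepass="${4:-changeit}"
  keytool -importcert -noprompt -trustcacerts \
    -keystore "$keystore" -storepass "$storepass" \
    -alias "$alias" -file "$file"
}

# Offline demo on a constructed two-certificate chain. The bodies are
# placeholders, not real certificates; this only exercises the splitting.
demo_split() {
  local dir
  dir="$(mktemp -d)"
  cat > "$dir/chain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ISSUER-BODY
-----END CERTIFICATE-----
EOF
  split_pem_chain "$dir/chain.pem" "$dir/cert"   # prints 2
}

if [ "$#" -ge 1 ]; then
  host="$1"; port="${2:-443}"; keystore="${3:-}"
  chain="$(fetch_chain "$host" "$port")"
  split_pem_chain "$chain" "${host}-cert" >/dev/null
  for f in "${host}-cert"-*.pem; do
    echo "== $f"
    describe_cert "$f"
  done
  # HOST-cert-0.pem is the host (leaf) certificate, HOST-cert-1.pem its issuer.
  if [ -n "$keystore" ]; then
    import_cert "${host}-cert-0.pem" "$host" "$keystore"
  fi
else
  demo_split
fi
```

Which level to import matters more than the format. Importing the leaf (HOST-cert-0.pem) trusts exactly one host certificate and stops working when the server renews it; importing the issuing CA (HOST-cert-1.pem) survives renewals but also trusts every other certificate that CA issues. Pick the one that matches your risk tolerance, and verify the fingerprint against the browser either way.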
Source: https://stackoverflow.com/questions/15645256/exporting-ssl-certificate-in-linux-browser-or-linux-command-line-for-java-cert