客户端 SSL 身份验证导致 IIS 出现 403.7 错误
我正在尝试连接到配置为通过 SSL 客户端证书对用户进行身份验证的 Web 服务(不受我的控制)。我有一个 PKCS12 格式的有效证书,其中包含客户端证书和关联的私钥。该证书由 Web 服务提供商接受的 CA 颁发。
安装证书并尝试在各种浏览器中访问受限区域会产生以下结果:
IE6 - 工作正常,我可以检索 WSDL
IE7 -提示输入证书,但随后从服务器返回 403.7 失败
Firefox3 - 设置为询问,但没有提示,并返回 403.7 失败< /p>
Safari 4 - 证书已安装在钥匙串中,但没有提示且 403.7
此外,尝试以编程方式 (Java) 访问 Web 服务失败,并出现相同的 403.7 错误代码。
奇怪的是,这在 IE6 中有效,但在其他浏览器中无效,我错过了什么?我是否需要在 PKCS12 文件中包含完整的 CA 证书链?
任何帮助将不胜感激。
I'm trying to connect to a web service (not under my control) configured to authenticate users via SSL client certs. I have a valid certificate in PKCS12 format containing the client certificate and associated private key. The certificate is issued by a CA accepted by the web service provider.
Installing the certificate and trying to access the restricted area in various browsers gives the following results:
IE6 - Works fine and I can retrieve the WSDL
IE7 - Prompts for the certificate but then fails with a 403.7 from the server
Firefox3 - Set to ask, but no prompt and fails with a 403.7
Safari 4 - Certificate is installed in the Keychain, but no prompt and a 403.7
Also, trying to access the web service programmatically (Java) fails with the same 403.7 error code.
Strange that this works in IE6 but in no other browser, what am I missing? Do I need to include the full CA certificate chain in the PKCS12 file?
Any help would be greatly appreciated.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
好的,成功了。答案是肯定的,我确实需要将所有中间 CA 证书包含在 PKCS12 文件中。我将所有中间 CA 证书加上文件“chain.pem”中的根 CA 证书连接起来,然后执行以下命令:
Ok, got this working. The answer is yes, I did need to include all intermediary CA certs in the PKCS12 file. I concatenated all the intermediary CA certs plus the Root CA cert in the file "chain.pem" then executed the following command:
这真的有效!如果您对 -inkey 和 -in 选项感到困惑,它们是 p12 文件中的私钥和证书。您可以使用以下命令将 p12 文件转换为 pem 格式:
并仅将上述命令与“-in file.pem”一起使用。
另外,您可以将根 CA 证书导入到受信任的证书存储中,以下是如何执行此操作的说明:http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl,然后您就不必手动复制证书。安装证书后,使用上面的命令,而不使用“-CAfile chain.pem”。
This really works! If you're confused by the -inkey and -in options, they are the private key and certificate from the p12 file. You can convert the p12 file to pem format with:
and use the above command with "-in file.pem" only.
Also, you can import the root CA cert into your trusted certs store, here is the description how to do that: http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl, and then you don't have to manually copy the certificates. After installing the cert use the command above without the "-CAfile chain.pem".