带有自签名 CA 的客户端 SSL 不起作用
我已经被 SSL 问题困扰了 1 个多月。
我们使用 openssl 生成我们自己的 CA、服务器和客户端证书。我们还有 在 Apache Web 服务器上启用“SSLrequire”(在 htaccess 中这可能是错误的),这意味着任何尝试通过 https 进行连接的人 服务器需要出示有效的证书,
步骤如下;
- 生成 CA 密钥
- 生成 CA CSR
- 使用 CA 密钥对 CA CSR 进行签名,
这样我们就拥有了自己的 CA,用于对我们的服务器和客户端证书进行签名。
下一步
- 生成服务器密钥
- 生成服务器 CSR
- 使用 CA 密钥签署服务器 CSR
这样我们就有了服务器证书和证书我们在服务器上成功安装的服务器私钥
接下来我们
- 生成客户端密钥
- 生成客户端 CSR
- 使用 CA 密钥签署客户端 CSR
然后我们将客户端证书与 CA 证书一起分发给我们的用户。 两者都安装在浏览器中。
尝试连接时,我们收到“对等方无法识别和信任颁发您证书的 CA。 “错误。
我们发现问题是服务器上未安装自签名 CA 证书。通常服务器上 将向尝试连接的设备提供受信任的 CA 列表,并且设备必须发送证书 已由服务器提供的任何 CA 签名。但是由于我们自签名的 CA 证书 服务器上没有安装,浏览器可以提供一个可以被服务器接受的证书 服务器。
因此,我们继续在服务器控制面板 Hsphere 上安装 CA 证书。
我们获取 ca 证书的内容并将其复制到服务器上的“证书颁发机构文件”文本区域中 并且服务器每次都不会接受它,抱怨“无法更新 SSL 配置不同的密钥和证书”
CA 证书是自己签名的,所以服务器怎么能说证书和密钥不同。
我们还尝试将 CA 证书文件和 CA 密钥文件的内容复制到“证书颁发机构文件”文本区域中,但这也行不通。
正如我所说,我们已经为此奋斗了一个多月。如果有人可以提供帮助,我们将不胜感激。 如果我们需要支付服务费用,请告知我们。
提前致谢。
I have been struggling with an SSL problem for more than 1 month.
We have used openssl to generate our own CA, server and client certificates. We have also
enable "SSLrequire" on the Apache web server (in htaccess this may be wrong), which means that anyone trying to connect through https on the
server needs to present a valid certificate
The step are as follows;
- generate the CA key
- generate the CA CSR
- sign the CA CSR with the CA Key
so we have our own CA which is used to sign our server and client certificates.
next step
- generate server key
- generate server CSR
- sign server CSR with CA Key
So we have our server certificate & server private key which we installed succesfully on the server
Next we
- generate client key
- generate client CSR
- sign client CSR with CA Key
We then distribute the client certificate to our users together with the CA certificate.
Both were install in their browsers.
When trying to connect we got the "Peer does not recognize and trust the CA that issued your certificate.
" error.
We identified the problem being that the self signed CA certificate was not installed on the server. Normally the server
will present a list of trusted CA to the device trying to connect to it and the device will have to send a certificate
that has been signed by any of the CAs' the server has presented. But since our self signed CA certificate
was not installed on the server, the browser could present a certificate that would be acceptable by the
server.
So we went on the install the CA cert on the server - control panel Hsphere.
We took the content of the ca certificate and copied it in the "Certificate Authority File" textarea on the server
and the server wouldn't accept it everytime complaining "Failed to update SSL Config Different key and certificate"
The CA certificate has been signed by itself so how can the server say that the certificate and key are different.
We also tried to copy the content of both the CA certificate file and the CA key file into the "Certificate Authority File" textarea, but that also wouldn't work.
As i said we have been struggling with that for more than one month. If anyone can help that would be really appreciated.
If we have to pay for the service please let us know.
Thanks in advance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
(也许 https://serverfault.com/ 是解决这个问题的更好地方。)
以下是您可以在 Apache 中使用的一些选项httpd 配置(我不确定它是如何映射到您的配置面板的)。
SSLCertificateFile和SSLCertificateKeyFile是在服务器上启用 SSL 的基本要求。由于您需要客户端证书身份验证,因此需要配置
SSLCACertificatePath(对于目录)或SSLCACertificateFile(对于文件)之一来说明您想要信任的 CA,所以在那里添加您的 CA 证书。这些应该是 PEM 格式的文件。其中的任何证书都将被视为受信任(尽管它可能需要具有 CA 基本约束,我不记得了,如果您自己生成了根 CA 证书,那么这是相当标准的)。除此之外,您还可以将证书放入
SSLCADNRequestFile中。这不是必需的,因为它是从SSLCACertificatePath或SSLCACertificateFile证书指令自动填充的,但如果您希望对服务器公布的 CA 列表进行更多控制,它可能会接受,那就是要做的事情。需要澄清的是,这不是管理客户端证书信任的内容,而是管理服务器通告它可能信任的内容,因此您仍然需要SSLCACertificatePath或SSLCACertificateFile。也许您的配置面板中的“证书颁发机构文件”选项控制着该选项,而不是其他两个选项之一。调试此问题的一种方法是在命令行中执行此操作:
这应该首先列出您提供的证书链(最好将完整的链提供给 CA,因为某些客户端有时似乎需要它,例如据我所知)。然后,它应该列出愿意接受客户端证书身份验证的 CA,否则不发送客户端证书 CA 名称(在这种情况下,上述指令之一存在问题)。这至少会告诉您如何配置
SSLCADNRequestFile或SSLCACertificatePath/SSLCACertificateFile(尽管最后两个很重要)。(Perhaps https://serverfault.com/ would be a better place for this question.)
Here are a few options you can use in the Apache Httpd configuration (I'm not sure how this is mapped to your configuration panel).
SSLCertificateFileandSSLCertificateKeyFileare the basic requirements to enable SSL on your server.Because you want client-certificate authentication, you need to configure one of
SSLCACertificatePath(for a directory) orSSLCACertificateFile(for a file) to say which CAs you want to trust, so add you CA certificate there. These should be files in the PEM format. Any certificate in there will be considered as trusted (although it may need to have the CA basic constraint, I can't remember, that's quite standard if you've generated a root CA certificate yourself anyway).In addition to this, you can put certificates in a
SSLCADNRequestFile. This shouldn't be necessary, as it's populated automatically from theSSLCACertificatePathorSSLCACertificateFilecertificate directives, but if you want more control on the list of CAs the server advertises it may accept, that's where to do it. Just to clarify, this is not what manages the trust in client certificates, but just what the server advertises it may trust, so you still needSSLCACertificatePathorSSLCACertificateFile. Perhaps you "Certificate Authority File" option in your configuration panel controls that and not one of the other two options.One way to debug this is to do this one the command line:
This should list the certificate chain you present first (it would be good for it to present the full chain up to the CA, as some clients seem to need it sometimes, as far as I remember). Then, it should list the CAs it's willing to accept for client-certificate authentication, or No client certificate CA names sent otherwise (in which case there's a problem with one of the directives mentioned above). This will give you at least an indication of how
SSLCADNRequestFileorSSLCACertificatePath/SSLCACertificateFilehave been configured (although it's the last two that matter).