Digital signature not supported when loading a private-key certificate via X509Certificate
Recently I faced a need to exchange SOAP messages with a Java web service where digitally signing messages is mandatory for communication. The process is, as expected, signing messages with a private key in order for the opposite site to validate it with a public one, etc. The only difference this time is that the opposite side is the Authority itself.
I initially created a certificate request using the following command:
openssl req -new -newkey rsa:1024 -keyout myprivatekey.pem -out myrequest.pem
The command above creates the private key and the request for my certificate. Afterwards, I send them (via their site) the certificate request "myrequest.pem" in order for them to authorize the certificate and create the final (and valid) one. When I receive my answer (let's say the authorized certificate "complete.pem"), together with the previously generated myprivatekey.pem I create the .pfx private key, which should be ready for immediate use.
openssl pkcs12 -export -out myprivatekey.pfx -in complete.pem -inkey myprivatekey.pem -name "testcertificate"
The above creates myprivatekey.pfx, which I successfully verify against the certificate. The problems begin when I try to sign my message via Studio 2005 and WSE 3.0 with the following code:
using System.Security.Cryptography.X509Certificates; // X509Certificate2
using Microsoft.Web.Services3.Security.Tokens;        // WSE 3.0 X509SecurityToken
X509Certificate2 cert = new X509Certificate2(path, "pass"); // load the PFX with its password
X509SecurityToken certToken = new X509SecurityToken(cert);  // token used to sign the SOAP message
The SupportsDigitalSignature property of certToken is set to false, so I'm not able to sign my messages and thus cannot continue. Note that the same procedure with a self-signed certificate and a private key I issued myself and loaded in X509SecurityToken seems to support digital signature (property is true).
I guess that it has something to do with the final authorized certificate I get from them, but I'm starting to suspect that I'm doing something wrong.
Any ideas what to check?
Install your certificate to the Windows certificate store (double-click on the PFX file in Explorer). Then go to the Internet Options dialog in Internet Explorer and find the "Certificates" button on the Content tab. In the dialog that opens, find the installed certificate and browse its details. Check the Key Usage field. It must include Digital Signature (or similar words).
Update: as I mentioned in the comment below, if it's the other party that generates the certificate, you can ask them if their software sets the Key Usage extension properly when processing your request. Usually it's the CA's job to set Key Usage, as they authorize you to use this certificate for a certain purpose.
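The same Key Usage check can be done in code before the certificate is handed to WSE, which is useful when you want the application to fail with a clear message instead of a silent SupportsDigitalSignature == false. This is an added example, not code from the original post or from WSE; the PFX path and password are placeholders, and the fallback for a certificate with no Key Usage extension is an assumption (it reports "not proven", rather than guessing what a given stack does).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class KeyUsageCheck
{
    // Returns true only if the certificate carries a private key and its
    // Key Usage extension asserts Digital Signature; 'reason' explains why not.
    public static bool CanSign(X509Certificate2 cert, out string reason)
    {
        if (!cert.HasPrivateKey)
        {
            reason = "no private key is associated with the certificate";
            return false;
        }

        foreach (X509Extension ext in cert.Extensions)
        {
            // .NET decodes OID 2.5.29.15 into X509KeyUsageExtension automatically.
            X509KeyUsageExtension ku = ext as X509KeyUsageExtension;
            if (ku == null) continue;

            // KeyUsages is a flags enum; DigitalSignature is the bit signing needs.
            if ((ku.KeyUsages & X509KeyUsageFlags.DigitalSignature) != 0)
            {
                reason = "Key Usage includes Digital Signature (" + ku.KeyUsages + ")";
                return true;
            }
            reason = "Key Usage is present but lacks Digital Signature (" + ku.KeyUsages + ")";
            return false;
        }

        // Assumption: with no Key Usage extension at all we cannot prove the CA
        // authorised signing, so report it and let the CA set the extension.
        reason = "certificate has no Key Usage extension";
        return false;
    }

    static void Main()
    {
        // Placeholder path and password; substitute the PFX built with openssl pkcs12.
        X509Certificate2 cert = new X509Certificate2("myprivatekey.pfx", "pass");
        string reason;
        bool ok = CanSign(cert, out reason);
        Console.WriteLine((ok ? "OK: " : "Cannot sign: ") + reason);
    }
}
```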
Possibly your certificate does not include Digital Signature as a valid key usage. You can check it with the following command:
When you use the -x509 switch to generate a self-signed certificate, different default extensions are "requested". Check your OpenSSL config file, notably the req_extensions and x509_extensions sections.