How do I determine the list of CA certificates a server will accept from a client?
According to https://wiki.jasig.org/display/CASUM/X.509+Certificates,
After the Server sends the certificate that identifies itself, it can then send a list of names of Certificate Authorities from which it is willing to accept certificates.
I am wondering how to determine what this list is, and how to modify it.
The reason I am asking is that I am getting an infinite redirect between my server and my client after successful validation (i.e., the ticket stage), and I think it has to do with the CAS server not recognizing the CAS client's certificate (the client's certificate is self-signed).
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
Comments (1)
If you want to see what this list is, you can use OpenSSL:
This will show various messages regarding the handshake, including the certificates and the list of CAs in the CertificateRequest message. Ultimately, it's determined by the active X509TrustManager's getAcceptedIssuers() method. By default, this will be the list of Subject DNs of all your trust anchors (that is, the Subject DNs of all the certificates in your trust store).
Your client certificate will have to be verified by the server. This is normally done during the handshake by the trust manager, which (unless tweaked) will build a chain to a known CA (or at least known cert if it's the user cert itself) in the trust store.
Adding your self-signed certificate to your trust store should be sufficient. It doesn't have to be the cacerts file bundled with the JVM, you could make a copy of it and use the trust store settings of Apache Tomcat's connector to set it up.
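The getAcceptedIssuers() behaviour the answer describes can be checked directly from the server side. The following is an added example, not code from the answer or from CAS: a small Java program (hypothetical class name AcceptedIssuers) loads a trust store, optionally adds a self-signed client certificate as an extra trust anchor in memory, and prints the Subject DNs that a JSSE-based server such as Tomcat would advertise in its CertificateRequest. The trust store path, its password and the PEM file are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Prints the CA names a JSSE server would send in its CertificateRequest (example, hypothetical class). */
public class AcceptedIssuers {

    /** Builds the default trust manager for the given store and returns its accepted issuers
     *  (passing null selects the JVM default trust store, i.e. cacerts). */
    static X509Certificate[] acceptedIssuers(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                // For the default PKIX/SunX509 managers this is exactly the set of trust anchors
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <truststore.jks> <password> [client-cert.pem]
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        if (args.length > 2) {
            // Add the self-signed client certificate as a trust anchor (in memory only, nothing is written)
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (FileInputStream in = new FileInputStream(args[2])) {
                ks.setCertificateEntry("cas-client", cf.generateCertificate(in));
            }
        }
        // Each line printed here is one name the server would list as an acceptable client CA
        for (X509Certificate anchor : acceptedIssuers(ks)) {
            System.out.println(anchor.getSubjectX500Principal());
        }
    }
}
```

Run it once without the PEM argument and once with it: the client's self-signed Subject DN should appear only in the second run, which is the change the server needs. To make it permanent, import the certificate into a copy of cacerts with keytool -importcert and point the Tomcat connector at that file with its truststoreFile and truststorePass attributes.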