Making your own CA certificate
Source: Internet   Published under: Codemao attends a UN meeting   Editor: Programmer Blog Network   Time: 2024/04/28 03:32
Reference: liang.iteye.com/blog/2003057
After deploying the certificate in Tomcat, the browser reported a weak signature algorithm. Baidu turned up no fix at all, so I googled "Weak signature" and found the solution here:
http://michaelwyres.com/2012/05/chrome-weak-signature-algorithm-solved/
The solution? Change the hashing from MD5 to SHA512. If you create your certificates directly from the command line, use the -sha512 switch instead of the -md5 switch – for example: "openssl req -new -x509 -sha512 -nodes -out server.crt -keyout server.key". If using an "openssl.cnf" configuration file, make sure all "default_md" directives have "sha512" as their values: "default_md = sha512". Your new keys should now be signed with SHA512 instead of MD5, and no more complaints from Google Chrome about the weak algorithm.
P.S. CMD commands (typed by hand)
set OPENSSL_CONF=openssl.cnf
openssl.exe (the commands below are entered at the OpenSSL> prompt)
Create the CA root certificate:
req -new -x509 -sha512 -nodes -days 3650 -out ca.crt -keyout ca.key
pkcs12 -export -inkey ca.key -in ca.crt -out ca.p12
Generate a certificate request and sign it with the CA root certificate:
req -new -key server_21.key -out server_21.csr -days 3650 -extensions v3_req -config openssl-21.cnf
ca -in server_21.csr -out server_21.crt -cert ca.crt -keyfile ca.key -config openssl-21.cnf
pkcs12 -export -inkey server_21.key -in server_21.crt -out server_21.p12
Note: -extensions v3_req adds the SubjectAltName list. If you have not set copy_extensions=copy under the [CA_default] section in the openssl.cnf file, the signed certificate will not include any of the certificate extensions that were in the original CSR.
Reference posts:
http://apetec.com/support/GenerateSAN-CSR.htm
http://documentation.progress.com/output/Iona/artix/5.5/security_guide_java/i382674.html
Revoke:
ca -cert ca.crt -keyfile ca.key -revoke server_29.crt
Inspect the request:
req -text -noout -in server_21.csr
Problem 1:
java.security.cert.CertificateException: No subject alternative names present
Solution:
Use -extensions v3_req to include the SubjectAltName list.
Problem 2:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
	... 31 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Solution:
Add the root certificate to the JRE's trusted certificate store (run cmd as administrator):
keytool -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts" | find "myca"
keytool -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -delete -alias myca
keytool -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -import -alias gcidesignca -file ca.crt
Problem 3:
IP address as subjectaltname does not work with IE8 but works with firefox
Solution: Apparently, to make IE work, you need to use subjectAltName=DNS:10.0.0.1 instead of subjectAltName=IP:10.0.0.1.
Actually, to make all web browsers work, you'll want to use subjectAltName=DNS:10.0.0.1,IP:10.0.0.1.
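The whole procedure above (SHA-512 signing, copy_extensions, and the DNS+IP SubjectAltName from Problem 3) as a runnable POSIX shell script, added here as an example rather than the post's own commands: it writes a constructed minimal openssl.cnf, issues a server certificate through openssl ca, then checks the signature digest, the SAN and the chain the way a deployer would before trusting the result. It assumes openssl on PATH; the CN values and file names are made up.

```shell
# Added example (not the post's own commands): throwaway CA plus a SAN-bearing
# server certificate, built in a temp dir whose path is printed. Assumes openssl on PATH.
make_certs() (
  set -e
  work=$(mktemp -d) && cd "$work"
  mkdir newcerts && : > index.txt && echo 01 > serial
  # Constructed minimal openssl.cnf: default_md = sha512 avoids the MD5 "weak
  # signature" complaint; copy_extensions = copy carries the CSR's SAN into the cert.
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = sha512
default_days = 3650
policy = policy_any
copy_extensions = copy
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = test-server
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ v3_req ]
subjectAltName = DNS:10.0.0.1,IP:10.0.0.1
EOF
  openssl req -new -x509 -sha512 -nodes -days 3650 -newkey rsa:2048 -subj /CN=myca \
    -extensions v3_ca -keyout ca.key -out ca.crt -config openssl.cnf 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -config openssl.cnf 2>/dev/null           # req_extensions = v3_req adds the SAN
  openssl ca -batch -in server.csr -out server.crt -cert ca.crt -keyfile ca.key \
    -config openssl.cnf 2>/dev/null
  echo "$work"
)
# Checks a deployer would run: signature digest, SAN contents, chain to the CA.
sig_alg() { openssl x509 -in "$1" -noout -text | sed -n 's/ *Signature Algorithm: //p' | head -n 1; }
san_of() { openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//p;}'; }
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }
```

The CSR's extensions come from req_extensions in the [req] section (equivalently -reqexts on the command line); on OpenSSL releases where -extensions and -reqexts are still distinct options, -extensions only applies when req is producing a certificate with -x509, so a CSR made with -extensions alone can end up without the SAN.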
(to be supplemented)