安装自签名p12证书后,在firefox上获取ssl_error_bad_cert_alert
[英]Getting ssl_error_bad_cert_alert on firefox after installing self signed p12 certificate
问题描述
I am doing a tutorial on Mutual SSL authentication using tomcat. 
我正在使用tomcat进行相互SSL身份验证的教程。 I tried google and stackoverflow for the answer but I haven't been lucky so far. 我尝试了谷歌和stackoverflow的答案,但到目前为止我还不幸运。 I have done the following steps 我已经完成了以下步骤
1. Generated a self signed Certificate using the command as... 1.使用命令生成自签名证书...
keytool -genkey -v -alias tomcat -keyalg RSA -validity 3650 -keystore D:\server.keystore -dname "CN=KeshavServer,OU=AppDev,O=Netambit,L=Noida,S=UP,C=IN" -storepass server123 -keypass server123
Result(DOS Output): 结果(DOS输出):
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days for: CN=KeshavServer, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
New certificate (self-signed):
[
[
Version: V3
Subject: CN=KeshavServer, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 169745031109692228700332160907879660712549791227819060217679327134557
60724387920644418620368961814809125561438164385172820012631533276651192871536066
44484789458740611952365817466495640787815691991239210085729312562284526930712191
68874744017392521167643053301439564836240073082909781032758910760996909343586608
99178037089977353808963798076122662239868847716719923568980681140353282369676681
53737103284233931190726847482006084262000642602659963850552605206369455374224663
42718874198088754429094645464054866254482989193982685337964154043630072713972109
68332098433075932439269617793403644275259520886009675985568022246951
public exponent: 65537
Validity: [From: Mon Aug 12 12:16:13 IST 2013,
To: Thu Aug 10 12:16:13 IST 2023]
Issuer: CN=KeshavServer, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
SerialNumber: [ 713ab315]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D6 0E 1F 23 B2 11 92 D2 19 7B C9 AA 19 EF 82 EB ...#............
0010: A6 0C 35 57 ..5W
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 4C 36 84 CD FE 2C 11 4B 88 C1 AE 3A 7A 6A A1 C4 L6...,.K...:zj..
0010: 2C 6E F5 73 33 64 57 06 04 7F AC 1B D6 CA BF E0 ,n.s3dW.........
0020: D2 88 09 A9 B8 4D 70 EE 73 6E 02 45 33 83 42 1E .....Mp.sn.E3.B.
0030: C4 8E 67 F3 51 D7 9C 53 08 CD C7 EA 4B BC 27 0D ..g.Q..S....K.'.
0040: 17 36 9B 12 4A F7 F7 23 0E C2 51 0A 18 06 B5 80 .6..J..#..Q.....
0050: 1C 44 17 0D 99 14 6E 27 40 30 56 DF 31 D9 CC 15 .D....n'@0V.1...
0060: 46 7C 72 C2 54 CE 2E 2B 41 94 19 54 9B 3A F7 85 F.r.T..+A..T.:..
0070: 96 CE 5F 80 C5 A5 02 AE 09 17 A5 C3 E4 A6 BB 63 .._............c
0080: A3 EF 99 4F BC A4 FF 4F 2B BD 46 E5 BE 57 C7 BD ...O...O+.F..W..
0090: 85 54 F9 B1 5F 01 18 07 9F DD 02 99 91 B3 35 FB .T.._.........5.
00A0: 62 74 2A 0A 37 8A 9B 0D E8 BF B4 24 CE 24 12 8A bt*.7......$.$..
00B0: 22 68 39 90 BD 02 24 A4 E9 9B 52 E1 AA 76 1D 16 "h9...$...R..v..
00C0: 91 2A 60 49 D3 F6 91 0A 01 E4 98 1B BB EB B7 E5 .*`I............
00D0: E3 DF 39 B8 73 02 C3 1D EA 95 D1 95 A7 27 53 FC ..9.s........'S.
00E0: 28 2B 21 50 90 BF 48 9A 25 92 28 D8 EC FE 82 60 (+!P..H.%.(....`
00F0: B9 21 28 B3 1A 37 B6 79 17 8B FF 4C 0B C1 6D 0C .!(..7.y...L..m.
]
[Storing D:\server.keystore]
2. Generated the developer key by using the command as... 2.使用命令生成开发人员密钥为...
keytool -genkey -v -alias developerKey -keyalg RSA -storetype PKCS12 -keystore dev.p12 -dname "CN=KeshavClient,OU=AppDev,O=Netambit,L=Noida,S=UP,C=IN" -storepass dev123 -keypass dev123
Result(DOS Output):
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) wi
th a validity of 90 days
for: CN=KeshavClient, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
New certificate (self-signed):
[
[
Version: V3
Subject: CN=KeshavClient, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 257861330490904259854513552509935970316490717846991127699603148980652
01114722960469328519589253139525292368465436006354129813882061510118729695295380
60706390500779076802188937858019079525575493711793923541823056735274180328061957
20693618061100873813154701306998418961615717804323475393466678818363454317730604
32071710089666113885067366725913386597296681138020057906688646996872449490785655
01898351843152376966821908896570275550705585694195185294854938453556896208850780
54361881798687601045808741784626686357148783050499722574071065943861302398542177
91929018282855348848062666985932392623629290470810910913665654471519
public exponent: 65537
Validity: [From: Mon Aug 12 12:16:26 IST 2013,
To: Sun Nov 10 12:16:26 IST 2013]
Issuer: CN=KeshavClient, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
SerialNumber: [ 503c03cf]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AD 4A E3 0E 3D E9 DB B0 8E DF 8F 66 34 28 AE AF .J..=......f4(..
0010: 34 63 F2 4C 4c.L
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 91 79 CF CC 0F FD CA BB 2A 60 5E 87 8F 2F 6D B6 .y......*`^../m.
0010: DD 71 05 6A B1 21 DB B0 B0 0F D7 3E 7A DB 12 84 .q.j.!.....>z...
0020: 3A C0 63 1B C1 FE FD C5 60 27 E3 2E 14 A0 38 2C :.c.....`'....8,
0030: EE 82 8C 6E 13 05 8A BC 24 2F A1 4F 5C 25 24 10 ...n....$/.O\%$.
0040: EC 5A D1 E3 23 AC 51 BA D4 33 6C AF AF A2 68 2F .Z..#.Q..3l...h/
0050: 29 4F 33 F9 0A 56 C1 83 0C 07 30 14 40 A2 CF 17 )O3..V....0.@...
0060: B1 A1 18 AD 51 76 EA 8E D6 6E 50 4E 7A 7C F5 89 ....Qv...nPNz...
0070: B1 73 F4 05 D2 E9 1B 94 48 2F 65 30 33 F4 1B 28 .s......H/e03..(
0080: AA 36 4C 11 52 C5 2A 9D 4A 11 6D FA 9B C6 09 37 .6L.R.*.J.m....7
0090: A1 CC AC A3 67 B1 60 E6 65 F1 0C 98 0E 5E C0 89 ....g.`.e....^..
00A0: BD 54 98 81 51 DB 6C 53 A5 8C AD 05 57 60 46 20 .T..Q.lS....W`F
00B0: 5E 60 74 58 F8 88 2A 46 F6 F5 5A D3 20 FC 9E FA ^`tX..*F..Z. ...
00C0: 8D 14 A8 72 99 F5 FF 9E 0B 5B F9 68 77 30 75 93 ...r.....[.hw0u.
00D0: 3E 7A 16 38 55 11 30 D6 A1 39 97 97 DB 86 B8 9E >z.8U.0..9......
00E0: 3F 08 84 93 A3 A7 E0 4F 6D 07 A2 E6 F9 09 E8 3B ?......Om......;
00F0: 6C 86 F2 26 F6 20 04 D9 92 66 DC 3B 69 FA 75 30 l..&. ...f.;i.u0
]
[Storing dev.p12]
3 Exported and saved the certificate in dev.cer keytool -export -alias developerKey -keystore dev.p12 -storetype PKCS12 -storepass dev123 -rfc -file dev.cer 3在dev.cer中导出并保存证书 keytool -export -alias developerKey -keystore dev.p12 -storetype PKCS12 -storepass dev123 -rfc -file dev.cer
Result(DOS Output):
Certificate stored in file <dev.cer>
4.Imported dev.cer in the keystore as using the command as... and selected y keytool -import -v -file dev.cer -keystore tomcat.keystore -storepass server123 4.使用命令将密钥库中的dev.cer导入...并选择y keytool -import -v -file dev.cer -keystore tomcat.keystore -storepass server123
Result(DOS Output):
Owner: CN=KeshavClient, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
Issuer: CN=KeshavClient, OU=AppDev, O=Netambit, L=Noida, ST=UP, C=IN
Serial number: 503c03cf
Valid from: Mon Aug 12 12:16:26 IST 2013 until: Sun Nov 10 12:16:26 IST 2013
Certificate fingerprints:
MD5: 7A:CE:AD:78:31:12:89:3A:20:94:01:63:5C:E6:6D:48
SHA1: 4C:E3:4A:CF:93:EF:69:46:AD:01:B1:AC:22:F4:E6:91:B5:62:D1:C3
SHA256: D1:E6:20:9C:A7:3C:82:46:7A:2A:E6:61:1E:30:E3:F0:B9:E6:F0:03:DA:
19:87:B4:6F:F2:B1:BE:D3:89:A8:2B
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AD 4A E3 0E 3D E9 DB B0 8E DF 8F 66 34 28 AE AF .J..=......f4(..
0010: 34 63 F2 4C 4c.L
]
]
Trust this certificate? [no]: y
Certificate was added to keystore
[Storing tomcat.keystore]
5.Added the connecter entry to server.xml as... 5.添加到server.xml的连接器条目为...
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="D:/server.keystore" keystorePass="server123"
truststoreFile="D:/server.keystore" truststorePass="server123"
clientAuth="true" sslProtocol="TLS" />
6. Started Tomcat, firefox and on Tools->Options->Advanced->View Certificates->Your Certificate->import, imported the dev.p12 file Result: asked me for the password which I entered as dev123 then i hit next, next till finish 6.启动Tomcat,firefox和工具 - >选项 - >高级 - >查看证书 - >您的证书 - >导入,导入dev.p12文件结果:问我输入的密码是dev123然后我点击下一步,接下来直到完成
Final Result on opening https://localhost:8443/CertificatePOC/
Secure Connection Failed
An error occurred during a connection to localhost:8443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)
If in the server.xml I change the attribute clientAuth to false then the web page opens correctly. 如果在server.xml中我将属性clientAuth更改为false,则网页将正确打开。
Any help will be appreciated I am using tomcat7 with eclipse indigo OS windows 7 If any more details/screenshot is required I will happily provide 任何帮助将不胜感激我正在使用tomcat7与eclipse indigo OS Windows 7如果需要更多细节/截图我会很乐意提供
1 个解决方案
解决方案1
4 2014-12-02 15:48:17
The ssl_error_bad_cert_alert error in this case means the server doesn't trust your self-signed cert. 在这种情况下,ssl_error_bad_cert_alert错误意味着服务器不信任您的自签名证书。 One way to solve this is to generate certs and CSR's, and then sign them with a local development CA. 解决此问题的一种方法是生成证书和CSR,然后使用本地开发CA对其进行签名。 Then you just add your dev CA to the JVM truststore. 然后,您只需将您的开发CA添加到JVM信任库。 It is slightly more setup, but is more flexible (eg, you can create signed certs for a whole development team, test revocation via OCSP/CRL, etc). 它稍微有点设置,但更灵活(例如,您可以为整个开发团队创建签名证书,通过OCSP / CRL测试撤销等)。
These steps are copied from my history and probably require changes: 这些步骤是从我的历史记录中复制的,可能需要更改:
Create a local dev CA 创建本地开发CA.
openssl genrsa -out ca.key -aes256 -passout pass:changeit 4096
openssl req -new -x509 -key ca.key -config openssl.conf -days 3560 -sha256 -out ca.pem -passin pass:changeit
openssl rsa -in ca.key -out ca.key -passin pass:changeit
Generate client and server keystores with a keypair in each 生成客户端和服务器密钥库,每个密钥对都包含密钥对
keytool -genkey -keyalg RSA -alias client -keystore client.jks -storepass changeit -validity 1000
keytool -genkey -keyalg RSA -alias tomcat -keystore ~/.keystore -storepass changeit -validity 1000
Generate client and server cert signing requests (csr) based on above keystore keypairs 根据以上密钥库密钥对生成客户端和服务器证书签名请求(csr)
keytool -certreq -v -alias client -keystore client.jks -storepass changeit -file client.csr
keytool -certreq -v -alias tomcat -keystore ~/.keystore -storepass changeit -file tomcat.csr
Sign the requests (create certs) for client/server csr's 为客户端/服务器csr签署请求(创建证书)
openssl x509 -req -CA ca.pem -CAkey ca.key -in client.csr -out client.cer -days 1000 -CAcreateserial
openssl x509 -req -CA ca.pem -CAkey ca.key -in tomcat.csr -out tomcat.cer -days 1000 -CAcreateserial
Import the CA cert into client/server keystores (possibly not necessary, since it must be added to truststore anyway) 将CA证书导入客户端/服务器密钥库(可能没有必要,因为它必须始终添加到truststore)
keytool -import -keystore client.jks -file ca.pem -alias rootca
keytool -import -keystore ~/.keystore -file ca.pem -alias rootca
Import the client and server certs into their respective keystores 将客户端和服务器证书导入其各自的密钥库
keytool -import -keystore client.jks -file client.cer -alias client
keytool -import -keystore ~/.keystore -file tomcat.cer -alias tomcat
Convert the client cert to a p12 (PKCS12) so it can be imported into firefox or wherever 将客户端证书转换为p12(PKCS12),以便可以将其导入到Firefox或任何地方
keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -srcalias client -destalias client -srckeypass changeit -destkeypass changeit -noprompt
Import the CA cert into the JVM truststore 将CA证书导入JVM信任库
sudo keytool -import -trustcacerts -alias suter-dev-ca -file ca.pem -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_60.jdk/Contents/Home/jre/lib/security/cacerts
Optionally, import the CA cert into your browser. (可选)将CA证书导入浏览器。
Your post was hard to read because of the formatting. 由于格式化,您的帖子很难阅读。 Hope this helps. 希望这可以帮助。
Sources: http://shib.kuleuven.be/docs/ssl_commands.shtml , https://docs.oracle.com/cd/E19509-01/820-3503/ggezy/index.html 资料来源: http : //shib.kuleuven.be/docs/ssl_commands.shtml,https : //docs.oracle.com/cd/E19509-01/820-3503/ggezy/index.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.