
Link between private key and signed certificate in keystore

I am doing the Jetty SSL configuration.

I have created a CSR using keytool, which has added a private key to the keystore.

Received the certificate based on the CSR, converted the certificate to DER format and imported the certificate into the keystore as trustcacerts.

The signed certificate has the root/intermediate certificates in the certificate path.

I also installed the root and intermediate certificates in IE under the trusted root certificates after converting them into DER format.

While using https, the browser shows a certificate error and considers the certificate a self-signed certificate.

Question

Does this mean the installed signed certificate is not considered since the certificate does not have the root/intermediate certificate in the certificate path?

Though the signed certificate received from the CA has the link to the root/intermediate certificate in the certificate path.

Please suggest if anything is wrong in the process. Adding the keytool commands followed for this.

Created keystore

keytool -keystore serverdns.keystore -alias server -genkey -keyalg RSA -keysize 2048

Create CSR

keytool -certreq -alias server -keystore serverdns.keystore -file server.csr

Installing signed certificate

keytool -import -trustcacerts -alias cert -keystore serverdns.keystore -file signedcert.der.cer

I have tried using the same alias 'server' while installing the signed certificate, but it failed with the error

keytool error: java.lang.Exception: Failed to establish chain from reply

You need to import the signed certificate using the same alias as the private key and the CSR. Otherwise there is no connection between them, and the new certificate is just another certificate. You should not use -trustcacerts for this step, and if you are asked whether to trust the certificate you've got the alias wrong.

keytool error: java.lang.Exception: Failed to establish chain from reply

Take a look at the option -trustcacerts, if your CA is in the truststore. Also, you should have to add the CA's intermediate certificates to your keystore before signedcert.der.cer.
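The import order and alias handling described in the two answers, with a check on the result, as an added example that is not part of the original posts. The file names root.der.cer and intermediate.der.cer, the aliases "root" and "intermediate", and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. KEYSTORE, alias "server" and signedcert.der.cer come from the
# question; the CA file names and CA aliases below are assumed.
KEYSTORE=serverdns.keystore

# CA certificates go in first as trusted entries; the CA reply is then imported
# under the SAME alias as the private key so it replaces the self-signed cert.
import_chain() {
    keytool -import -trustcacerts -alias root -keystore "$KEYSTORE" -file root.der.cer
    keytool -import -trustcacerts -alias intermediate -keystore "$KEYSTORE" -file intermediate.der.cer
    keytool -import -alias server -keystore "$KEYSTORE" -file signedcert.der.cer
}

# Reads `keytool -list -v` output on stdin and classifies one alias as:
#   missing | trusted-only | self-signed | chained
check_alias() {
    awk -v want="$1" '
        /^Alias name: / { cur = substr($0, 13); n = 0 }
        cur != want     { next }
        /^Entry type: / { type = substr($0, 13) }
        /^Owner: /      { n++; if (n == 1) owner = substr($0, 8) }
        /^Issuer: /     { if (n == 1) issuer = substr($0, 9) }
        END {
            if (type == "")                     print "missing"
            else if (type != "PrivateKeyEntry") print "trusted-only"
            else if (owner == issuer)           print "self-signed"
            else                                print "chained"
        }'
}

# Constructed listing (abridged) of the keystore state the question describes:
# the key entry still holds the -genkey certificate, the CA reply sits elsewhere.
sample_listing() {
    cat <<'EOF'
Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=server.example.com
Issuer: CN=server.example.com
Alias name: cert
Entry type: trustedCertEntry
Owner: CN=server.example.com
Issuer: CN=Example Intermediate CA
EOF
}

sample_listing | check_alias server   # prints: self-signed
```

Against a real keystore, run `keytool -list -v -keystore serverdns.keystore | check_alias server`; the server should only be started once the result is `chained`.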
