
How to display a root digital certificate on browsers?

The steps

  1. generate a root cert

    a. openssl genrsa -out root-key.key 1024
    b. openssl req -new -out root-req.csr -key root-key.key -keyform PEM
    c. openssl x509 -req -in root-req.csr -out root-cert.cer -signkey root-key.key -CAcreateserial
    d. openssl pkcs12 -export -clcerts -in root-cert.cer -inkey root-key.key -out root.p12

  2. generate a server cert and sign it using the root cert

    a. openssl genrsa -out server-key.key 1024
    b. openssl req -new -out server-req.csr -key server-key.key
    c. openssl x509 -req -in server-req.csr -out server-cert.cer -signkey server-key.key -CA root-cert.cer -CAkey root-key.key -CAcreateserial -days 3650
    d. openssl pkcs12 -export -clcerts -in server-cert.cer -inkey server-key.key -out server.p12

  3. convert the server cert to JKS

    a. keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore server.jks

  4. configure Tomcat

      <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="server.jks" keystoreType="JKS" keystorePass="123456" keyAlias="server"/>

  5. start Tomcat and open the browser to browse it.

The question is: the browser displays "unknown authority" (the server cert is issued by the root, but the browser doesn't display the cert chain, only the server cert)?

The browser doesn't know the cert issuer, but some websites can show the cert issuer (I didn't install the root cert of the website on my computer, I'm pretty sure!!)

But another web site can display the root cert ( https://kyfw.12306.cn/otn/ )

My cert in browser


Another website (can show the cert chain; I am pretty sure I didn't install its cert on my computer)

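An added, self-checking version of the procedure above (example code, not the poster's commands). It assumes a scratch directory WORK, the file names from the question, CN=localhost for the server and the placeholder export password changeit. It differs from the steps above in three places: the server certificate is signed with -CA/-CAkey only (openssl x509 self-signs and ignores -CA when -signkey is also present), both certificates carry basicConstraints/keyUsage/SAN extensions, and the PKCS#12 bundle includes the root so the keystore entry, and therefore Tomcat, can send the whole chain.

```shell
#!/bin/sh
# Added example, not the poster's commands. Builds a root CA and a server certificate
# that chains to it, then checks the chain offline with openssl before keytool import.
set -eu
WORK=${WORK:-$(mktemp -d)}      # hypothetical scratch directory

make_chain() {
    cd "$WORK"
    # Extension profiles (unnamed "default" section syntax, read via -extfile).
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > ca.ext
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:localhost' 'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' > server.ext

    # 1. root CA: self-signed, with the CA extensions.
    openssl genrsa -out root-key.key 2048 2>/dev/null
    openssl req -new -key root-key.key -subj '/CN=Example Test Root CA' -out root-req.csr
    openssl x509 -req -in root-req.csr -signkey root-key.key -days 3650 \
        -extfile ca.ext -out root-cert.cer 2>/dev/null

    # 2. server cert: signed by the root key (no -signkey, which would self-sign).
    openssl genrsa -out server-key.key 2048 2>/dev/null
    openssl req -new -key server-key.key -subj '/CN=localhost' -out server-req.csr
    openssl x509 -req -in server-req.csr -CA root-cert.cer -CAkey root-key.key \
        -CAcreateserial -days 825 -extfile server.ext -out server-cert.cer 2>/dev/null

    # 3. PKCS#12 with the root included (-certfile) so keytool imports the chain;
    #    -name server matches keyAlias="server" in the Tomcat connector.
    openssl pkcs12 -export -in server-cert.cer -inkey server-key.key -certfile root-cert.cer \
        -name server -passout pass:changeit -out server.p12
}

# Succeeds only if the server cert verifies against the root and is not self-signed.
check_chain() {
    cd "$WORK"
    openssl verify -CAfile root-cert.cer server-cert.cer >/dev/null
    [ "$(openssl x509 -in server-cert.cer -noout -issuer)" != \
      "$(openssl x509 -in server-cert.cer -noout -subject)" ]
}

# Number of certificates stored in the PKCS#12 bundle (expect 2: server + root).
p12_cert_count() {
    openssl pkcs12 -in "$WORK/server.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

make_chain && check_chain && echo "chain OK, $(p12_cert_count) certs in $WORK/server.p12"
```

The resulting server.p12 can then go through the same keytool -importkeystore step as in the question; the JKS entry will carry both certificates.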

I can't comment on your primary issue because I don't have real server names or real URLs. However...

But another web site can display the root cert ( https://kyfw.12306.cn/otn/ )

The kyfw.12306.cn certificate is not trusted under my version of Firefox or Safari. Firefox prompts me for a security exception.

Also, that's one malformed certificate (see below). It looks like an end-entity (server) certificate, but it has the Certificate Sign bit set. I think it can be used to mint certificates in some instances.

I would not trust the server certificate if I were you.

If the issuer, Sinorail Certification Authority, signs those on a regular basis, then you should expect other malformed end entity certificates were signed. In this case, you should explicitly not trust Sinorail Certification Authority.

The certificate has other problems, too. Like a missing Basic Constraints (probably by malicious design decision), one key usage that does not make sense (Key Agreement is used with Diffie-Hellman parameters, not RSA based certs), and one key usage that violates best practices (Data Encipherment is bulk encryption under the public key, which should not be performed). Non Repudiation has no meaning so it's inert (I think it was CompSci guys trying to be Lawyers).


$ openssl s_client -connect kyfw.12306.cn:443 | \
          openssl x509 -text -noout
depth=1 C = CN, O = Sinorail Certification Authority, CN = SRCA
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4051956438837501785 (0x383b70e9b6441f59)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, O=Sinorail Certification Authority, CN=SRCA
        Validity
            Not Before: May 26 01:44:36 2014 GMT
            Not After : May 25 01:44:36 2019 GMT
        Subject: C=CN, O=Sinorail Certification Authority, OU=\x94\xC1\x8D\xEF[\xA2b7g\x0DR\xA1N-_\xC3, CN=kyfw.12306.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:bc:0b:19:73:f9:5f:f8:2a:45:24:f1:84:f1:57:
                    1c:e2:8b:bc:69:da:06:4f:5a:eb:95:06:2c:10:ea:
                    2c:0b:f7:c8:ad:ef:95:8d:1a:26:02:51:ab:03:5f:
                    2d:ce:f3:06:3e:3e:d6:45:be:01:0a:92:91:ea:43:
                    55:3a:b9:e9:a2:1d:2b:6d:85:44:b5:c5:30:6c:53:
                    f4:ee:5c:5e:80:1d:cf:a8:76:e3:fa:cc:21:8a:71:
                    49:c7:44:09:2c:45:bf:01:19:28:33:04:0f:d7:dc:
                    1f:42:50:a9:d8:6b:d6:00:d8:40:48:61:c7:2b:cc:
                    88:7a:69:10:23:0c:76:ef:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:79:5E:B6:77:B7:E2:52:83:43:ED:C7:51:88:4C:63:85:2C:00:43:58

            Netscape Cert Type: 
                SSL Client, SSL Server
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign
            X509v3 Subject Key Identifier: 
                8F:FD:26:EF:88:E1:AB:DF:77:22:D3:C2:95:D3:47:60:B2:7C:F3:83
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
    Signature Algorithm: sha1WithRSAEncryption
         45:de:a1:39:2f:51:54:9e:43:30:31:14:8b:ea:7c:2e:63:bc:
         1b:80:a5:cc:e8:9e:7f:99:89:c8:be:e7:42:5c:bb:5e:c9:8e:
         a6:74:cc:48:e7:e0:7b:0d:1e:6e:7a:9f:c8:84:6e:63:9c:7f:
         5d:df:06:29:74:6a:3e:00:43:3f:61:19:b8:e6:bd:04:ae:7d:
         a0:7a:ff:f2:cc:d6:35:5e:fc:e4:95:00:a0:78:0b:d3:54:75:
         8e:4f:36:ce:c7:0f:37:4b:7e:44:23:8c:37:a1:08:00:da:d4:
         31:fe:4c:fd:fc:ef:d3:79:cc:5a:16:0e:07:a3:43:98:85:b0:
         08:74
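An added example (not from the answer) that turns the four defects the answer lists into a check over `openssl x509 -text` output. It assumes a scratch directory WORK and constructs two self-signed test certificates locally: one with the same key-usage profile as the listing above and no Basic Constraints, one with a sane server profile.

```shell
#!/bin/sh
# Added example, not from the answer: lint a certificate for the defects the answer
# lists, using only the openssl CLI. Test certificates are constructed locally.
set -eu
WORK=${WORK:-$(mktemp -d)}      # hypothetical scratch directory

# Prints one finding per line; returns 1 if anything was flagged, 0 if clean.
lint_cert() {
    txt=$(openssl x509 -in "$1" -noout -text)
    ku=$(printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | tail -n1 || true)
    alg=$(printf '%s\n' "$txt" | grep 'Public Key Algorithm' | head -n1 || true)
    rc=0
    # An end entity must never carry Certificate Sign: only CA:TRUE certs may sign.
    case "$ku" in *"Certificate Sign"*)
        printf '%s\n' "$txt" | grep -q 'CA:TRUE' \
            || { echo "Certificate Sign set on a non-CA certificate"; rc=1; } ;;
    esac
    printf '%s\n' "$txt" | grep -q 'X509v3 Basic Constraints' \
        || { echo "Basic Constraints extension missing"; rc=1; }
    # Key Agreement belongs to DH/ECDH keys, not to rsaEncryption keys.
    case "$ku" in *"Key Agreement"*)
        case "$alg" in *rsaEncryption*) echo "Key Agreement on an RSA key"; rc=1 ;; esac ;;
    esac
    case "$ku" in *"Data Encipherment"*)
        echo "Data Encipherment set: bulk encryption under the public key"; rc=1 ;;
    esac
    return $rc
}

# Constructs a self-signed test cert: $1 = output file, remaining args = extension lines.
make_test_cert() {
    out=$1; shift
    printf '%s\n' "$@" > "$out.ext"
    openssl genrsa -out "$out.key" 2048 2>/dev/null
    openssl req -new -key "$out.key" -subj '/CN=lint-test' -out "$out.csr"
    openssl x509 -req -in "$out.csr" -signkey "$out.key" -days 1 \
        -extfile "$out.ext" -out "$out" 2>/dev/null
}

cd "$WORK"
# Same key usages as the listing in the answer, and no Basic Constraints (constructed).
make_test_cert bad.cer \
    'keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign' \
    'extendedKeyUsage=clientAuth,serverAuth'
make_test_cert good.cer 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth'

echo "bad.cer:";  lint_cert bad.cer || true
echo "good.cer:"; lint_cert good.cer && echo "no findings"
```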
