Client certificate missing: How to recover it

I am on a team that is trying to connect a Java J2SE application to a secure corporate web services site using certificates. None of the team members have prior experience creating certificates and coding for this type of connection.

We prepared and submitted a CSR and received a .p7b certificate from the web service site. The .p7b contains two certificates: one for us issued by the web services site and a second for the web services site issued by the corporate owner's own CA. Both appear in the keystore list below. The keystore is referenced in a custom SSLContext and the Java code creates an Apache HttpClient with that SSLContext without error.

When the Java code attempts to execute an HttpGet, the web service site rejects the SSLHandshake and terminates the connection with the error:

javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

In the handshake debug trace, in step 13 of the handshake, is the message:

ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
Certificate chain
Empty

Keytool lists the contents of the keystore as (corporate identities redacted):

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server
Creation date: Mar 28, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: ...
Issuer: ...
Serial number: ...
Valid from: Mon Mar 11 19:00:00 CDT 2019 until: Wed Mar 11 18:59:59 CDT 2020
Certificate fingerprints:
     SHA1: ...
     SHA256: ...
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.16.840.1.113733.1.6.9 Criticality=false
0000: 01 01 FF                                           ...


#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://onsite-crl.pki.digicert.com/ATTServicesIncApplicationCertificates/LatestCRL.crl]
]]

#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#5: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
]

Certificate[2]:
Owner: ...
Issuer: ...
Serial number: ...
Valid from: Wed Feb 23 18:00:00 CST 2011 until: Tue Feb 23 17:59:59 CST 2021
Certificate fingerprints:
     SHA1: ...
     SHA256: ...
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 97 20 99 C2 73 2A 45 EB   E0 02 7F 47 DA 7B AB 7C  . ..s*E....G....
0010: EB 1F AF 6E                                        ...n
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://onsitecrl.verisign.com/offlineca/ATTServicesIncATTServicesIncRootCA.crl]
]]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  CN=VeriSignMPKI-2-51
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 25 64 37 69 DB DC 57 99   43 80 79 29 90 6C B8 13  %d7i..W.C.y).l..
0010: 58 EE B6 D0                                        X...
]
]


*******************************************
*******************************************

It appears that the keystore includes an entry for our private key but not a client certificate; only the two certificates from the .p7b from the web services site are listed.

The StackOverflow post at:

why doesn't java send the client certificate during SSL handshake?

suggests exporting the client certificate from the keystore and editing the certificate chain. This does not relieve the problem, apparently because the keystore contains our private key but not our signed certificate.

I do not have an artifact that identifies as the client certificate. The Oracle procedure given at:

https://docs.oracle.com/cd/E19509-01/820-3503/ggezu/index.html

suggests the signed client certificate should have been created in the process of preparing the original CSR (step 3 of the procedure); however, we do not appear to have that certificate file as a separate artifact.

I think we need to reconstruct the client certificate and import it into the proper location of the certificate chain in the keystore. Since we do not appear to have the original file created when the CSR was created, can the client certificate be re-created now from scratch (steps 3 - 5 of the Oracle procedure) and edited back into the chain? Is there a way to extract or reconstitute the client certificate from the original CSR?

Any questions, insights or suggestions very much appreciated. Thanks.

It appears that the keystore includes an entry for our private key but not a client certificate; only the two certificates from the .p7b from the web services site are listed.

The PrivateKeyEntry you show listed by keytool does contain a client certificate (by BC, KU and NCT), and a CA certificate that presumably is the issuing (parent) cert for that client cert. (If you imported these certs to this keystore with keytool, the CA cert is definitely the issuer because keytool verifies that; if you used another tool it should enforce the same requirement, but might not.) You describe the p7b as containing a "second for the web services site issued by the corporate owner's own CA", but (1) if that were the case keytool would not have imported it as part of the same chain and (2) it would make no sense, because the client does not need a CA-issued (i.e. not self-signed) server cert in its keystore or truststore, only the cert of the server's CA in its truststore, and that as a separate entry not in the client's PrivateKeyEntry even if it's a shared file.

Per your description you are getting a javax.net.debug=ssl trace, so look at the part of that trace where it loads the keystore and make sure this entry is getting loaded, and look at the server's *** CertificateRequest under Cert Authorities to see what CA(s) it is asking for (immediately before *** ServerHelloDone) and compare that (those) to the actual CA for the chain in your keystore (unredacted). Since you are using Apache HttpClient, if you are using one of the overloads that specifies a PrivateKeyStrategy make sure it selects the alias correctly.
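As an added example (not code from the question, the answer, or Apache HttpClient), the following JDK-only program performs the checks the answer describes: it loads the PKCS12 keystore, confirms the entry is a PrivateKeyEntry whose chain links actually verify and whose leaf carries the digitalSignature key usage, and reports which alias is anchored in one of the CA names copied from the server's CertificateRequest. The class name, keystore file name and password are assumptions; the same selection logic can be returned from an Apache HttpClient PrivateKeyStrategy.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class ClientCertCheck {
    // Returns the alias of a PrivateKeyEntry whose chain is intact and anchored in one of
    // the CAs the server named in its CertificateRequest (empty set = server accepts any CA).
    public static Optional<String> selectAlias(KeyStore ks, Set<X500Principal> requestedCAs) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;                // a TrustedCertificateEntry cannot authenticate us
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) continue;   // private key without its certificate: unusable
            X509Certificate leaf = (X509Certificate) chain[0];
            boolean[] ku = leaf.getKeyUsage();
            if (ku != null && !ku[0]) continue;                 // client auth signs the handshake: needs digitalSignature
            Set<X500Principal> authorities = new HashSet<>();
            boolean linked = true;
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                authorities.add(c.getIssuerX500Principal());    // every issuer along the chain is a candidate CA
                if (i + 1 < chain.length) {
                    X509Certificate issuer = (X509Certificate) chain[i + 1];
                    if (!c.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) { linked = false; break; }
                    c.verify(issuer.getPublicKey());            // throws if the chain is merely concatenated, not signed
                }
            }
            if (!linked) continue;
            if (requestedCAs.isEmpty() || !Collections.disjoint(authorities, requestedCAs)) return Optional.of(alias);
        }
        return Optional.empty();
    }

    // Usage (assumed file and password): java ClientCertCheck client.p12 changeit "CN=Some CA,O=Example" ...
    // The DNs are the entries under "Cert Authorities" in the javax.net.debug trace, without the angle brackets.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        Set<X500Principal> requested = new HashSet<>();
        for (int i = 2; i < args.length; i++) requested.add(new X500Principal(args[i]));
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println(alias + ": " + (ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "TrustedCertificateEntry")
                + ", chain length " + (chain == null ? 0 : chain.length));
        }
        System.out.println("alias the server should accept: " + selectAlias(ks, requested).orElse("NONE"));
    }
}
```

If the program prints NONE while the trace shows the entry being loaded, the mismatch is between the chain's CA and the CAs the server asks for, which is exactly the comparison the answer recommends making with the unredacted names.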
