
SSL on tomcat with wildcard certificate

I have an application which has to run on Tomcat 7 on Windows only, as my customer/client wants HTTPS implemented on Tomcat.

I am able to run Tomcat on HTTPS with a self-signed certificate.

But the problem is the client has told me that the "Known CA certificate" would be a wildcard certificate, and I have to create a batch file which just takes one input, i.e., the location of the certificate, and the script/batch should do the rest; no ROOT and INTERMEDIATE certificate would be provided, he said I have to extract it from the MAIN certificate, which can be of any extension.

Is it possible to extract the root and intermediate certificate from the main certificate?

What would be the steps?

PS: I am new to SSL implementation.

TIA

I'm not really sure what the exact use case is.

I can think of two possible cases:

  • Your client wants to support client-side cert-based authentication. So they need to just provide a certificate file for each client which your script should automatically add to the truststore together with the extracted intermediate and root certificates.
  • Your client wants to support multiple server certificates on the same server installation (e.g. multiple SSLHostConfig) or on different installations. So they need a way to automate the server certificate configuration by just providing one server cert file to your script, which may again need to extract intermediate and root for sending to clients during the HTTPS handshake.

Your question below can apply to both cases:

"Is it possible to extract the root and intermediate certificate from the main certificate?"

The certificate can be provided by your client as a single file in the following ways:

  • A file containing multiple X.509 PEM/DER certificates forming a certificate chain, e.g. the certificate itself, the intermediate and the root, and possibly a private key.
  • A keystore (JKS or P12) containing the above certificate chain and possibly a private key.
  • A file containing a single PEM/DER certificate.

Answer:

In the first two cases you can easily extract the intermediate and root certificates because they are contained inside that single file.

In the latter case the information contained in the certificate for the parent (e.g. the intermediate certificate) is the Issuer: field, which itself is not a certificate.
One possible way to fetch the issuer certificate in this case is by reading the CA Issuers link from the Authority Information Access (AIA) extension (if this is present in the certificate) and then fetching the certificate from there.

For trusting client certificates your script should add the certificate and the (provided or dynamically fetched) intermediate and root to the truststore one by one.

For the server-side certificate you need to form a chain containing intermediate and root (provided or dynamically fetched) and add this and the private key to the keystore.
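The steps the answer describes (split one file into its certificates, tell leaf, intermediate and root apart, read the AIA CA Issuers link, then import into a truststore one by one or build a server keystore), as an added POSIX shell example using openssl and keytool; it is not code from the question or the answer, it handles only the PEM-bundle and single-certificate cases (not a JKS/P12 input), and the function names and the Unix shell (rather than the Windows batch file asked about) are my assumptions.

```shell
# Split a single PEM bundle into one file per certificate; private key blocks are skipped.
split_bundle() {  # $1 = bundle file, $2 = output directory
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
  ' "$1"
}

# Tell the pieces apart by subject/issuer hash: the root is self-issued, an intermediate
# issued another certificate in the set, the leaf issued nothing. Order in the file does not matter.
classify_chain() {  # $1 = directory produced by split_bundle
  local dir="$1" f subj iss issuers="" i=0
  for f in "$dir"/cert-*.pem; do
    issuers="$issuers $(openssl x509 -noout -issuer_hash -in "$f")"
  done
  for f in "$dir"/cert-*.pem; do
    subj=$(openssl x509 -noout -subject_hash -in "$f")
    iss=$(openssl x509 -noout -issuer_hash -in "$f")
    if [ "$subj" = "$iss" ]; then cp "$f" "$dir/root.pem"
    else case " $issuers " in
      *" $subj "*) i=$((i + 1)); cp "$f" "$dir/intermediate-$i.pem" ;;
      *) cp "$f" "$dir/leaf.pem" ;;
    esac; fi
  done
}

# Single certificate, no chain in the file: the AIA extension may name a CA Issuers URL
# from which the issuer certificate can be downloaded (prints nothing if the extension is absent).
aia_ca_issuers_url() {  # $1 = certificate file
  openssl x509 -noout -text -in "$1" | sed -n 's/^ *CA Issuers - URI:\(.*\)$/\1/p'
}

# Client-cert trust: import root, intermediates and leaf one by one into the truststore.
import_to_truststore() {  # $1 = dir from classify_chain, $2 = truststore path, $3 = store password
  for f in "$1"/root.pem "$1"/intermediate-*.pem "$1"/leaf.pem; do
    [ -f "$f" ] || continue
    keytool -importcert -noprompt -trustcacerts -keystore "$2" -storepass "$3" \
      -alias "$(basename "$f" .pem)" -file "$f"
  done
}

# Server certificate: leaf + chain + private key go into a PKCS12 keystore Tomcat can load directly.
build_server_keystore() {  # $1 = dir from classify_chain, $2 = private key file, $3 = output .p12, $4 = password
  cat "$1"/intermediate-*.pem "$1"/root.pem > "$1/chain.pem"
  openssl pkcs12 -export -in "$1/leaf.pem" -inkey "$2" -certfile "$1/chain.pem" \
    -name tomcat -out "$3" -passout "pass:$4"
}
```

Run `split_bundle bundle.pem out && classify_chain out`, then either `import_to_truststore out truststore.p12 <password>` or `build_server_keystore out server.key keystore.p12 <password>`, and point the Tomcat connector at the resulting store.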
