SSL on tomcat with wildcard certificate
I have an application which has to run on tomcat 7 on windows only, as my customer/client wants HTTPS implemented on tomcat.
I am able to run the tomcat on https with self-signed certificate.
But problem is client has told me that the "Known CA certificate" would be wildcard certificate, and I have to create a batch file which just takes one input, ie, the location of certificate and the script/batch should do the rest, no ROOT and INTERMEDIATE certificate would be provided, he said I have to extract it from the MAIN certificate which can be of any extension.
Is it possible to extract the root and intermediate certificate from the main certificate?
What would be the steps?
PS: I am new with SSL implementation
TIA
I'm not really sure what the exact use case is.
I can think of two possible cases:
... SSLHostConfig) or on different installations, supporting multiple server certificates. So they need a way to automate the server certificate configuration by just providing one server cert file to your script, which may again need to extract intermediate and root for sending to clients during the https handshake. Your question below can apply to both cases:
"Is it possible to extract the root and intermediate certificate from the main certificate."
The certificate can be provided by your client as a single file in the following ways:
Answer:
In the first two cases you can easily extract the intermediate and root certificates because they are contained inside that single file.
In the latter case the information contained in the certificate for the parent (e.g. intermediate certificate) is the Issuer: information, which itself is not a certificate.
One possible way to fetch the issuer certificate in this case is by reading the CA Issuers link from the Authority Information Access (AIA) extension (if this is present in the certificate) and then fetching the certificate from there.
For trusting client-certificates your script should add the certificate and the (provided or fetched dynamically) intermediate and root to the truststore one by one.
For server-side certificate you need to form a chain containing intermediate and root (provided or fetched dynamically) and add this and the private key to the keystore.
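The answer's two situations (a single file that already carries the chain, or a lone certificate whose parent has to be located through the AIA CA Issuers link) and the chain-ordering the keystore step needs, worked through as an added example. This is not the answer's own script and it uses OpenSSL rather than a Windows batch file: it assumes an OpenSSL 1.1.1 or later binary on PATH (for "x509 -ext"), and the file names, the output name chain.pem and the AIA URL it mentions are constructed for illustration; Tomcat and keytool are not touched by it.

```shell
#!/bin/sh
# Added example, not from the original post. One input file (the server
# certificate in whatever form the client delivers it) is normalised to PEM,
# split into individual certificates and ordered leaf -> intermediate -> root;
# when the parent is missing, the AIA "CA Issuers" URL is read so it can be
# fetched. Assumes OpenSSL 1.1.1 or later on PATH (needed for "x509 -ext");
# file names and URLs are constructed for illustration.
set -u

# Emit the certificate(s) in $1 as PEM on stdout; $2 is the PKCS#12 password
# (used only if $1 is a .pfx/.p12). The extension is ignored, the format is probed.
to_pem() {
    in="$1"; pw="${2:-}"
    if openssl pkcs12 -in "$in" -nokeys -passin "pass:$pw" 2>/dev/null; then
        :                                   # PKCS#12: leaf plus chain, key stripped
    elif openssl x509 -in "$in" -inform PEM -noout 2>/dev/null; then
        cat "$in"                           # PEM: may already hold several certs
    else
        openssl x509 -in "$in" -inform DER  # DER (.cer/.crt): a single certificate
    fi
}

# Split PEM bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ... in file order and
# print the number of certificates found.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside                        { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
        END                           { print n + 0 }
    ' "$1"
}

# Print the "CA Issuers" URI from the Authority Information Access extension of
# certificate $1; prints nothing when the extension is absent.
ca_issuers_url() {
    openssl x509 -in "$1" -noout -ext authorityInfoAccess 2>/dev/null \
        | sed -n 's/^[[:space:]]*CA Issuers - URI://p'
}

# Download the issuer certificate at URI $1 into PEM file $2. AIA responders
# usually serve DER, so try that first. Needs network; not exercised offline.
fetch_issuer() {
    curl -fsS "$1" -o "$2.tmp" || return 1
    openssl x509 -inform DER -in "$2.tmp" -out "$2" 2>/dev/null \
        || openssl x509 -inform PEM -in "$2.tmp" -out "$2"
}

# Order the certificates in directory $1 leaf -> intermediate(s) -> root into
# file $2 by matching each certificate's Issuer against the others' Subject;
# cert-1.pem (first in the bundle) is taken as the leaf. Prints the chain
# length; the chain stays short when a parent is not in the bundle.
build_chain() {
    dir="$1"; out="$2"; cur="$dir/cert-1.pem"; : > "$out"
    while :; do
        cat "$cur" >> "$out"
        issuer=$(openssl x509 -in "$cur" -noout -issuer)
        subject=$(openssl x509 -in "$cur" -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] && break   # self-signed root
        next=""
        for f in "$dir"/cert-*.pem; do
            [ "$(openssl x509 -in "$f" -noout -subject)" = "subject=${issuer#issuer=}" ] && next="$f"
        done
        [ -z "$next" ] && break                                    # parent missing
        cur="$next"
    done
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# Check before anything goes near a keystore: does the ordered chain $1 actually
# validate? The last certificate is the trust anchor, the rest are untrusted.
verify_chain() {
    tmp=$(mktemp -d)
    n=$(split_pem "$1" "$tmp")
    openssl verify -CAfile "$tmp/cert-$n.pem" -untrusted "$1" "$tmp/cert-1.pem" > /dev/null 2>&1
    rc=$?; rm -rf "$tmp"; return $rc
}

# Glue for the batch-style use: $1 = the one file from the client, $2 = optional
# PKCS#12 password. Writes ./chain.pem or reports where the missing parent is.
run() {
    work=$(mktemp -d); mkdir "$work/in" "$work/out"
    to_pem "$1" "${2:-}" > "$work/bundle.pem"
    split_pem "$work/bundle.pem" "$work/in" > /dev/null
    len=$(build_chain "$work/in" chain.pem)
    if verify_chain chain.pem; then
        echo "chain.pem: $len certificate(s), verifies up to its root"
    else
        split_pem chain.pem "$work/out" > /dev/null
        url=$(ca_issuers_url "$work/out/cert-$len.pem")
        echo "chain incomplete after $len certificate(s); parent at: ${url:-<no AIA extension>}"
    fi
    rm -rf "$work"
}
```

Usage is `run site.pfx secret` (or a .cer/.crt/.pem with no password). When the chain verifies, chain.pem plus the private key can be packaged with `openssl pkcs12 -export -in chain.pem -inkey server.key -out server.p12` and referenced from the connector's keystoreFile with keystoreType="PKCS12"; when it does not, the printed CA Issuers URL is what fetch_issuer should be pointed at, and the fetched parent goes through verify_chain again before it is trusted. AIA is an optional extension, so a certificate without it leaves no way to derive the intermediate from the leaf, and the client has to supply it.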