
Self SSL - Invalid Certificate

I used Self SSL for the first time today to create a certificate for our Exchange-OMA/OWA. I have imported the certificate into trusted root certificate authorities on my local computer so that it will not prompt that the certificate is not from a trusted source.

I am, however, still getting a certificate error "Invalid Certificate"; the IE8 browser bar turns red with a security warning. When I view the certificate it does not display any error and says the certificate is fine.

Can anyone tell me why I am getting this error? Is it normal for self-signed certificates, or is the certificate really invalid somehow?

Thank you

Make sure that the CN ("Common Name") attribute matches in your URL and certificate. For example, if you created your certificate using the CN=localhost, but you are accessing it in IE using something like https://machine.domain.topleveldomain, then IE will complain that machine.domain.topleveldomain is not the same as localhost. I believe it does a string comparison.

Make sure that the certificate was installed in the Trusted Root Certification Authorities (TRCA) under the Local Computer physical store.

If all is installed correctly, then there is one more possibility. Windows has a "feature" that wipes out untrusted certificates (untrusted according to Microsoft) from the TRCA. You can disable this feature first and then reinstall the certificate.

Open up gpedit.msc and drill down to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > Turn off Automatic Root Certificates Update. Enable Turn off Automatic Root Certificates Update.

Microsoft provides some details about what that feature does: it's a security feature where your TRCA is compared against Microsoft's database of valid root certificates.

If it is still not working after you turn that feature off, then there is a problem with the way in which you created that certificate. You can make a certificate using makecert. http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.80).aspx

If your computer's fully qualified name is: machine.domain.com, you can do this:

makecert -n "CN=machine.domain.com" c:\file.cer

Eventually you can access your resources by: https://machine.domain.com

Hope this helps. I have had my fair share of self-signed certificate woes.
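The checks from the answer above (name match against the URL host, presence in the Local Computer Trusted Root store), plus the certificate's validity period, as one PowerShell diagnostic. This is an added example, not part of the original post: `Test-SelfSignedCert` is a hypothetical helper name, it assumes PowerShell 3.0 or later, and the path and URL in the final call are the ones used in the answer.

```powershell
# Added example (not from the original answer). Test-SelfSignedCert is a hypothetical helper.
function Test-SelfSignedCert {
    param(
        [Parameter(Mandatory)] [string] $CerPath,  # exported .cer file
        [Parameter(Mandatory)] [uri]    $Url       # URL as typed into the browser
    )

    # .NET resolves relative paths against the process directory, so resolve first.
    $fullPath = (Resolve-Path -LiteralPath $CerPath).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]

    # Subject CN, and the DNS name (taken from the subject alternative name when present).
    $names = @(
        $cert.GetNameInfo($nameType::SimpleName, $false)
        $cert.GetNameInfo($nameType::DnsName, $false)
    ) | Where-Object { $_ } | Select-Object -Unique

    # Check 1: does a certificate name equal the host part of the URL?
    $hostName  = $Url.Host
    $nameMatch = $false
    foreach ($n in $names) {
        if ($n -ieq $hostName) {
            $nameMatch = $true
        }
        # A wildcard name such as *.domain.com covers exactly one leading label.
        elseif ($n.StartsWith('*.') -and $hostName.Contains('.') -and
                ($n.Substring(1) -ieq $hostName.Substring($hostName.IndexOf('.')))) {
            $nameMatch = $true
        }
    }

    # Check 2: is this exact certificate in the Local Computer Trusted Root store?
    $inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

    # Check 3: is the current time inside the validity period?
    $now    = Get-Date
    $inDate = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    [pscustomobject]@{
        Host               = $hostName
        CertNames          = $names -join ', '
        NameMatchesHost    = $nameMatch
        InLocalMachineRoot = $inRoot
        WithinValidity     = $inDate
        NotAfter           = $cert.NotAfter
    }
}

Test-SelfSignedCert -CerPath 'C:\file.cer' -Url 'https://machine.domain.com'
```

Any column that comes back `False` points at the corresponding step in the answer; if `InLocalMachineRoot` turns `False` again some time after importing, the root store is being modified after installation.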
