简体繁体 English

具有CA证书问题的HTTPS SSL自签名证书

[英]HTTPS SSL Self-Signed Certificate with CA Certificate issue

原文 2012-03-21 15:06:44 9 3 http/ https/ ssl-certificate/ self-signed

I have a website on our Internal network that is also accessible to the public. 我在内部网络上有一个网站，公众也可以访问。 I have purchased and installed an SSL certificate for that public site. 我已经为该公共站点购买并安装了SSL证书。 The site is available using both https://site.domain.com (Public) and https://site.domain.local (Internal). 可以使用https://site.domain.com （公共）和https：//site.domain.local （内部）访问该站点。

The problem I am having is creating and installing a self-signed certificate for the internal "site.domain.local" so that people on our internal network do not get the security warning. 我遇到的问题是为内部“ site.domain.local”创建并安装自签名证书，以便内部网络上的人员不会收到安全警告。 I have a keystore in the root folder and also created a self-signed certificate in that keystore with no luck. 我在根文件夹中有一个密钥库，并且在该密钥库中创建的自签名证书没有运气。 The public key is working just fine. 公钥工作正常。 I am running Debian linux with Tomcat 7 installed and I am also using Active Directory on the network with Microsoft DNS. 我正在运行安装了Tomcat 7的Debian linux，并且还在网络上通过Microsoft DNS使用Active Directory。 Any and all help would be greatly appreciated. 任何和所有帮助将不胜感激。 If you need more details, please ask. 如果您需要更多详细信息，请询问。

3 个解决方案

If your certificate is for site.domain.com and users are going to site.domain.local and getting that cert, then clearly there is a name mismatch and the browser will always warn you. 如果您的证书是针对site.domain.com的，并且用户要访问site.domain.local并获取该证书，则显然名称不匹配，浏览器将始终警告您。

You either need to : 您要么需要：

get the cert regenerated with BOTH names 获取使用两个名称重新生成的证书
get a cert for just the internal site 仅针对内部站点获取证书
mangle DNS so that when your internal users go to site.domain.com they get the IP address of site.domain.local. 修改DNS，以便当内部用户访问site.domain.com时，他们获得site.domain.local的IP地址。

Not sure I fully understand your set-up, but you could front your Tomcat with Apache, install the cert on the Apache instance and then do a Reverse-Proxy (plain http) to your Tomcat instance. 不确定我是否完全了解您的设置，但是您可以在Tomcat上使用Apache，在Apache实例上安装证书，然后对Tomcat实例执行反向代理（纯HTTP）。 People would access the Apache instance which would handle the SSL connection. 人们将访问处理SSL连接的Apache实例。

One way would be to add the CA certificate in every client certificate trusted store (which is not convenient) : the client click on the certificate warning message and install/trust the self signed x509 CA certificate. 一种方法是在每个客户端证书受信任存储区中添加CA证书（这不方便）：客户端单击证书警告消息并安装/信任自签名的x509 CA证书。 If this doesn't work, there is a problem with the certificate (though most openssl generated stuff .CER/.CRT/.P12/.PFX will install with no problem under recent windows). 如果这不起作用，则说明证书存在问题（尽管大多数openssl生成的东西.CER / .CRT / .P12 / .PFX都可以在最近的Windows下正常安装）。

If one client accepts the self-signed certificate with manual setup, you can try to install these certificates with Active Directory ; 如果一个客户端通过手动设置接受了自签名证书，则可以尝试使用Active Directory安装这些证书； basically you add trusted CA cert within your AD, and client automagically synchronize (nb: mostly on login) : See there for a hint about setting thing up with AD : http://support.microsoft.com/kb/295663/en-us (You may try this or dig in that direction : with AD, you never know). 基本上，您在AD中添加了受信任的CA证书，并且客户端自动进行了同步（nb：主要在登录时）：请参见此处，了解有关使用AD进行设置的提示： http : //support.microsoft.com/kb/295663/zh-我们（您可以尝试这样做或向那个方向挖掘：使用AD，您永远不会知道）。

Another possibility would be to set up your internal DNS to point site.domain.com to the local web site address (the easy way ). 另一种可能性是设置您的内部DNS，以将site.domain.com指向本地网站地址（ 简便方法 ）。 You can test this setup with you /etc/hosts file on linux/unix flavours (or system32/drivers/etc/hosts on windows flavours) 您可以使用linux / unix风味上的/etc/hosts文件（或Windows风味上的system32/drivers/etc/hosts ）来测试此设置