This question already has an answer here:
X509 certificate signed with bouncy castle is not valid
(1 answer)
Closed 3 years ago.
I am trying to sign a PKCS10 request with Bouncy Castle in Java. The resulting certificate will be used in a two-way (mutual) SSL setup. I have gone through many examples on this site and elsewhere, but whenever I try to connect the client to the server I always get the following:
--java--
org.springframework.web.client.ResourceAccessException:
I/O error on GET request for "https://localhost:8443/resources/1":
Received fatal alert: certificate_unknown;
nested exception is javax.net.ssl.SSLHandshakeException:
Received fatal alert: certificate_unknown
--openssl--
$ openssl s_client -connect localhost:8443 -CAfile ca.crt -cert client.crt -key client.key -pass pass:password -showcerts
CONNECTED(00000003)
depth=1 /C=xx/ST=xx/L=xx/O=xxxx/OU=xxxx/CN=xxxx/[email protected]
verify return:1
depth=0 /C=xx/ST=xx/L=xx/O=xxxx/OU=xxxx/CN=localhost/[email protected]
verify return:1
76234:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s3_pkt.c:1145:SSL alert number 46
76234:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s23_lib.c:185:
I have tried many Bouncy Castle variations, but here is just one example:
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;

public Certificate signCertificateSigningRequest(PKCS10CertificationRequest certificationRequest,
                                                 Certificate caCertificate, PrivateKey caPrivateKey) throws Exception {
    // getX500Name(...) is the asker's own helper that builds an X500Name from a string.
    X500Name issuer = getX500Name("xxxx");
    // Validity window: from yesterday to three years from now.
    Calendar notBefore = Calendar.getInstance();
    notBefore.add(Calendar.DATE, -1);
    Calendar notAfter = Calendar.getInstance();
    notAfter.add(Calendar.YEAR, 3);
    // Subject and public key come straight from the CSR; issuer, serial and dates are supplied here.
    X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(
            issuer,
            BigInteger.valueOf(3),
            notBefore.getTime(),
            notAfter.getTime(),
            certificationRequest.getSubject(),
            certificationRequest.getSubjectPublicKeyInfo()
    );
    // Sign the TBS structure with the CA private key and convert to a JCA X509Certificate.
    X509CertificateHolder certHolder = certGen
            .build(new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(caPrivateKey));
    X509Certificate certificate = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certHolder);
    return certificate;
}
What I want is the Bouncy Castle equivalent of the following openssl command, which I know works:
$ openssl \
x509 \
-req \
-in client.csr \
-CA ca.crt \
-CAkey ca.key \
-passin pass:password \
-CAcreateserial \
-sha256 \
-out client.crt \
-days 3650
This is driving me crazy. Any help would be greatly appreciated. Thanks.
Best answer
I found the answer here: X509 certificate signed with bouncy castle is not valid
The answer has to do with the issuer handed to X509v3CertificateBuilder. The issuer returned by getX500Name("xxxx") should be the same as that of the certificate doing the issuing, but I guess it was not. I had to change:
X500Name issuer = getX500Name("xxxx");
to:
X500Name issuer = X500Name.getInstance(((X509Certificate)caCertificate).getSubjectX500Principal().getEncoded());
It works fine now.
09-04 19:22
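Added example, not code from the question or the accepted answer: a complete program that builds a constructed demo CA and client CSR, signs the CSR the way the accepted answer does (issuer copied from the CA certificate's subject), refuses a CSR whose self-signature does not verify, and then runs the two checks a peer's chain validation depends on, which the original getX500Name("xxxx") issuer would have failed. The class name, daysFromNow helper, DNs and serial numbers are made up; it assumes the Bouncy Castle bcprov and bcpkix jars on the classpath.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.*;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
public class CsrSigningDemo {
    static Date daysFromNow(int d) { return new Date(System.currentTimeMillis() + d * 86_400_000L); }
    // Issue a cert for a CSR; the issuer DN is copied byte-for-byte from the CA subject, the field path validation matches on.
    static X509Certificate sign(PKCS10CertificationRequest csr, X509Certificate caCert,
                                PrivateKey caKey, long serial, int days) throws Exception {
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(csr.getSubjectPublicKeyInfo())))
            throw new SecurityException("CSR self-signature invalid: no proof of key possession");
        X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
        X509v3CertificateBuilder b = new X509v3CertificateBuilder(issuer, BigInteger.valueOf(serial),
                daysFromNow(-1), daysFromNow(days), csr.getSubject(), csr.getSubjectPublicKeyInfo());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); // end entity, not a CA
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(
                b.build(new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(caKey)));
    }
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        // Constructed demo CA: self-signed, so its issuer equals its subject.
        KeyPair caKp = kpg.generateKeyPair();
        X500Name caName = new X500Name("CN=Demo CA,O=Example");
        X509v3CertificateBuilder caB = new JcaX509v3CertificateBuilder(caName, BigInteger.ONE,
                daysFromNow(-1), daysFromNow(3650), caName, caKp.getPublic());
        caB.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        X509Certificate caCert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(
                caB.build(new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(caKp.getPrivate())));
        // Constructed client CSR for CN=localhost, self-signed with the client's own key.
        KeyPair clientKp = kpg.generateKeyPair();
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(new X500Name("CN=localhost"),
                clientKp.getPublic()).build(new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(clientKp.getPrivate()));
        X509Certificate clientCert = sign(csr, caCert, caKp.getPrivate(), 3, 3650);
        // The two checks a TLS peer effectively performs when chaining the client cert to ca.crt.
        clientCert.verify(caCert.getPublicKey());
        if (!clientCert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal()))
            throw new IllegalStateException("issuer DN does not match CA subject DN");
        System.out.println("client certificate chains to " + clientCert.getIssuerX500Principal());
    }
}
```

Swapping the issuer line back to a hand-built X500Name reproduces the original failure: verify() still passes (the signature is valid) but the issuer/subject comparison fails, which is why the TLS peer cannot build a chain and answers with certificate_unknown.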