我尝试生成自己的CSR以获得我的域的证书。
我按照他们的教程生成了一个具有CSR的商店:
keytool -genkey -alias codesigncert -keypass -keyalg RSA -keysize 2048 -dname "CN=displayname,O=companyname,C=US,ST=state,L=city" -keystore codesignstore -storepass
但是godaddy拒绝了生成的CSR,所以我使用了他们生成的CSR。
之后,我使用了thomasvitale.com教程中的以下命令:
keytool -import -alias <my alias> -file <downloadedcertificate file>.crt -keystore keystore.p12 -storepass password
生成的.p12密钥库无法启动,因为spring说:
DerInputStream.getLength(): lengthTag=109, too big.
读了很多关于这方面的文章后,我发现这是密钥库生成的方式和某个东西的版本。因此,我必须生成另一个密钥库。
要生成当前有问题的密钥库,我尝试了以下media.com说明:
用于生成密钥库:
keytool -genkey -alias <alias> -keyalg RSA -keystore <keystore.jks> -keysize 2048
用于生成CSR:
keytool -certreq -alias <alias> -keystore <keystore.jks> -file <domain>.csr
发送CSR以生成ssl证书,并使用tomcat选项下载它们。然后导入证书:
中级证书:
keytool -import -trustcacerts -alias <alias> -file gd_bundle-g2-g1.crt -keystore <keystore.jks>
keytool -import -trustcacerts -alias <alias> -file e2e56xxxxf40c7.crt -keystore <keystore.jks>
然后,我通过以下方式创建了pcks密钥库:
keytool -importkeystore -srckeystore <keystore.jks> -destkeystore <keystore.p12> -srcstoretype JKS -deststoretype PKCS12 -deststorepass <password> -srcalias <src alias> -destalias <dest alias>
之后,安装证书的spring引导配置为:
在对这个问题发表评论后,我改为使用JKS并删除了密码。
server:
port: 8443
ssl:
enabled: true
key-store-type: JKS
key-store: classpath:asgard_keystore.jks
key-store-password: generated
key-alias: asgard
err_ssl_version_or_cipher_mismatch
或
SSL_ERROR_NO_CYPHER_OVERLAP
在wireshark刚刚提到的警报21中使用TLS 1.2握手失败(40)捕捉到了这一点。
我用海底拖作为服务器。我不记得我是否在CSR的“姓名”字段中使用了域。
使用我得到的digicert工具解码我的CSR:
Common name
<my domain>
Organization
<my org>
Organizational unit
<my city>
City/locality
<my city>
State/province
<my estate>
Country
<my country>
Signature algorithm
SHA256
Key algorithm
RSA
Key size
2048
根据对该问题的评论,keytool-list调用:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 3 entries
Alias name: asgard
Creation date: Dec 7, 2018
Entry type: trustedCertEntry
Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 7
Valid from: Tue May 03 07:00:00 UTC 2011 until: Sat May 03 07:00:00 UTC 2031
Certificate fingerprints:
MD5: 96<removed>:40
SHA1: 2<removed>B8
SHA256: 97:3A<removed>E9:76:FF:6A:62:0B:67:12:E3:38:32:04:1A:A6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
< not relevant >
]
*******************************************
*******************************************
Alias name: intermediate
Creation date: Dec 14, 2018
Entry type: trustedCertEntry
Owner: CN=<removed>, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 5c<removed>
Valid from: Fri Dec 07 20:25:19 UTC 2018 until: Mon Dec 07 18:10:35 UTC 2020
Certificate fingerprints:
MD5: 31<removed>74:77
SHA1: 8D:<removed>:C0:F5:AE:0B
SHA256: 77:14:9<removed>8B:1D:67:46:1A:67:A2:72:2F:2F:9E:F2:16
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
< not relevant >
]
*******************************************
*******************************************
Alias name: server
Creation date: Dec 7, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=<removed>, OU=São Paulo, O=Ideas Farm, L=São Paulo, ST=SP, C=BR
Issuer: CN=a<removed>, OU=São Paulo, O=Ideas Farm, L=São Paulo, ST=SP, C=BR
< not relevant >
]
]
*******************************************
*******************************************
完整报告:
pastebin report
我已经删除了我认为不相关的部分回复。我发现pkcs(.p12)文件报告为jks类型很奇怪。
此外,我从证书颁发机构收到的文件包括:
5<removedhex>6b1b.crt
gd_bundle-g2-g1.crt
gdig2.crt.pem
gd_包包含3个证书
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
三次。另外两个只是一个。