The customer gave us 3 certificates, which were installed on the Windows server in order, and:
In mmc, when I inspect #2, I can see the chain as:
VeriSign (root) -> VeriSign (intermediate) -> Symantec (intermediate)
When inspecting #3 (the self-signed certificate), there is no chain. Only CompanyX.
It seems Windows cannot build a chain between the last intermediate certificate and the self-signed certificate, so when clients connect to the web server they see a self-signed or untrusted certificate warning, presumably because the server is not publishing the intermediate certificates.
I have confirmed that the common names match exactly and repeated the installation procedure several times. Am I doing something wrong when installing the certificates? Am I missing something?
Answer 0 (score: 0)
Certificate #3 is not part of the VeriSign-issued certificate chain. It may be a pseudo-certificate copied from the pending requests node (in the Certificates MMC). If that is the case, compare the public key or Subject Key Identifier extension values of certificates #2 and #3. If they match, move certificate #3 to the Certificate Enrollment Requests node.
What your customer needs to do is go to the machine where the original request was generated (I suspect the IIS server) and try to install the issued certificate properly by running the following command:
certreq -accept path\certNo2.cer
If the command succeeds, the certificate is automatically installed in the Personal store. If the command fails, the customer must find the machine where the request was generated and run the above command there.
Answer 1 (score: 0)
Just for the record and possible future searches, here's how I solved it:
Since both #3 and #2 have the same subject (and public key), and I had the private key for #3 but not #2, I wanted to try the #3 private key on the #2 certificate, so:
Extract the key from #3 with openssl pkcs12 -in Cert3.pfx -nocerts -nodes -out Cert3.key, where Cert3.pfx is the #3 certificate with its key; this creates a new Cert3.key file containing only the private key.
Merge the #2 certificate with the extracted key with openssl pkcs12 -export -out 'NewCert2.pfx' -inkey Cert3.key -in Cert2.cer, where Cert2.cer is #2 without a key; this creates NewCert2.pfx with the #2 cert and the #3 key merged.
Deleted #3 from the Personal store and deleted #2 from the Intermediate store.
Imported the new merged #2 into Personal store.
Updated IIS bindings for the new certificate.
The result is that #2 is now used as the SSL certificate; already tested with SSL-Checker and everything is working fine.
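The check from the first answer (compare the public keys of #2 and #3 before assuming they belong together) and the rebuild from the second answer (extract the key from the #3 PFX, merge it with #2), as an added example that is not from the question or either answer. It uses openssl in a POSIX shell, the tool the second answer used. Everything it operates on is constructed: one throwaway RSA key, a self-signed certificate on that key standing in for #3, a throwaway issuing CA standing in for the last intermediate, and a certificate that CA signs for the same key standing in for #2. The file names Cert2.cer, Cert3.pfx, Cert3.key and NewCert2.pfx are taken from the second answer; the CA name, subject name, temporary password and Intermediate.cer are assumptions. It also bundles the intermediate into the new PFX, so that the server can send it and the missing-intermediate warning from the question does not recur.

```shell
#!/bin/sh
# Added example, not from the question or either answer. Assumes `openssl` on PATH
# and a POSIX shell. All key and certificate material below is constructed on the
# fly; the password "x" is a throwaway for these temporary files only.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo carried by a certificate. Two
# certificates with the same digest share a key pair (the first answer's check).
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# The same digest for a private key file, so a key can be matched to a certificate.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Build the constructed scenario in directory $1:
#   Cert3.pfx        - #3: self-signed on the server key, with that key (as in the question)
#   Cert2.cer        - #2: issued by the throwaway CA for the SAME key, no key attached
#   Intermediate.cer - the throwaway CA, standing in for the last intermediate
build_scenario() {
    d=$1
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/server.key" -subj "/CN=www.companyx.example" \
      -days 30 -out "$d/Cert3.cer" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/Cert3.cer" \
      -out "$d/Cert3.pfx" -passout pass:x
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
      -subj "/CN=Throwaway Intermediate (assumed)" -days 30 \
      -out "$d/Intermediate.cer" 2>/dev/null
    # A CSR from the same server key, signed by the CA: this is the certificate the
    # customer received without its private key.
    openssl req -new -key "$d/server.key" -subj "/CN=www.companyx.example" \
      -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/Intermediate.cer" \
      -CAkey "$d/ca.key" -CAcreateserial -days 30 -out "$d/Cert2.cer" 2>/dev/null
}

# The second answer's procedure with the first answer's check in front of it.
# Writes $1/NewCert2.pfx and returns 0 when the #3 key fits #2; returns 1 otherwise.
rebuild_pfx() {
    d=$1
    # Step 1: pull the private key out of the #3 PFX (-out makes it a file).
    openssl pkcs12 -in "$d/Cert3.pfx" -nocerts -nodes -passin pass:x \
      -out "$d/Cert3.key" 2>/dev/null
    # Check: only bundle the key with #2 if it is actually #2's key.
    if [ "$(key_pubkey_fp "$d/Cert3.key")" != "$(cert_pubkey_fp "$d/Cert2.cer")" ]; then
        echo "key from #3 does not match certificate #2; do not merge" >&2
        return 1
    fi
    # Step 2: merge #2 with that key and include the intermediate (-certfile) so the
    # server can present the full chain.
    openssl pkcs12 -export -inkey "$d/Cert3.key" -in "$d/Cert2.cer" \
      -certfile "$d/Intermediate.cer" -out "$d/NewCert2.pfx" -passout pass:x
}

# Number of certificates inside a PFX: 2 means leaf plus intermediate.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:x 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
build_scenario "$work"
rebuild_pfx "$work"
echo "#2 and #3 share a key: $(cert_pubkey_fp "$work/Cert2.cer") == $(cert_pubkey_fp "$work/Cert3.cer")"
echo "NewCert2.pfx holds $(pfx_cert_count "$work/NewCert2.pfx") certificates"
```

The public-key digest is compared rather than the Subject Key Identifier because a self-signed certificate generated outside a CA may carry no SKI extension at all; the key itself is what has to match. On the real server the resulting NewCert2.pfx would be imported into the Personal store and bound in IIS exactly as the second answer describes.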