充气城堡相当于openssl pkcs10证书签名命令

时间:2016-10-22 20:15:33

标签: java openssl bouncycastle client-certificates pkcs#10

我正在尝试使用Java中的充气城堡签署pkcs10请求。生成的证书将用于双向ssl方案。我仔细查看了这个和其他网站上的许多示例,但在尝试将我的客户端连接到服务器时,我总是得到以下结果:

- 爪哇 -

org.springframework.web.client.ResourceAccessException: 
I/O error on GET request for "https://localhost:8443/resources/1":
Received fatal alert: certificate_unknown;
nested exception is javax.net.ssl.SSLHandshakeException:
Received fatal alert: certificate_unknown

- OpenSSL的 -

$ openssl s_client -connect localhost:8443 -CAfile ca.crt -cert client.crt -key client.key -pass pass:password -showcerts
CONNECTED(00000003)
depth=1 /C=xx/ST=xx/L=xx/O=xxxx/OU=xxxx/CN=xxxx/emailAddress=xxxx@xxxx.com
verify return:1
depth=0 /C=xx/ST=xx/L=xx/O=xxxx/OU=xxxx/CN=localhost/emailAddress=xxxx@xxxx.com
verify return:1
76234:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:
/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098
-59.40.2/src/ssl/s3_pkt.c:1145:SSL alert number 46
76234:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:
/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/ssl/s23_lib.c:185:

我在充气城堡中做了很多次尝试,但这只是一次尝试的例子:

public Certificate signCertificateSigningRequest(PKCS10CertificationRequest certificationRequest,
        Certificate caCertificate, PrivateKey caPrivateKey) throws Exception {
    X500Name issuer = getX500Name("xxxx");
    Calendar notBefore = Calendar.getInstance();
    notBefore.add(Calendar.DATE, -1);
    Calendar notAfter = Calendar.getInstance();
    notAfter.add(Calendar.YEAR, 3);
    X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(
        issuer,
        BigInteger.valueOf(3),
        notBefore.getTime(),
        notAfter.getTime(),
        certificationRequest.getSubject(),
        certificationRequest.getSubjectPublicKeyInfo()
    );
    X509CertificateHolder certHolder = certGen
        .build(new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(caPrivateKey));
    X509Certificate certificate = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certHolder);
    return certificate;
}

我想要的是充满活力的城堡,相当于我知道的以下openssl命令:

$ openssl \
x509 \
-req \
-in client.csr \
-CA ca.crt \
-CAkey ca.key \
-passin pass:password \
-CAcreateserial \
-sha256 \
-out client.crt \
-days 3650

这让我疯了。任何帮助将非常感激。感谢。

1 个答案:

答案 0 :(得分:1)

我在这里找到答案:X509 certificate signed with bouncy castle is not valid

答案与给予X509v3CertificateBuilder的发行人有关。 getX500Name(“xxxx”)返回的颁发者应该与生成证书的发行者返回相同,但我想不是。我不得不改变:

X500Name issuer = getX500Name("xxxx");

为:

X500Name issuer = X500Name.getInstance(((X509Certificate)caCertificate).getSubjectX500Principal().getEncoded());

现在它运作正常。