我正在使用jetty v9.4.9。我想使用client certificate验证请求。我已经在keystore中配置了'jetty-base\etc'文件。我在服务器和客户端中都使用self-signed certificates。
我有一个服务器证书和一个根证书。我已使用OpenSSL生成keystore文件。
从https://www.eclipse.org/jetty/documentation/9.4.x/configuring-ssl.html,
生成pkcs12文件:
$ cat example.crt intermediate.crt [intermediate2.crt] ... rootCA.crt > cert-chain.txt
$ openssl pkcs12 -export -inkey example.key -in cert-chain.txt -out example.pkcs12
加载密钥库文件:
$ keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
使用上述方法,我生成了'new_keystore'文件。我在jetty-base\start.d\ssl.ini中将新生成的密钥库文件配置为
jetty.sslContext.keyStorePath=etc\new_keystore
jetty.sslContext.trustStorePath=etc\new_keystore
现在我正在使用cURL中的Windows发送请求
请求:
curl -v --cacert root.crt --key client.key --cert client.crt https://localhost:8443
这会导致unknown certificate错误
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, certificate unknown (558):
* error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
* Closing connection 0
curl: (35) error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
在jetty中,如何确定unknown certificate错误背后的原因?是否可以将其配置为显示在log文件上?如何调试和修复它?