Tomcat 内部CA的PKIX路径构建
我试图在Tomcat中将几个应用程序正确地链接在一起,但我得到了以下结果Tomcat 内部CA的PKIX路径构建,tomcat,ssl,https,jira,Tomcat,Ssl,Https,Jira,我试图在Tomcat中将几个应用程序正确地链接在一起,但我得到了以下结果 Invalid response from getting the pageId: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException
Invalid response from getting the pageId: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
我在过去使用内部CA处理过这个问题,没有问题
My current server.xml如下所示:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
....
keystoreFile="/jira-home/jira.example.org.p12"
keystorePass="xxx"
keystoreType="pkcs12"
keyAlias="jira.example.org"
truststoreFile="/jira-home/jira.example.org.p12"
truststoreType="pkcs12"
truststorePass="xxx"
/>
我还验证了Java可执行文件的命令行参数没有覆盖keystore/truststore值
据我所知,我的p12文件看起来也不错
Bag Attributes
localKeyID: 47 96 87 64 A2 A0 66 C3 B7 3C 09 53 BD 22 ED 50 37 DE 62 B7
friendlyName: jira.example.org
subject=/C=US/ST=Kansas/L=Kansas City/O=CFCA/OU=IS/CN=jira.example.org
issuer=/DC=org/DC=example/CN=example-CA2-CA
-----BEGIN CERTIFICATE-----
MIIF1TCCBL2gAwIBAgIKEOfX4AAAAAAB5zANBgkqhkiG9w0BAQUFADBHMRMwEQYK
k8ThWdXWScM8
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=CA2.example.org
issuer=/DC=org/DC=example/CN=example-CA2-CA
-----BEGIN CERTIFICATE-----
MIIE0jCCA7qgAwIBAgIKYQCskwAAAAAIFTANBgkqhkiG9w0BAQUFADBHMRMwEQYK
motn49ZLI61VXW4KrM2ZCgSOu1O5DMqLnd4DZCgHxvYwckemqDo=
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=OFFLINECA2-CA
issuer=/CN=OFFLINECA2-CA
-----BEGIN CERTIFICATE-----
MIIDMjCCAhqgAwIBAgIQIvkuOz6aNL5K+7XhjbwOMDANBgkqhkiG9w0BAQUFADAY
MF2ktx6a
-----END CERTIFICATE-----
Bag Attributes
localKeyID: 47 96 87 64 A2 A0 66 C3 B7 3C 09 53 BD 22 ED 50 37 DE 62 B7
friendlyName: jira.example.org
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----
行李属性
localKeyID:47 96 87 64 A2 A0 66 C3 B7 3C 09 53 BD 22 ED 50 37 DE 62 B7
friendlyName:jira.example.org
subject=/C=US/ST=Kansas/L=Kansas City/O=CFCA/OU=IS/CN=jira.example.org
发卡机构=/DC=org/DC=example/CN=example-CA2-CA
-----开始证书-----
MIIf1TCBL2gawibagikeofx4aaaaaaaab5zanbgkqhkig9w0baqufadbhmrmweqyk
k8ThWdXWScM8
-----结束证书-----
行李属性:
subject=/CN=CA2.example.org
发卡机构=/DC=org/DC=example/CN=example-CA2-CA
-----开始证书-----
MIIE0JCCA7QGAWIBAGIKYQCSKWAAAAIFTANBGKQHKIG9W0BAQUFADBHMRWEYK
MOTN49ZLI61VxW4KRM2ZCGSOU5DMQLND4DZCGHxVYWCKEMQDO=
-----结束证书-----
行李属性:
主题=/CN=离线CA2-CA
发卡机构=/CN=离线CA2-CA
-----开始证书-----
MIIDMjCCAhqgAwIBAgIQIvkuOz6aNL5K+7xhjbwomdanbgkqhkig9w0baqufday
MF2ktx6a
-----结束证书-----
行李属性
localKeyID:47 96 87 64 A2 A0 66 C3 B7 3C 09 53 BD 22 ED 50 37 DE 62 B7
friendlyName:jira.example.org
关键属性:
-----开始私钥-----
xxxxxxxxxxxxxxxxxxxxxx
-----结束私钥-----
我连接到的所有其他应用程序服务器也来自同一个中间和根CA。我觉得这个链不合适。但可能是因为我不熟悉输出 这张照片是彼得·古特曼的。这是我期待看到的
这是我看到的 服务器 因此,链中的下一个主题需要
example-CA2-CA
中间的
嗯。。。使用CN=example-CA2-CA的受试者发生了什么事
为什么发卡机构CN=example-CA2-CA
?发行人不应该是CN=OFFLINECA2-CA
支持私钥认证
从10000英尺的高度看还可以
subject=/C=US/ST=Kansas/L=Kansas City/O=CFCA/OU=IS/CN=jira.example.org
issuer=/DC=org/DC=example/CN=example-CA2-CA
subject=/CN=CA2.example.org
issuer=/DC=org/DC=example/CN=example-CA2-CA
subject=/CN=OFFLINECA2-CA
issuer=/CN=OFFLINECA2-CA