I am trying to set up httpd in front of a JBoss server with client authentication using X.509 certificates. I followed this tutorial to create my own CA, server and client certificates with openssl, and those work. Now I am trying to generate the certificates with the ejbca tool instead of openssl, but it fails. The certificates I generate must be misconfigured, because when I try to use them I get an SSL handshake error between apache and jboss, and in the apache log I can see
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server hello A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1321): [client 10.55.160.194] Certificate Verification: depth: 2, subject: /CN=DEXXISCA/O=DEXXIS/C=FR, issuer: /CN=DEXXISCA/O=DEXXIS/C=FR
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1321): [client 10.55.160.194] Certificate Verification: depth: 1, subject: /CN=DEXXIS-RND-CA/O=DEXXIS/C=FR, issuer: /CN=DEXXISCA/O=DEXXIS/C=FR
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1321): [client 10.55.160.194] Certificate Verification: depth: 0, subject: /CN=centralbase/O=DEXXIS/C=FR, issuer: /CN=DEXXIS-RND-CA/O=DEXXIS/C=FR
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server certificate A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server key exchange A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server certificate request A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server done A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1660): Proxy client certificate callback: (centralbase:443) entered
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1705): Proxy client certificate callback: (centralbase:443) no client certificate found!?
Does anyone know what I need to configure in ejbca to get certificates that let me use SSL between apache and jboss (I am using mod_proxy_http)?

I found that the problem is the certificate chain length. If the certificate I generate is signed by a single root CA only, everything works. If I create a certificate signed by a sub CA, and that sub CA is signed by the root CA, it fails. Is it an apache issue that it does not work well with CA chains?
2013
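An added example, not part of the question above: Go code that rebuilds the three-tier chain from the log (root DEXXISCA, sub CA DEXXIS-RND-CA, client cert centralbase) and shows both effects of the extra tier. The leaf only verifies when the sub CA certificate is available to the verifier, and the leaf's issuer name no longer equals the root's subject, so a client that compares its candidate certificate's issuer against an acceptable-CA list holding only the root finds nothing to offer. Names follow the log; keys, serials and lifetimes are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue creates an Ed25519 key and a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed serial
	tmpl := &x509.Certificate{
		SerialNumber: serial, IsCA: isCA, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"DEXXIS"}, Country: []string{"FR"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, priv // self-signed root CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// chainOK reports whether leaf verifies up to root using only the intermediates supplied.
func chainOK(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}

// Scenario rebuilds the log's chain (DEXXISCA -> DEXXIS-RND-CA -> centralbase); the named results say what is checked.
func Scenario() (withSub, rootOnly, issuerIsRoot bool) {
	root, rootKey := issue("DEXXISCA", true, nil, nil)
	sub, subKey := issue("DEXXIS-RND-CA", true, root, rootKey)
	leaf, _ := issue("centralbase", false, sub, subKey)
	return chainOK(leaf, root, sub), chainOK(leaf, root), bytes.Equal(root.RawSubject, leaf.RawIssuer)
}
```

Both results point at the same fix: each side needs the full chain, so the JBoss truststore should contain the sub CA as well as the root, and the proxy should send the sub CA certificate along with its own client certificate (httpd 2.4.8 and later provides SSLProxyMachineCertificateChainFile for this).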