Error creating server-certificate-based X509 certificate authentication in IBM Worklight 6.2

Time: 2021-01-27 22:10:30

I am developing a project in IBM Worklight 6.2 targeting Android and IOS. My project should use X509 Certificate based authentication. I am using Windows 7 OS, and following this PDF to

  1. Create Root CA
  2. Create Signing CA
  3. Create Server Certificate
  4. Create certificate chain for the server certificate
  5. Export a PKCS12 file for the signing CA
  6. Export a PKCS12 file for the server certificate

I have installed openssl-0.9.8h-1-setup on Windows, so I got openssl.cnf inside C:\Program Files (x86)\GnuWin32\share. With the help of this config file, I have successfully created the Root CA. Next, when I try to sign the Signing CA, it throws a message. The command and the messages are as follows:

openssl ca -in signingca\signing_ca.csr -out signingca\signing_ca.crt -keyfile rootca\root_ca_key.pem -cert rootca\root_ca.crt -config openssl.cnf -name root_authority_ca_config -extensions signing_authority -md sha512 -days 365 -passin pass:passRoot

Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'Development Signing CA'
The mandatory countryName field was missing

With this message, it signs the Signing CA.

Next I am trying to create the server certificate, where it shows the error message. The code and the error message are as follows:

#REM Sign the CSR with the signing CA
openssl ca -in server\server.csr -out server\server.crt -keyfile signingca\signing_ca_key.pem -cert signingca\signing_ca.crt -config openssl.cnf -name signing_authority_ca_config -extensions server_identity -md sha512 -days 365 -passin pass:passSigning

It throws the following message, and it is unable to sign the Server CA.

Using configuration from openssl.cnf
unable to load certificate
4716:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting:
TRUSTED CERTIFICATE

I need to know how to solve this!

1 solution

#1


4  

The second error appears because the Root CA certificate failed to be properly generated, so it is saying that it could not find a trusted certificate for it, so after you fix the first error the other ones should work.

The first error happens because something is missing in your openssl.cnf file. In your configuration, you have to specify which fields are optional for you and which are required. As shown in slide 18 in the User Certificate Authentication Getting started guide, you specify each one in the policy_match section like this:

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Make sure you add all the configuration options specified in each of the separate slides to your openssl.cnf, or alternatively, use the openssl.cnf supplied in the provided sample project that has all the configuration already there.
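As an added illustration (not code from the answer or from the IBM guide), the sketch below evaluates a request subject against a policy section the way the `match` / `supplied` / `optional` rules are described above, and checks whether a `.crt` file actually contains a PEM certificate before it is passed to `-cert`. The function names, the `STOCK` policy (assumed to be the `policy_match` defaults of OpenSSL's sample openssl.cnf) and the root CA subject are assumptions made for the example.

```python
import re

def parse_policy(cnf_text, section):
    """Return {field: rule} for one [ section ] of openssl.cnf-style text."""
    rules, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            field, rule = (part.strip() for part in line.split("=", 1))
            rules[field] = rule
    return rules

def check_subject(policy, request_dn, ca_dn):
    """Policy violations for a request subject; an empty list means it can be signed."""
    problems = []
    for field, rule in policy.items():
        value = request_dn.get(field)
        if rule == "optional":
            continue
        if value is None:                            # 'match' and 'supplied' both need it
            problems.append(f"{field}: '{rule}' but missing from the request")
        elif rule == "match" and value != ca_dn.get(field):
            problems.append(f"{field}: differs from the CA certificate")
    return problems

def has_pem_certificate(text):
    """False for an empty or truncated .crt, the 'no start line' case."""
    return re.search(r"-----BEGIN (TRUSTED )?CERTIFICATE-----", text) is not None

# Constructed inputs. STOCK assumes the policy_match defaults of OpenSSL's sample openssl.cnf.
STOCK = """[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
"""
RELAXED = STOCK.replace("= match", "= optional")    # 'match' relaxed, as the answer's policy does
REQUEST = {"commonName": "Development Signing CA"}  # subject printed in the question
ROOT_CA = {"commonName": "Development Root CA"}     # constructed CA subject

if __name__ == "__main__":
    for name, cnf in (("stock", STOCK), ("relaxed", RELAXED)):
        print(name, check_subject(parse_policy(cnf, "policy_match"), REQUEST, ROOT_CA))
    print("empty .crt usable:", has_pem_certificate(""))
```

Running the same check on each intermediate `.crt` before the next `openssl ca` step shows whether the previous signing step really produced a certificate.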
