2016-07-05 87 views
0

== My question probably needs some background: generating a "similar" certificate

I work with Oracle's Oracle Access Manager (OAM) product and am trying to set up a test configuration in which I have what they call a "webgate", with communication between the webgate and the OAM server in "CERT" mode.

Normally, enabling CERT mode consists of having a certificate, a key and a root CA certificate, and then:

On the OAM server:
- import the CA certificate into an Oracle-specific JKS keystore
- import the certificate and the encrypted key into another Oracle-specific JCEKS keystore

On the webgate:
- copy the certificate file, the encrypted key file and the root CA file into a specific directory

From testing, the same certificate + key (and root CA certificate) can be used on both the OAM server side and the webgate side.

== Problem:

My configuration works with a certificate + key (+ root CA) that I got from work (issued by their CA), but I want to be able to use certificates I generate myself, so I have been trying to build a certificate + key with OpenSSL commands, but so far I have not succeeded. When I import the cert/key/root CA that I created, I end up getting a "decrypt_error":

    NioProcessor-1, RECV TLSv1 ALERT: fatal, decrypt_error

I have been fiddling with the openssl.cnf that I use to issue my certificates, and I have gotten to the point where the certificate I issue looks almost the same as the one from the office, for example:

> [[email protected] ~]# openssl x509 -in /apps/ca2/foo13.crt -text
> Certificate:
>  Data:
>   Version: 3 (0x2) 
>   Serial Number: 15375053440205592664 (0xd55f29a4b21a1858) 
>  Signature Algorithm: sha1WithRSAEncryption 
>   Issuer: C=US, O=My Company, CN=JL-Test-CA 
>   Validity 
>    Not Before: Jul 5 01:03:02 2016 GMT 
>    Not After : Jul 3 01:03:02 2026 GMT 
>   Subject: C=US, ST=VA, L=Herndon, O=o, OU=ou, CN=foo13 
>   Subject Public Key Info: 
>    Public Key Algorithm: rsaEncryption 
>     Public-Key: (2048 bit) 
>     Modulus: 
>      00:e3:71:40:0f:a5:08:72:50:33:67:6e:57:a5:c0: 
>      7d:b5:a7:26:4a:4c:af:ed:59:f1:42:57:a6:0e:a1: 
>      d5:aa:10:40:f5:d9:cf:bb:21:52:59:4b:54:0d:ca: 
>      ef:b6:6a:b7:c4:dd:d6:81:c0:d8:cb:5a:2d:69:ca: 
>      d4:ec:f1:c1:b7:03:32:f9:bd:9c:b8:77:43:1d:c0: 
>      c9:48:be:62:08:f2:57:29:a2:66:98:dd:c6:a2:97: 
>      5c:53:8c:de:78:f1:b2:21:ef:eb:c2:83:9b:94:cb: 
>      a1:c1:df:20:f6:7f:b6:20:41:53:0a:4a:a2:a4:fa: 
>      c7:b7:3c:d9:09:7b:a5:7f:31:00:c9:9d:a4:cf:a1: 
>      87:24:7f:9b:b0:62:0a:8a:ee:90:9c:56:61:e4:9f: 
>      f0:dc:1a:fb:66:34:95:3e:29:3d:50:27:b4:fb:5d: 
>      7f:84:c2:c1:c1:6b:34:8f:cb:c1:de:51:5f:46:89: 
>      74:00:a2:13:60:4a:36:7b:1c:70:90:c5:80:74:0f: 
>      1c:0b:3e:3f:ed:6d:72:d5:4a:e9:2d:e4:88:4a:c7: 
>      c3:ff:d4:fa:8d:00:55:80:a4:51:59:3a:a1:9e:83: 
>      2e:66:13:00:52:fc:aa:80:eb:f5:a0:55:6b:ee:99: 
>      1e:cb:60:a6:e0:b8:21:e3:91:9c:c1:5f:6d:4e:62: 
>      24:a3 
>     Exponent: 65537 (0x10001) 
>   X509v3 extensions: 
>    X509v3 Certificate Policies: 
>     Policy: 2.16.840.1.101.2.1.11.7 
>   X509v3 Key Usage: critical 
>    Digital Signature, Key Encipherment 
>   X509v3 Extended Key Usage: 
>    TLS Web Server Authentication, TLS Web Client Authentication 
>   X509v3 Subject Key Identifier: 
>    F6:3D:09:31:E1:45:B1:96:0C:B8:A0:68:FE:40:1D:07:B6:D0:44:63 
>   X509v3 Authority Key Identifier: 
>    keyid:F9:56:E1:66:6C:B2:E0:31:F6:FF:E3:98:17:BB:15:88:45:55:4A:B8 
> 
> Signature Algorithm: sha1WithRSAEncryption 
>  45:4e:91:32:44:be:1a:31:62:96:5a:42:61:94:13:6f:3a:ca: 
>  44:1b:0c:6a:a2:10:3b:61:44:58:b2:34:b4:41:0d:2a:0c:26: 
>  ae:bc:e7:b2:9a:1e:c9:8a:25:5e:f2:55:19:22:06:44:4b:67: 
>  83:39:b8:80:2d:b1:9f:06:b7:a7:ec:4c:08:3d:11:ec:c7:32: 
>  03:49:70:05:7c:4b:4c:05:30:4d:06:a4:f1:0d:cf:f3:a6:37: 
>  4d:d9:31:af:e1:f8:e6:b7:d7:62:7b:06:e0:82:dd:72:2c:1e: 
>  92:f8:cd:03:f4:c0:67:cb:0b:ba:af:a6:1c:0b:ff:f2:44:07: 
>  83:db:ac:5e:8d:94:fb:51:5c:a7:c3:89:9c:fb:69:c6:4f:49: 
>  b7:07:2d:c2:07:9f:46:b2:9a:2c:51:c5:50:c4:57:bf:b1:c7: 
>  e0:4b:02:d5:cb:f0:4c:14:a2:cf:73:fc:43:d2:4b:3e:19:0c: 
>  25:d0:38:7e:98:f5:db:e6:15:12:bc:d0:3f:9d:93:10:9f:c3: 
>  be:29:bd:54:7f:97:ed:80:16:c7:28:1e:39:13:90:a1:15:fd: 
>  df:7b:d8:27:52:13:d4:6f:16:90:97:b6:dc:c0:a7:5a:6f:3e: 
>  e0:20:88:58:d4:e5:cf:49:bb:1c:00:3a:38:fb:fc:ab:f3:23: 
>  fd:89:45:73:9a:65:e9:72:a5:f2:f4:6e:08:a7:06:3e:2d:83: 
>  1b:4d:9b:b9:9e:ef:a0:53:7a:3c:de:fb:b3:ee:6c:ab:46:d9: 
>  42:f4:ee:0c:0a:88:59:7f:c4:31:33:53:57:a1:26:92:8b:f6: 
>  fd:95:82:d5:2a:7d:b8:72:fb:52:a3:35:6d:60:9d:2c:99:41: 
>  29:6d:9f:48:91:1c:c1:78:1f:0f:6f:17:c9:42:51:3d:00:cd: 
>  f3:9c:69:9a:33:5d:0f:ca:3a:ee:d5:02:ca:e4:4d:d2:35:fc: 
>  83:c9:f0:46:b2:a5:14:f8:56:59:c6:43:30:b7:33:40:2c:a3: 
>  7e:07:76:d8:55:8d:35:ca:87:db:57:dd:30:25:90:68:84:89: 
>  ac:d8:61:a4:58:a5:08:56:64:95:5e:3c:6b:ac:2f:15:8e:02: 
>  f2:4d:e8:6b:e1:b3:af:4e:b0:30:97:c5:d1:00:8c:59:6b:f2: 
>  c6:9e:cb:3b:ed:a8:c3:af:8d:4f:75:d8:f3:65:5b:38:1e:18: 
>  6b:03:ce:31:e3:8a:8a:02:84:3e:c0:e8:bb:ee:b5:4a:9c:f4: 
>  51:f6:be:ac:b1:ea:0f:fc:0e:7d:98:78:8f:b5:8e:24:14:32: 
>  64:52:bf:6a:94:59:70:e0:75:c8:17:7b:0e:00:5a:3b:a3:63: 
>  ff:ab:1a:0c:e1:43:e5:03 

But no matter what I try, I always get decrypt_error when I try the certificates I issued.

So I have been visually comparing the "openssl x509" output of the good certificate and of my certificate, and one difference I noticed is that the "Signature Algorithm: sha1WithRSAEncryption" block in my certificate is much larger than the "Signature Algorithm: sha1WithRSAEncryption" block of the good/working certificate, e.g.:

    Signature Algorithm: sha1WithRSAEncryption
    5b:47:09:64:41:d8:11:49:73:a3:ac:47:b2:07:5b:1b:75:a9: 
    19:09:62:94:c6:46:fa:fa:84:b1:22:c6:f8:0b:b9:20:5a:5e: 
    0b:51:df:e2:7a:ea:6f:4a:82:e4:57:f0:c9:69:25:ef:f9:92: 
    17:91:f2:53:d4:08:a0:b6:2f:4b:58:bd:4b:3b:1f:1e:6f:00: 
    fc:e8:35:26:04:b7:03:bc:fa:8d:da:cb:ad:15:d2:7f:7a:d8: 
    xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx: 
    51:45:7c:08:cb:45:d5:b9:99:45:c5:14:c8:07:07:2c:c4:9a: 
    de:d2:a3:6e:bd:c8:ec:dc:c3:df:4f:0f:31:02:66:f3:45:e1: 
    92:29:9e:0f:82:65:cf:62:c8:99:ae:73:da:d9:d0:0a:66:f3: 
    4e:7c:60:d9:02:86:d2:1b:8f:de:1d:0b:c0:ef:10:2b:47:58: 
    22:73:2d:19:66:ed:e0:e8:e2:76:32:4a:f1:af:a1:ab:63:ae: 
    c9:7b:94:4f:54:7f:65:b8:ad:82:6b:57:d7:e9:38:2b:78:d7: 
    ac:3f:18:92:7d:42:72:e2:7f:11:f8:67:ab:da:29:ca:8c:ec: 
    c3:f8:94:00:a3:1a:4a:00:6b:e6:82:90:ee:7f:0d:50:a3:c3: 
    0b:ca:34:28 

    Signature Algorithm: sha1WithRSAEncryption
    45:4e:91:32:44:be:1a:31:62:96:5a:42:61:94:13:6f:3a:ca: 
    44:1b:0c:6a:a2:10:3b:61:44:58:b2:34:b4:41:0d:2a:0c:26: 
    ae:bc:e7:b2:9a:1e:c9:8a:25:5e:f2:55:19:22:06:44:4b:67: 
    83:39:b8:80:2d:b1:9f:06:b7:a7:ec:4c:08:3d:11:ec:c7:32: 
    03:49:70:05:7c:4b:4c:05:30:4d:06:a4:f1:0d:cf:f3:a6:37: 
    4d:d9:31:af:e1:f8:e6:b7:d7:62:7b:06:e0:82:dd:72:2c:1e: 
    92:f8:cd:03:f4:c0:67:cb:0b:ba:af:a6:1c:0b:ff:f2:44:07: 
    83:db:ac:5e:8d:94:fb:51:5c:a7:c3:89:9c:fb:69:c6:4f:49: 
    b7:07:2d:c2:07:9f:46:b2:9a:2c:51:c5:50:c4:57:bf:b1:c7: 
    e0:4b:02:d5:cb:f0:4c:14:a2:cf:73:fc:43:d2:4b:3e:19:0c: 
    25:d0:38:7e:98:f5:db:e6:15:12:bc:d0:3f:9d:93:10:9f:c3: 
    be:29:bd:54:7f:97:ed:80:16:c7:28:1e:39:13:90:a1:15:fd: 
    df:7b:d8:27:52:13:d4:6f:16:90:97:b6:dc:c0:a7:5a:6f:3e: 
    e0:20:88:58:d4:e5:cf:49:bb:1c:00:3a:38:fb:fc:ab:f3:23: 
    fd:89:45:73:9a:65:e9:72:a5:f2:f4:6e:08:a7:06:3e:2d:83: 
    1b:4d:9b:b9:9e:ef:a0:53:7a:3c:de:fb:b3:ee:6c:ab:46:d9: 
    42:f4:ee:0c:0a:88:59:7f:c4:31:33:53:57:a1:26:92:8b:f6: 
    fd:95:82:d5:2a:7d:b8:72:fb:52:a3:35:6d:60:9d:2c:99:41: 
    29:6d:9f:48:91:1c:c1:78:1f:0f:6f:17:c9:42:51:3d:00:cd: 
    f3:9c:69:9a:33:5d:0f:ca:3a:ee:d5:02:ca:e4:4d:d2:35:fc: 
    83:c9:f0:46:b2:a5:14:f8:56:59:c6:43:30:b7:33:40:2c:a3: 
    7e:07:76:d8:55:8d:35:ca:87:db:57:dd:30:25:90:68:84:89: 
    ac:d8:61:a4:58:a5:08:56:64:95:5e:3c:6b:ac:2f:15:8e:02: 
    f2:4d:e8:6b:e1:b3:af:4e:b0:30:97:c5:d1:00:8c:59:6b:f2: 
    c6:9e:cb:3b:ed:a8:c3:af:8d:4f:75:d8:f3:65:5b:38:1e:18: 
    6b:03:ce:31:e3:8a:8a:02:84:3e:c0:e8:bb:ee:b5:4a:9c:f4: 
    51:f6:be:ac:b1:ea:0f:fc:0e:7d:98:78:8f:b5:8e:24:14:32: 
    64:52:bf:6a:94:59:70:e0:75:c8:17:7b:0e:00:5a:3b:a3:63: 
    ff:ab:1a:0c:e1:43:e5:03 

To be clear, I don't know whether the difference in the length of the "Signature Algorithm" block is the problem, but it is the only difference I can discern at this point, so I would like to know how I can make a certificate that will have a similar length to the good certificate. What controls that?

Sorry if this is a strange question, but I have been at this for a long time and I am kind of "grasping at straws" :(...

+0

I *think* I have worked out how to make the "Signature Algorithm" block the same size as in the "good" certificate: it looks like I had created the root CA key with 4096 bits; if I create a new CA key with 2048 bits and then issue a certificate from that CA, the "Signature Algorithm" block is 256 bytes. Unfortunately, I issued a certificate from this new CA and redeployed the new certificates in the OAM server and the webgate, and got exactly the same "decrypt_error", so I am stuck again on why the certificates I issue don't work with this OAM configuration? – user555303

+0

Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. Please see [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww

+0

The signature algorithm is definitely not the problem. Importing the certificate or the CA into the keystore may be an issue. I suggest using the GUI tool portecle to check the contents of the JKS. Make sure your certificate is correctly issued by your CA – pedrofb

Answer

0

All - I just figured out what the problem was, and it was not in how the certificate was issued.

To be precise, the problem was that the CA certificate was a SHA256 certificate.

I created a new CA (and a CA certificate, which is a SHA1 certificate), issued a new SHA1 certificate, used that new CA certificate and the issued certificate, and I was able to get the 10g webgate-to-OAM server protocol working over CERT.

Thanks, Jim
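As an added example (this is not code from the question, the answer, or Oracle), here is a small stdlib-only Python checker that reads `openssl x509 -text` output and reports the two things this thread turned on: the byte count of the signature block, which for RSA equals the issuing CA's modulus size (the 512-byte block above comes from a 4096-bit CA key, the 256-byte block from a 2048-bit one, as user555303 found), and the hash named in the signature algorithm (sha1 versus sha256), which turned out to be the actual cause. The function names (`inspect_x509_text`, `diff_summaries`, `sample_cert_text`) and the sample dumps are my own constructions; the sample text mimics openssl's layout but is not any certificate from the question.

```python
import re
from typing import Dict, List, Optional


def _hex_block(n_bytes: int, indent: str) -> str:
    """Render n_bytes of constructed placeholder octets in the 18-per-line,
    colon-separated layout that `openssl x509 -text` uses for signatures."""
    octets = [f"{(i * 37 + 11) % 256:02x}" for i in range(n_bytes)]
    rows = []
    for start in range(0, n_bytes, 18):
        chunk = ":".join(octets[start:start + 18])
        # every row but the last ends in a trailing colon, as openssl prints it
        rows.append(indent + chunk + (":" if start + 18 < n_bytes else ""))
    return "\n".join(rows)


def sample_cert_text(sig_alg: str, subject_key_bits: int, sig_bytes: int) -> str:
    """Constructed `openssl x509 -text -noout` output, trimmed to the fields the
    checker reads. Names are placeholders; this is not a real certificate."""
    return (
        "Certificate:\n"
        "    Data:\n"
        "        Version: 3 (0x2)\n"
        f"        Signature Algorithm: {sig_alg}\n"
        "        Issuer: C=US, O=Example Org, CN=Example-Test-CA\n"
        "        Subject: C=US, O=Example Org, CN=example-host\n"
        "        Subject Public Key Info:\n"
        "            Public Key Algorithm: rsaEncryption\n"
        f"                Public-Key: ({subject_key_bits} bit)\n"
        f"    Signature Algorithm: {sig_alg}\n"
        f"{_hex_block(sig_bytes, '         ')}\n"
    )


_HEX_ROW = re.compile(r"^(?:[0-9a-f]{2}:?)+$")
_HASH_IN_ALG = re.compile(r"(sha\d+|md5)with|with-(sha\d+)", re.IGNORECASE)


def inspect_x509_text(text: str) -> Dict[str, object]:
    """Summarise the signature-related fields of one `openssl x509 -text` dump."""
    sig_alg: Optional[str] = None
    subject_key_bits: Optional[int] = None
    sig_octets: List[str] = []
    in_signature = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Signature Algorithm:\s*(\S+)", line)
        if m:
            # openssl prints the algorithm twice; only the last occurrence is
            # followed by the signature hex dump, so restart collection each time.
            sig_alg, sig_octets, in_signature = m.group(1), [], True
            continue
        m = re.match(r"Public-Key:\s*\((\d+) bit\)", line)
        if m:
            subject_key_bits = int(m.group(1))
            continue
        if in_signature and _HEX_ROW.match(line):
            sig_octets.extend(o for o in line.split(":") if o)
        elif line:
            in_signature = False  # any other non-empty line ends the hex dump

    sig_bytes = len(sig_octets)
    hash_name = None
    if sig_alg:
        m = _HASH_IN_ALG.search(sig_alg)
        if m:
            hash_name = (m.group(1) or m.group(2)).lower()
    # A PKCS#1 RSA signature is exactly as long as the issuer's modulus, so the
    # byte count reveals the CA key size. ECDSA signatures are DER-encoded and
    # vary in length, so no key size is inferred for them.
    is_rsa = bool(sig_alg) and "rsa" in sig_alg.lower()
    issuer_key_bits = sig_bytes * 8 if is_rsa and sig_bytes else None

    findings: List[str] = []
    if hash_name in ("sha1", "md5"):
        findings.append(f"signature uses {hash_name}, which is deprecated for certificates")
    if issuer_key_bits is not None:
        findings.append(f"{sig_bytes}-byte RSA signature: issuing CA key is {issuer_key_bits} bits")
    if subject_key_bits is not None and subject_key_bits < 2048:
        findings.append(f"subject key is only {subject_key_bits} bits")
    return {
        "signature_algorithm": sig_alg,
        "hash": hash_name,
        "subject_key_bits": subject_key_bits,
        "signature_bytes": sig_bytes,
        "issuer_key_bits": issuer_key_bits,
        "findings": findings,
    }


def diff_summaries(a: Dict[str, object], b: Dict[str, object]) -> Dict[str, tuple]:
    """Fields on which two summaries differ: the comparison the question does by eye."""
    keys = ("signature_algorithm", "hash", "subject_key_bits", "signature_bytes", "issuer_key_bits")
    return {k: (a[k], b[k]) for k in keys if a[k] != b[k]}


if __name__ == "__main__":
    working = inspect_x509_text(sample_cert_text("sha1WithRSAEncryption", 2048, 256))
    mine = inspect_x509_text(sample_cert_text("sha1WithRSAEncryption", 2048, 512))
    for label, summary in (("working cert", working), ("my cert", mine)):
        print(label, summary)
    print("differences:", diff_summaries(working, mine))
```

Run it against real output with `openssl x509 -in cert.crt -noout -text | python3 checker.py` after swapping the sample call for `sys.stdin.read()`. Because the byte count is tied to the issuer's key rather than the subject's, running the checker on the CA certificate itself is the quickest way to see which hash the CA was signed with, which is what the accepted answer ended up mattering on; the sha1 finding is there so that a chain still relying on it stands out in an inventory.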