个人中心
文章发布
退出
作者热门文章
- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
25
4
我现在正在努力为 Windows 7 创建 CA 证书以连接到 strongSwan。
问题是,无论我尝试多少标志,Windows 都不会使用它。我在 Trusted Root Certification Authorities 组中有 20 个证书。默认情况下这些都在那里。当我安装我的时,总共有 21 个。在连接尝试中,Windows 将尝试默认的 20,甚至是过时的,但不是我的。
形成StrongSwan wiki ,这是所需的日志输出:
May 12 05:49:56 koala charon: 13[ENC] unknown attribute type INTERNAL_IP4_SERVER
May 12 05:49:56 koala charon: 13[ENC] unknown attribute type INTERNAL_IP6_SERVER
May 12 05:49:56 koala charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
May 12 05:49:56 koala charon: 13[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan 2009 CA"
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
May 12 05:49:56 koala charon: 13[CFG] looking for peer configs matching 10.10.0.1[%any]...10.10.0.6[10.10.0.6]
我得到的是这样的:
11[ENC] unknown attribute type INTERNAL_IP4_SERVER
11[ENC] unknown attribute type INTERNAL_IP6_SERVER
11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
11[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
11[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
11[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
11[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
11[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
11[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
11[IKE] received cert request for unknown ca with keyid da:ed:64:74:14:9c:14:3c:ab:dd:99:a9:bd:5b:28:4d:8b:3c:c9:d8
11[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
11[IKE] received cert request for unknown ca with keyid 48:e6:68:f9:2b:d2:b2:95:d7:47:d8:23:20:10:4f:33:98:90:9f:d4
11[IKE] received cert request for unknown ca with keyid 87:db:d4:5f:b0:92:8d:4e:1d:f8:15:67:e7:f2:ab:af:d6:2b:67:75
11[IKE] received cert request for unknown ca with keyid f0:17:62:13:55:3d:b3:ff:0a:00:6b:fb:50:84:97:f3:ed:62:d0:1a
11[IKE] received cert request for unknown ca with keyid 1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4
11[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72
11[IKE] received cert request for unknown ca with keyid 1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4
11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
11[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
11[IKE] received cert request for unknown ca with keyid b1:81:08:1a:19:a4:c0:94:1f:fa:e8:95:28:c1:24:c9:9b:34:ac:c7
11[IKE] received cert request for unknown ca with keyid ee:e5:9f:1e:2a:a5:44:c3:cb:25:43:a6:9a:5b:d4:6a:25:bc:bb:8e
11[IKE] received cert request for unknown ca with keyid 4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87
11[CFG] looking for peer configs matching 192.168.0.204[%any]...192.168.0.201[192.168.0.201]
... 我的应该是 cc a6 77 ce 07 ca 9c e5 e1 79 c1 2f 52 0d 60 41 c0 fc 2c 02 但没有试过。
我添加了其他证书(以及更多)中包含的所有额外信息:
[ all_opts ]
keyUsage = digitalSignature, keyEncipherment, nonRepudiation, dataEncipherment, keyAgreement, keyCertSign, cRLSign
extendedKeyUsage = 1.3.6.1.5.5.8.2.2,1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.3, 1.3.6.1.5.5.7.3.4, 1.3.
6.1.5.5.7.3.5, 1.3.6.1.5.5.7.3.6, 1.3.6.1.5.5.7.3.7, 1.3.6.1.5.5.7.3.8, 1.3.6.1.5.5.7.3.17
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
nsCertType=sslCA, emailCA, objCA
crlDistributionPoints=URI:http://myhost.com/myca.crl
...但到目前为止还没有成功。
这是许多失败的 TEST 证书之一的 openssl x509 -text 输出。我确实将它与一个有效的匹配,包括了每个选项(甚至是看似无关紧要的选项,如 CRL),但到目前为止还没有成功。
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ed:47:46:38:44:e7:ef:40
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=TEST, CN=TEST CA
Validity
Not Before: Jun 17 10:18:16 2011 GMT
Not After : Jun 16 10:18:16 2015 GMT
Subject: C=AU, ST=Some-State, O=TEST, CN=TEST CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bf:85:90:c3:2c:30:da:8d:02:c0:6c:11:39:bc:
f4:d7:31:db:a2:bc:04:b6:c2:a4:92:ce:c1:4a:c7:
f9:43:57:6e:bc:c8:30:ee:17:45:46:57:95:37:bb:
7c:06:60:7b:20:a8:60:09:b8:1d:37:7f:26:dc:b2:
db:47:c4:91:91:8c:81:7a:b9:72:ec:0b:c6:90:50:
66:56:d1:05:a2:a0:99:66:ee:57:31:95:7c:04:a2:
4f:48:1f:89:c0:09:5b:cf:3f:09:4c:06:a8:36:99:
0e:c6:b1:27:d9:20:11:c5:fc:ec:cb:20:41:a7:8f:
d5:2a:58:2b:5c:36:f9:03:83
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, IPSec End System, IPSec Tunnel, IPSec User, Time Stamping, 1.3.6.1.5.5.7.3.17
X509v3 Subject Key Identifier:
CC:A6:77:CE:07:CA:9C:E5:E1:79:C1:2F:52:0D:60:41:C0:FC:2C:02
X509v3 Authority Key Identifier:
keyid:CC:A6:77:CE:07:CA:9C:E5:E1:79:C1:2F:52:0D:60:41:C0:FC:2C:02
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
X509v3 CRL Distribution Points:
URI:http://myhost.com/myca.crl
Signature Algorithm: sha1WithRSAEncryption
69:11:dc:65:4d:f2:af:50:6f:58:56:67:97:fd:26:c4:a4:93:
0e:59:c3:bf:0f:ae:d5:58:9e:33:e3:21:11:7d:8a:fd:dd:10:
11:6e:b3:69:b8:39:28:d4:c9:a4:8f:01:94:d6:96:92:0a:bd:
0d:13:eb:29:5c:d0:7c:7c:12:09:f0:db:c0:fd:7a:4b:33:5d:
d6:68:36:51:a3:8b:b9:92:90:52:ea:7d:13:f6:4e:83:d3:60:
22:c1:c1:b0:9b:f2:72:2c:d1:f7:ae:3c:b0:7c:17:7b:66:a0:
ff:3a:50:ee:56:e4:bc:35:16:fb:65:41:78:1d:32:2d:7f:51:
2b:ce
-----BEGIN CERTIFICATE-----
. . .
我在 Windows 端得到的是:
Error 13801: IKE authentication credentials are unacceptable.
最佳答案
尝试将它们添加到您的计算机的证书存储区而不是您的用户的证书存储区,然后它将起作用。
关于windows-7 - 为 Windows 7 的 IPSec 客户端创建 CA,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/6384489/
25
4
0
我正在尝试在 Java 中执行此操作,但我认为这是一个一般证书问题。我有一个根CA,一个由根CA颁发的中间CA1,一个由中间CA1颁发的中间CA2,以及一个由中间CA2颁发的证书。 rootCA ->
编辑 1:https://security.stackexchange.com/questions/83972/trust-ca-and-parent-ca-but-not-other-derivat
我正在使用“任何?” block 中的方法。该片段正在字符串中查找字符串“CA”(拆分)检查: region="CA" check="AU,US,UK,CA,ZA" if check.split(',
我有一个SpringBoot应用程序,它使用以下配置与PostgreSQL通信,通过AWS Beanstrik部署:。在我将AWS Aurora证书更新为rds-ca-ecc384-g1之前,一切都很
我们正在使用我们现有的 CA 进行 freeipa 安装。在安装过程中,会生成 CSR,并且必须由 CA 签名才能创建证书。这个证书必须有 X509v3 Basic Constraints: CA:T
我正在尝试导出客户端证书以供网络浏览器使用。 目标是使用 指令限制对管理区域的访问。我看过很多关于使用自签名 CA 的教程。你会如何使用第三方来做到这一点? 1) 如果它是受信任的根 CA,我是否需要
我已经设法弄清楚 x509Certificate2Collection 中的证书是否是证书颁发机构证书,但我如何才能安全地确定它是根证书还是中间证书?以下是否足够安全? var collection
我使用 fabric-ca-sdk(fabric-sdk-java/fabric-sdk-java/src/test/fixture/sdkintegration) 中的测试代码启动 ca 服务器。并
环境: Red Hat Enterprise Linux Server release 7.7 (Maipo) # openssl version OpenSSL 1.0.2g 1 Mar 2016
导出 K8s 集群 CA 证书和 CA 私钥 团队,我有一个 Kubernetes 集群正在运行。我将一次又一次地删除和创建它,所以我想一直重复使用相同的 CA 证书,我需要保存 CA 证书和 key
我正在编写一个自定义客户端和服务器,我想通过公共(public) Internet 安全地进行通信,因此我想使用 OpenSSL 并让两端进行对等验证以确保我的客户端不会被 MITM 误导,同样,未经
问题: 我想构建一个 docker 容器 FROM:ubuntu:20.04但我无法访问外部互联网 我在内部网络上有一个 apt 镜像,可以使用 apt 镜像位于 https 后面,带有自定义证书 我
Linux 的新手,正在尝试了解更多,我遇到了这种情况。 我已经尝试使用 ps 命令并使用 grep 来捕获“ca”,但它会返回每次出现的“ca”,无论它来自什么,它实际上对我没有帮助。 我已经尝试过
我正在尝试在我的 .NET 应用程序和我安装了第三方根 CA 证书和中间 CA 证书的网站之间建立 TLS 连接: ServicePointManager.SecurityProtocol = Sec
SSL 证书永远不会让我眼花缭乱。我有一个网络应用程序,它从合作伙伴那里对另一项服务进行休息调用以获取某些数据。他们使用为公司生成的自签名或内部 CA。问题是每当另一端更新 SSL 证书时,我的应用程
我正在开发一个带有证书固定的移动应用程序。我将在 DMZ 中有一个盒子来代理我的请求。该服务器是否应该拥有来自可信 CA 的证书,还是我可以使用我自己的 CA 生成的证书? 从移动客户端使用受信任的
有没有人设法将 CA 证书安装到 activemq 实例中?我一直在进行谷歌搜索并阅读 activemq 文档,但我没有找到任何关于如何在 activemq 中使用预先存在的 CA 证书的信息。 我假
openssl ca 和 openssl x509 命令有什么区别?我正在使用它来创建和签署我的 root-ca、intermed-ca 和客户端证书,但是 openssl ca 命令不会在证书上注册
在 keystore 中创建私钥和自签名证书 keytool -genkey -alias mydomain -keystore mydomain.ks -dname cn=mydomain.com
我的 Raspberry Pi 3 出了点问题。我不得不运行 fsck.ext3,但是很多包都损坏了,例如 python 等。现在,ca-certificates 不会重新安装。每当它运行 updat
我是一名优秀的程序员,十分优秀!