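openssl s_client -connect: error 20 with a server-signed certificate for the client

What I want

I want to connect to a server using a given signed certificate (signed by the company running the server).

What I have

  • Ubuntu 12.04 LTS
  • My key and CSR file
  • The signed certificate. After I sent the CSR I generated myself, it was signed by the people running the server I want to connect to (not a globally trusted CA)
  • RootCA.crt, CompanyCA.crt

What works

I can create a Java keystore from the signed certificate and the key. If I use it in SoapUI, I can successfully connect to the server, send SOAP requests and get correct responses.

What does not work

I cannot use my certificate and key with openssl s_client -connect. The response is Verify return code: 20 (unable to get local issuer certificate).

My request: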

 openssl s_client -connect service.company.com:443 -cert myCert.crt -key myKey.key 

What else I tried (to no avail)

  • Using RootCA or CompanyCA via -CAfile
  • Concatenating RootCA and CompanyCA and using -CAfile
  • Putting RootCA and CompanyCA in one directory and then specifying it with c_rehash
  • Installing RootCA and CompanyCA in /usr/lib/ssl/certs/ and running c_rehash
  • Creating a .pem from my certificate and key file (from the .p12) and using it as -cert
  • When I run openssl verify -CAfile RootCA.crt CompanyCA.crt, the result is error 20 at 0 depth lookup:unable to get local issuer certificate
  • When I run openssl verify -CAfile RootCA.crt myCert.crt, the result is error 2 at 1 depth lookup:unable to get issuer certificate

What I (almost) always get

 CONNECTED(00000003)
 depth=1 C = DE, O = Company, CN = Company CA
 verify error:num=20:unable to get local issuer certificate
 verify return:0
 ---
 Certificate chain
  0 s:/C=DE/ST=City/L=City/O=Company/CN=service.company.com
    i:/C=DE/O=Company/CN=Company CA
  1 s:/C=DE/O=Company/CN=Company CA
    i:/C=DE/O=Other Company/OU=INST/DSW/CN=Other Company Root CA
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 <SNIP>
 -----END CERTIFICATE-----
 subject=/C=DE/ST=City/L=City/O=Company/CN=service.company.com
 issuer=/C=DE/O=Company/CN=Company CA
 ---
 Acceptable client certificate CA names
 /C=DE/O=Other Company/OU=INST/DSW/CN=Other Company Root CA
 /C=DE/O=Company/CN=Company CA
 ---
 SSL handshake has read 3926 bytes and written 2631 bytes
 ---
 New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
 Server public key is 2048 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
     Protocol : TLSv1
     Cipher : DHE-RSA-AES256-SHA
     Session-ID: SessionId
     Session-ID-ctx:
     Master-Key: MasterKey
     Key-Arg : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket:
     <SNIP>
     Start Time: 1393503573
     Timeout : 300 (sec)
     Verify return code: 20 (unable to get local issuer certificate)
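
Added example, not part of the original post: the verify code printed by s_client refers to the server's certificate chain, and this Python sketch reads the posted transcript to find the issuer DN that was not available locally. The sample text is a constructed excerpt of the output above, and all function names are hypothetical.

```python
import re

# Constructed excerpt of the s_client output shown in the post.
TRANSCRIPT = """\
CONNECTED(00000003)
depth=1 C = DE, O = Company, CN = Company CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DE/ST=City/L=City/O=Company/CN=service.company.com
   i:/C=DE/O=Company/CN=Company CA
 1 s:/C=DE/O=Company/CN=Company CA
   i:/C=DE/O=Other Company/OU=INST/DSW/CN=Other Company Root CA
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    section = text.split("Certificate chain", 1)[1].split("---", 1)[0]
    # DNs are kept as opaque strings: values such as OU=INST/DSW contain '/'.
    subjects = re.findall(r"^[ \t]*\d+ s:(.+)$", section, re.M)
    issuers = re.findall(r"^[ \t]*i:(.+)$", section, re.M)
    if len(subjects) != len(issuers):
        raise ValueError("unbalanced s:/i: lines in chain section")
    return list(zip(subjects, issuers))

def failing_depth(text):
    """Return (depth, error number) of the first verify error, or None."""
    m = re.search(r"^depth=(\d+) .*\nverify error:num=(\d+):", text, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def broken_links(chain):
    """Depths whose issuer is not the subject of the next certificate sent."""
    return [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]

def missing_anchor(chain):
    """Issuer DN that must come from the local trust store, or None if the
    last certificate the server sent is self-signed."""
    subject, issuer = chain[-1]
    return None if subject == issuer else issuer

if __name__ == "__main__":
    chain = parse_chain(TRANSCRIPT)
    print("verify error (depth, num):", failing_depth(TRANSCRIPT))
    print("broken links at depths:", broken_links(chain))
    print("issuer needed from -CAfile/-CApath:", missing_anchor(chain))
```

The DN it reports is the subject that a certificate supplied through -CAfile or -CApath has to carry; `openssl x509 -noout -subject -issuer -in RootCA.crt` shows whether the local file matches.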