如何使用 Microsoft 证书服务生成 SSL 证书,然后安装/配置它以与 Apache 一起使用?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/364429/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How do I generate an SSL Certificate with Microsoft Certificate Services and then install / configure it to work with Apache?
提问by ScArcher2
I've generated a certificate request, submitted it to the Microsoft Certificate Services program. It issues the certificate. I downloaded it to conf/ssl/server.cert
我生成了一个证书请求,并将其提交给 Microsoft 证书服务计划。它颁发证书。我下载到 conf/ssl/server.cert
I configured it in apache to using
我在 apache 中将它配置为使用
SSLCertificateFile conf/ssl/server.cert
SSLCertificateKeyFile conf/ssl/server.key
When I start the server with this config I get
当我用这个配置启动服务器时,我得到
Secure Connection Failed An error occurred during a connection to 192.168.1.100.
安全连接失败 连接到 192.168.1.100 期间发生错误。
Certificate type not approved for application. (Error code: sec_error_inadequate_cert_type) The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
未批准申请的证书类型。(错误代码:sec_error_inadequate_cert_type) 由于无法验证接收到的数据的真实性,因此无法显示您尝试查看的页面。
- Please contact the web site owners to inform them of this problem.
- 请联系网站所有者以告知他们此问题。
If I download the CA Certificate and install it with
如果我下载 CA 证书并安装它
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
SSLCACertificateFile conf/ssl/cacert.crt
The server fails to start.
服务器无法启动。
It works fine if I generate a self signed certificate an install it, but I need it to come from Microsoft Certificate Services so it won't warn internal users about the certificate.
如果我生成自签名证书并安装它,它工作正常,但我需要它来自 Microsoft 证书服务,这样它就不会警告内部用户有关证书的信息。
回答by Mark Brackett
Sounds like your cert isn't allowed to be used for a server. IIRC, you can view the certificate in a browser and look for Usage or some such language, and it should say SSL Server (possibly among other things).
听起来您的证书不允许用于服务器。IIRC,您可以在浏览器中查看证书并查找 Usage 或某些此类语言,它应该说 SSL Server(可能还有其他内容)。
回答by Calrion
You need to make sure that the issued certificate has "Server Authentication" specified as one of the permitted uses in the extended key usage extension. The easiest way to do this (and only way on Win2k3 Standard) is to use the Web Server certificate template.
您需要确保颁发的证书将“服务器身份验证”指定为扩展密钥用法扩展中允许的用途之一。执行此操作的最简单方法(也是 Win2k3 标准上的唯一方法)是使用 Web 服务器证书模板。
You need to use the Certificate Services MMC snap-in to add this certificate template to the list of those allowed, and then need to configure permissions so the appropriate user(s) can request certificates.
您需要使用证书服务 MMC 管理单元将此证书模板添加到允许的列表中,然后需要配置权限以便适当的用户可以请求证书。
