问题[certificate](server)

我有 OpenSSL 证书颁发机构，并且生成了根证书（自签名）、中间证书（由根证书签名）、服务器证书（由中间证书签名）和客户端证书（由中间证书签名）。

服务器证书上传到我的 Cisco ASA 上（作为身份证书）。另外，我还上传了我的 ASA 根证书和中级证书。

我是否需要在客户端计算机上安装根证书和中间证书？或者客户端证书就足够了？（这适用于应使用客户端证书进行身份验证的 VPN 客户端）

通过 CERTLM 导入设备证书/私钥时，GUI 似乎选择了一个已弃用的加密服务提供商 (CSP)，称为“Microsoft Strong Cryptographic Provider”；我想知道是否有办法通过向导或组策略或（其他方式）将其更改为“Microsoft Software Key Storage Provider”。

更多详细信息：供应商要求我通过以下行命令语法将 PFX 导入 Windows 11 本地计算机证书存储：

certutil -csp "Microsoft Software Key Storage Provider" -importpfx MyPathToCertificate.pfx NoExport

这与他们的软件配合得很好，但是当我之前尝试导入相同的 PFX 时，我使用 CERTLM (GUI) 将证书导入到同一位置（本地计算机/个人存储）。这在当时似乎有效（证书出现在那里），但导致了解密错误，如供应商日志中所示。

以下是我通过 CERTLM 导入的方式：

1. 我通过 UAC / 选择证书启动命令提示符（本地计算机）
2. 我使用默认选项将 PFX 导入到个人商店

运行以下命令后： Certutil -store My

我注意到证书有以下行： Provider = Microsoft Strong Cryptographic Provider

而 certutil 命令明确选择“Microsoft Software Key Storage Provider”

根据https://www.pkisolutions.com/understanding-microsoft-crypto-providers/，“Microsoft Strong Cryptographic Provider”是一个已弃用的旧提供程序，而“Microsoft Software Key Storage Provider”是使用新密钥的现代首选。

不同的 CSP 解释了为什么供应商的应用程序在原始导入后无法工作，我理解为什么 MS 会选择“旧”提供程序作为向后兼容性的默认提供程序，但我很好奇是否有方法在执行时指定 CSP今后将通过 CERTLM 进行导入。

问题

"The issuer of this certificate could not be found."我已经通过 AD 证书服务创建了一个证书，但尽管 PFX 中存在完整的链，但它还是出现错误。

语境

我使用标准模板从我们组织的 AD 证书服务服务器创建了一个代码签名证书code signing，并导出创建的证书（带有可导出的私钥）。

尽管我们的根证书在所有公司设备上都受到信任，但我们在使用此证书签署代码时遇到了问题。

经过调查，如果我将 PFX 转换为 PEM（文件扩展名为.CER）并在文本编辑器中打开它，我可以看到 PEM 文件中列出的客户端、中间和根证书。但是，如果我双击此 CER 文件（即在 中打开它crypto shell extensions），证书路径选项卡仅显示客户端证书并将证书状态显示为"The issuer of this certificate could not be found."。

查看客户端的颁发者，它正确命名了中间证书。

如果我将中间证书和根证书从 PEM 文件复制到自己的证书中，将其另存为 .CER 并打开它，则中间证书和根证书会正确列出。客户端的与中间体的issuer完全匹配；issued to并且客户端的与中间体的issuer完全匹配。subject name

要将 PFX 转换为 PEM，我正在使用openssl.exe pkcs12 -in "mycert.pfx" -out "mycert.cer" -nokeys -passin "pass:mypassword"

与任何 IT 环境一样，Web 服务器证书的数量在不断增加。随着持续时间缩短至 1 年，如果此类流程未实现自动化，则管理工作量会同时增加。目前我们有一个基于 MS ADCS 的简单 PKI。

我从来没有将 Web 服务器（主要是带有 IIS、Apache、Tomcat...的 Windows Server）证书的颁发委托给 Web 服务器，因为我无法控制在使用 Microsoft 板载资源的 Web 服务器请求中指定了哪个域。即使您仍然可以将展览限制在某些群体中。

这是一个技术示例

我很想知道其他人的情况如何，以及其他人是否也越来越多地达到此处所述的地步。从 CA 的角度来看，我宁愿有一个可以控制哪些服务器请求哪个 Web 服务器证书的生命周期。从纯粹的管理和成本角度来看，很容易为所有人发布模板。

这是我到目前为止所做的。

1. 在 CentOS 上使用 docker 安装 AWX 2.9。
2. 使用证书身份验证通过 AWX 和 WinRM 成功管理 Windows 节点 (8,10)。（这里没问题）
3. 最近获得了一个 Windows 11 节点，并且通过 AWX 的证书身份验证失败。错误是

"msg": "certificate: ('Connection aborted.', OSError("(104, 'ECONNRESET')",))"

4. 与其他 Windows 版本一样，相同的脚本用于在 Windows 11 系统中启用 PS 远程处理。

5. 另请注意，基本身份验证适用于 Windows 11 系统。所以我怀疑证书身份验证存在一些问题。

6. 此外，ansible 控制器的证书位于 Windows 客户端的 Trusted People 和 Trusted Root 存储中。此证书是自签名的。

7. 在互联网上度过了 2 天。不知从何开始。

任何帮助是极大的赞赏。

我们在 Windows Server 2019 上运行 Microsoft 证书颁发机构。我们通过 MDM 向 Android 设备颁发证书。Android 设备用户使用需要客户端证书的 Chrome Web 浏览器（在 Android 上）浏览到 Web 应用程序（由 Apache 托管，在 PHP 8 中实现）。

我们正在安装一个具有 Microsoft OCSP 响应者角色的单独 Windows Server 2019 实例，以验证/验证提交给 Apache Web 服务器的客户端证书是否有效。Apache 有几个指令来处理 OCSP 验证。我们还想在 PHP 中验证证书以提高安全性。

根据我阅读多个 RFC 和 Microsoft 技术文档的研究，Microsoft OCSP Responder 似乎通过引用 CRL 来验证证书的吊销状态。

如果证书已从 CA 中删除而不是吊销，Microsoft OCSP 响应程序如何验证证书？如果已删除且未撤销，它们将不会显示在 CRL 中。

我在这里错过了什么吗？Microsoft OCSP 响应程序是否会根据 CA 数据库验证序列号及其吊销状态？

最初的问题是，当您打开 Domino 控制台应用程序并尝试连接到服务器时，您会得到“服务器控制器未运行或未侦听端口 2050”。服务器控制器正在运行，并且正在侦听和接受端口 2050 上的连接。所有 Notes.ini 设置都已设置，等等）长话短说，我决定检查端口 2050 上的 TLS/SSL 版本，发现：

issuer:     C=US,2.5.4.17=#13053031383836,ST=MA,L=Westford,O=Lotus Development Corporation,OU=Iris,CN=DominoConsole
valid from: 2001-06-18 18:27:18 UTC
valid to:   2021-06-13 18:27:18 UTC

2021 年 6 月正是我们开始遇到麻烦的时候，从那以后我们就一直蹒跚前行。（顺便说一句，这不是 http/https 证书。该证书完全不同，设置为仅接受 TLS 1.2 并且是最新的。）

有没有办法更新或更换这个证书，或者是升级服务器的唯一选择？

使用 Ubuntu Focal 窝。我试图为 VPN 安装检查点 ssl 软件，但似乎有些东西弄乱了我的所有证书。现在每当我尝试

sudo apt-get update

我收到以下错误。

Get:1 file:/var/cudnn-local-repo-ubuntu2004-8.3.1.22  InRelease
Ign:1 file:/var/cudnn-local-repo-ubuntu2004-8.3.1.22  InRelease
Get:2 file:/var/cudnn-local-repo-ubuntu2004-8.3.1.22  Release [564 B]
Get:2 file:/var/cudnn-local-repo-ubuntu2004-8.3.1.22  Release [564 B]
Ign:3 https://dl.google.com/linux/chrome/deb stable InRelease
Ign:4 https://gitlab.com/feren-os/feren-repositories-neon-focal/raw/master stable InRelease        
Err:5 https://dl.google.com/linux/chrome/deb stable Release                                        
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 74.125.68.91 443]
Ign:6 https://dl.winehq.org/wine-builds/ubuntu focal InRelease                                     
Ign:7 https://gitlab.com/feren-os/feren-repositories-focal/raw/master stable InRelease             
Err:8 https://dl.winehq.org/wine-builds/ubuntu focal Release                                       
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 199.232.46.217 443]
Ign:9 https://packages.microsoft.com/repos/azure-cli focal InRelease                               
Err:10 https://gitlab.com/feren-os/feren-repositories-neon-focal/raw/master stable Release         
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 172.65.251.78 443]
Ign:11 https://packages.microsoft.com/repos/ms-teams stable InRelease                              
Err:12 https://gitlab.com/feren-os/feren-repositories-focal/raw/master stable Release              
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 172.65.251.78 443]
Err:13 https://packages.microsoft.com/repos/azure-cli focal Release                                
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 40.65.182.21 443]
Ign:14 https://download.docker.com/linux/ubuntu focal InRelease                                    
Ign:15 https://desktop-download.mendeley.com/download/apt stable InRelease                         
Err:16 https://packages.microsoft.com/repos/ms-teams stable Release                                
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 40.65.182.21 443]
Err:17 https://download.docker.com/linux/ubuntu focal Release                                      
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 13.33.33.8 443]
Err:19 https://desktop-download.mendeley.com/download/apt stable Release                           
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 162.159.130.86 443]
Ign:20 https://packagecloud.io/AtomEditor/atom/any any InRelease                                   
Ign:21 https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64  InRelease       
Err:22 https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64  Release         
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 152.199.39.144 443]
Hit:23 http://archive.ubuntu.com/ubuntu focal InRelease                                            
Hit:24 http://archive.canonical.com/ubuntu focal InRelease                                         
Ign:25 http://repo.vivaldi.com/stable/deb stable InRelease                                         
Hit:26 http://repo.vivaldi.com/stable/deb stable Release                                           
Hit:27 http://deb.volian.org/volian scar InRelease                                                 
Get:28 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]                           
Hit:29 http://ppa.launchpad.net/alessandro-strada/ppa/ubuntu focal InRelease                       
Err:30 https://packagecloud.io/AtomEditor/atom/any any Release                                     
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 52.52.107.175 443]
Get:31 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]                         
Hit:33 http://ppa.launchpad.net/inkscape.dev/stable/ubuntu focal InRelease                         
Get:34 http://archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]                  
Reading package lists... Done                                        
W: https://dl.google.com/linux/chrome/deb/dists/stable/InRelease: No system certificates available. Try installing ca-certificates.
W: https://gitlab.com/feren-os/feren-repositories-neon-focal/raw/master/dists/stable/InRelease: No system certificates available. Try installing ca-certificates.
W: https://dl.google.com/linux/chrome/deb/dists/stable/Release: No system certificates available. Try installing ca-certificates.
W: https://dl.winehq.org/wine-builds/ubuntu/dists/focal/InRelease: No system certificates available. Try installing ca-certificates.
W: https://gitlab.com/feren-os/feren-repositories-focal/raw/master/dists/stable/InRelease: No system certificates available. Try installing ca-certificates.
E: The repository 'https://dl.google.com/linux/chrome/deb stable Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: https://dl.winehq.org/wine-builds/ubuntu/dists/focal/Release: No system certificates available. Try installing ca-certificates.
W: https://packages.microsoft.com/repos/azure-cli/dists/focal/InRelease: No system certificates available. Try installing ca-certificates.
E: The repository 'https://dl.winehq.org/wine-builds/ubuntu focal Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: https://gitlab.com/feren-os/feren-repositories-neon-focal/raw/master/dists/stable/Release: No system certificates available. Try installing ca-certificates.
E: The repository 'https://gitlab.com/feren-os/feren-repositories-neon-focal/raw/master stable Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: https://packages.microsoft.com/repos/ms-teams/dists/stable/InRelease: No system certificates available. Try installing ca-certificates.
W: https://gitlab.com/feren-os/feren-repositories-focal/raw/master/dists/stable/Release: No system certificates available. Try installing ca-certificates.
E: The repository 'https://gitlab.com/feren-os/feren-repositories-focal/raw/master stable Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: https://packages.microsoft.com/repos/azure-cli/dists/focal/Release: No system certificates available. Try installing ca-certificates.
W: https://download.docker.com/linux/ubuntu/dists/focal/InRelease: No system certificates available. Try installing ca-certificates.
E: The repository 'https://packages.microsoft.com/repos/azure-cli focal Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: https://desktop-download.mendeley.com/download/apt/dists/stable/InRelease: No system certificates available. Try installing ca-certificates.
W: https://packages.microsoft.com/repos/ms-teams/dists/stable/Release: No system certificates available. Try installing ca-certificates.
W: https://download.docker.com/linux/ubuntu/dists/focal/Release: No system certificates available. Try installing ca-certificates.
E: The repository 'https://packages.microsoft.com/repos/ms-teams stable Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://download.docker.com/linux/ubuntu focal Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: https://desktop-download.mendeley.com/download/apt/dists/stable/Release: No system certificates available. Try installing ca-certificates.
E: The repository 'https://desktop-download.mendeley.com/download/apt stable Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: https://packagecloud.io/AtomEditor/atom/any/dists/any/InRelease: No system certificates available. Try installing ca-certificates.
W: https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64/InRelease: No system certificates available. Try installing ca-certificates.
W: https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64/Release: No system certificates available. Try installing ca-certificates.
E: The repository 'https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64  Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: https://packagecloud.io/AtomEditor/atom/any/dists/any/Release: No system certificates available. Try installing ca-certificates.
E: The repository 'https://packagecloud.io/AtomEditor/atom/any any Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

什么是出路，保存重新安装一切的核选项？N：有关存储库创建和用户配置的详细信息，请参见 apt-secure(8) 手册页。N：跳过获取配置文件“main/binary-i386/Packages”作为存储库“http://deb.volian.org/volian Scar InRelease”不支持架构“i386”

假设我有一个域的 TLS 证书，但我不确定是否所有可能通过 HTTP 连接的用户代理都会接受它。我能否获得另一个证书，由另一个证书颁发机构签名，并在这种情况下作为后备使用，对用户透明？如果可能，建立安全连接的客户端-服务器通信将如何进行？这个用例在流行的 HTTP 服务器的配置中是否广为人知并受支持？

我知道有类似的问题，但他们询问通过子域（可能）或路径前缀（不可能的 IIUC，因为在协商时服务器只知道权限，而不是完整的请求 URI）来改变使用的证书。

我有两个 Windows 系统与 AWS CloudHSM v2（cavium HSM）相关联。一方面，我生成了 CSR，并接受/添加了使用该 CSR 购买的证书。我可以签名并通过密钥容器从 HSM 正确提取私钥。

另一个签名是我的生产签名系统，它与现有证书一起正常工作，但是当我尝试添加新证书时，没有Key Container设置。我习惯于需要运行修复过程，但在这种情况下，我没有提供文件的 ID。

1. 认证"\Program Files\Amazon\CloudHSM\tools\set_cloudhsm_credentials.exe" --user REDACTED --password "..."
2. 添加证书certutil -addstore my my-new-cert.crt
3. 转储商店详细信息certutil -store my > cert_store_details.txt

    Serial Number: REDACTED
    Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=DigiCert, Inc., C=US
     NotBefore: 1/25/2022 12:00 AM
     NotAfter: 1/25/2023 11:59 PM
    Subject: CN=REDACTED, C=US, SERIALNUMBER=REDACTED, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
    Non-root Certificate
    Cert Hash(sha1): REDACTED
    No key provider information
    Cannot find the certificate and private key for decryption.

通常，我会创建一个 repair.txt 像这样在和之间使用Key Containerid但是，我没有其中一个，所以我不走运=&Container

        [Properties]
        11 = "" ; Add friendly name property
        2 = "{text}" ; Add Key Provider Information property
        _continue_="Container=&"
        _continue_="Provider=Cavium Key Storage Provider&"
        _continue_="Flags=0&"
        _continue_="KeySpec=2"    

如果我只是进行维修certutil -repairstore my "REDACTED"，那么我会被要求提供智能卡。哦，这台机器是 Windows Core 2016（所以没有 UI 或有限的 UI）。