IIS的个人CA签名证书给出了“此证书对于所选用途无效”错误

Question

IIS的个人CA签名证书给出了“此证书对于所选用途无效”错误

我使用OpenSSL创建了一个CA，并用它来为我的本地主机签名证书，并在我的本地主机Preview-localhost上创建辅助DNS条目。我已将CA证书安装到计算机上的“受信任的根证书”中，并将本地主机证书添加到IIS。当查看签名的本地主机证书时，会看到以下错误：

签署的本地主机证书签名的本地主机路径

已安装的CA证书表示该证书适用于其查看器上的所有发行和应用程序策略。我已经包括了来自OpenSSL的两个证书的输出。我已经用<description text>替换了所有敏感（以及一些不敏感的信息）。

CA证书

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        <Serial Number
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Validity
        Not Before: Apr 27 16:17:41 2015 GMT
        Not After : Apr 24 16:17:41 2025 GMT
    Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                <Modulus>
            Exponent: <Exponent>
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            <Subject Key Identifier>
        X509v3 Authority Key Identifier:
            keyid:<keyid>
        X509v3 Basic Constraints:
            CA:TRUE
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:preview-localhost
Signature Algorithm: sha256WithRSAEncryption
     <Signature>

Run Code Online (Sandbox Code Playgroud)

本地主机证书

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        <Some Serial Number>
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Validity
        Not Before: Apr 27 18:09:18 2015 GMT
        Not After : Apr 26 18:09:18 2016 GMT
    Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
CN=localhost/emailAddress=<Email Address>
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)
            Modulus:
                <Modulus>
            Exponent: <Exponent>
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            <SKI>
        X509v3 Authority Key Identifier:
            keyid:<KEY ID>

        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:preview-localhost
Signature Algorithm: sha256WithRSAEncryption
     <Signature>

Run Code Online (Sandbox Code Playgroud)

非常感谢您找出为什么我的本地主机证书无法遵循CA路径的任何帮助。谢谢！

Answer 1

小智 3

创建 CA 时，您可能需要在 openssl.cnf 的 X509_extensions 部分中指定以下 keyUsage：

keyUsage = keyCertSign, cRLSign

Run Code Online (Sandbox Code Playgroud)

为了澄清起见，您的配置文件应包含以下内容：

[ CA_default]
...
x509_extensions = ca_extensions
...
[ ca_extensions ]
keyUsage = keyCertSign, cRLSign
...

Run Code Online (Sandbox Code Playgroud)

请参阅如何向证书颁发机构签署证书签名请求？有关该过程的非常详细的解释。

归档时间：	10 年，8 月前
查看次数：	2471 次
最近记录：	10 年，3 月前