tej*_*jas 5 apache ssl openssl self-signed ssl-certificate
我有一个带有这些命令的自签名证书链,并在Apache服务器上对其进行了配置
但是当我尝试 openssl s_client -showcerts -servername server -connect my-host.local:443 -CAfile all.crt
我从openssl收到错误 Verify return code: 24 (invalid CA certificate)
用于生成证书的命令或配置文件是否有问题?
# self signed root cert
openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -days 3000 -key ca.key -out ca.crt -config ca.conf
# intermediate cert signed with the root cert
openssl genrsa -aes256 -out int.key 4096
openssl req -new -key int.key -out int.csr -config int.conf
openssl x509 -req -days 3000 -in int.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out int.crt
# leaf cert signed with the intermediate cert
openssl genrsa -aes256 -out leaf.key 4096
openssl req -new -key leaf.key -out leaf.csr -config leaf.conf
openssl x509 -req -days 3000 -in leaf.csr -CA int.crt -CAkey int.key -set_serial 01 -out leaf.crt
cat ca.crt int.crt leaf.crt > all.crt
ca.conf
[REQ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
dirstring_type = nobmp
[req_distinguished_name]
COMMONNAME =通用名称(例如,您的姓名)
commonName_default =根
[v3_ca]
的keyUsage =关键的,keyCertSign
执行subjectKeyIdentifier =散列
执行authorityKeyIdentifier = KEYID:总是,发行者:总是
basicConstraints =严重,CA:真,路径:1
extendedKeyUsage = serverAuthint.conf
[req]
杰出名称= req_distinguished_name
x509_extensions = ext
[req_distinguished_name]
commonName =通用名称(例如,您的名字)
commonName_default = int
[ext]
keyUsage = critical,keyCertSign
subjectKeyIdentifier = hash
AuthorityKeyIdentifier = keyid:always,
issues :总是,pathlen:0
extendedKeyUsage = serverAuthleaf.conf
[req]
专有名称= req_distinguished_name
dirstring_type = nobmp
[req_distinguished_name]
commonName =通用名称(例如,您的名称)
commonName_default = leaf
mni*_*tic 15
CA 根证书必须标记为属于 CA:
CA 证书必须包含 basicConstraints 值,且 CA 字段设置为 TRUE。最终用户证书必须将 CA 设置为 FALSE 或完全排除扩展。对于最终实体证书,某些软件可能需要包含 CA 设置为 FALSE 的 basicConstraints。
这是通过基本约束标准扩展来完成的。要检查您的根证书是否已CA设置属性,请运行并在输出中openssl x509 -text -noout -in ca.crt查找。CA:True请注意,OpenSSL 实际上会让您使用非 CA 根证书(或至少习惯于)签署其他证书,但此类证书的验证将失败(因为 CA 检查将失败)。
使用您的配置文件,只需-extensions v3_ca在命令中包含生成根证书就足够了:
openssl req -new -x509 -extensions v3_ca -days 3000 -key ca.key -out ca.crt -config ca.conf -extfile ca.conf
| 归档时间: |
|
| 查看次数: |
2685 次 |
| 最近记录: |