I have a self-signed certificate chain created with the commands below and have configured it on an Apache server,
but when I try openssl s_client -showcerts -servername server -connect my-host.local:443 -CAfile all.crt
I get an error from openssl: Verify return code: 24 (invalid CA certificate)
Is there a problem with the commands that generate the certificates, or with the configuration files?
The commands used to create the certificate chain
# self signed root cert
openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -days 3000 -key ca.key -out ca.crt -config ca.conf
# intermediate cert signed with the root cert
openssl genrsa -aes256 -out int.key 4096
openssl req -new -key int.key -out int.csr -config int.conf
openssl x509 -req -days 3000 -in int.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out int.crt
# leaf cert signed with the intermediate cert
openssl genrsa -aes256 -out leaf.key 4096
openssl req -new -key leaf.key -out leaf.csr -config leaf.conf
openssl x509 -req -days 3000 -in leaf.csr -CA int.crt -CAkey int.key -set_serial 01 -out leaf.crt
cat ca.crt int.crt leaf.crt > all.crt
These are the configuration files I used
ca.conf
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
dirstring_type = nobmp
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = root
[ v3_ca ]
keyUsage=critical, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical,CA:TRUE,pathlen:1
extendedKeyUsage=serverAuth
int.conf
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = ext
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = int
[ ext ]
keyUsage=critical, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:TRUE,pathlen:0
extendedKeyUsage=serverAuth
leaf.conf
[ req ]
distinguished_name = req_distinguished_name
dirstring_type = nobmp
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = leaf
Accepted answer
The CA root certificate has to be marked as belonging to a CA:
A CA certificate must include the basicConstraints value with the CA field set to TRUE. An end user certificate must either set CA to FALSE or exclude the extension entirely. Some software may require the inclusion of basicConstraints with CA set to FALSE for end entity certificates.
This is done through the basicConstraints standard extension. To check whether your root certificate has the CA
attribute set, run openssl x509 -text -noout -in ca.crt
and look for CA:True
in the output. Note that OpenSSL will actually let you sign other certs with a non-CA root cert (or at least it used to), but verification of such certificates will fail (because the CA check will fail).
With your configuration files, it should be enough to include -extensions v3_ca in the command that generates the root certificate:
openssl req -new -x509 -extensions v3_ca -days 3000 -key ca.key -out ca.crt -config ca.conf
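The check the answer describes, applied to every certificate in the chain rather than only the root, as an added example written for this page (it is not the original poster's commands, Apache configuration, or the answerer's code). The script builds a root, intermediate and leaf with the CA extensions supplied explicitly at each signing step, including the openssl x509 -req steps, which do not carry extensions over from the CSR; it then reports each certificate's basicConstraints CA flag and verifies the leaf the way a TLS client would. To show the failure mode behind verify code 24, it also signs a second copy of the intermediate CSR without an extension file and verifies the leaf through that copy. It assumes a working openssl (1.1.1 or 3.x) on PATH; the keys are left unencrypted, and the names, serials, validity periods and the my-host.local SAN are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this page (not the original poster's or the answerer's
# commands): root -> intermediate -> leaf with CA extensions supplied at
# every signing step, then a CA-flag check per certificate and a chain
# verification. Keys are unencrypted; names, serials and the SAN are
# constructed for the demo. Files are left in $WORK for inspection.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One extension file with a section per tier (constructed for this demo).
# openssl req wants a [req] section with distinguished_name even when -subj
# is given, so a minimal one is included. subjectKeyIdentifier is listed
# before authorityKeyIdentifier so keyid:always resolves on the self-signed root.
write_ext_file() {
    cat > "$WORK/ext.conf" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:my-host.local
EOF
}

# 2048-bit RSA keeps the demo fast; key generation chatter is discarded.
gen_key() {
    openssl genrsa -out "$1" 2048 >/dev/null 2>&1
}

build_chain() {
    write_ext_file

    # Root: req -x509 applies the section named by -extensions to the cert.
    gen_key "$WORK/ca.key"
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" -subj "/CN=root" \
        -config "$WORK/ext.conf" -extensions v3_ca -out "$WORK/ca.crt"

    # Intermediate: x509 -req only adds extensions given via -extfile/-extensions.
    gen_key "$WORK/int.key"
    openssl req -new -key "$WORK/int.key" -subj "/CN=int" \
        -config "$WORK/ext.conf" -out "$WORK/int.csr"
    openssl x509 -req -days 365 -in "$WORK/int.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial 01 -extfile "$WORK/ext.conf" -extensions v3_int -out "$WORK/int.crt" 2>/dev/null

    # Same CSR signed with no extension file: a v1 certificate with no
    # basicConstraints, which no verifier accepts as a CA.
    openssl x509 -req -days 365 -in "$WORK/int.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial 02 -out "$WORK/bad_int.crt" 2>/dev/null

    # Leaf: end-entity extensions, signed by the intermediate.
    gen_key "$WORK/leaf.key"
    openssl req -new -key "$WORK/leaf.key" -subj "/CN=my-host.local" \
        -config "$WORK/ext.conf" -out "$WORK/leaf.csr"
    openssl x509 -req -days 365 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -set_serial 01 -extfile "$WORK/ext.conf" -extensions v3_leaf -out "$WORK/leaf.crt" 2>/dev/null

    # Server bundle: leaf first, then the intermediate.
    cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/chain.crt"
}

# Print the CA flag from basicConstraints ("CA:TRUE" or "CA:FALSE"), or
# nothing when the certificate carries no basicConstraints at all.
ca_flag() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*\(CA:[A-Z]*\).*/\1/p' | head -n 1
}

# "ok" when the leaf validates against the root through the given
# intermediate, "fail" otherwise (the s_client "Verify return code: 24" case).
verify_leaf() {
    if openssl verify -CAfile "$WORK/ca.crt" -untrusted "$1" "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

build_chain
for c in ca int bad_int leaf; do
    printf '%-8s basicConstraints: %s\n' "$c" "$(ca_flag "$WORK/$c.crt")"
done
printf 'leaf via int.crt:     %s\n' "$(verify_leaf "$WORK/int.crt")"
printf 'leaf via bad_int.crt: %s\n' "$(verify_leaf "$WORK/bad_int.crt")"
```

The same ca_flag check can be pointed at each file of an existing bundle (for example the ca.crt, int.crt and leaf.crt from the question) to see at a glance which certificate in a chain is missing CA:TRUE before touching the Apache configuration.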
A similar question on Stack Overflow (apache - invalid CA certificate with a self-signed certificate chain): https://stackoverflow.com/questions/53881437/