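I created a self-signed certificate by following these instructions: http://apetec.com/support/GenerateSAN-CSR.htm. However, the certificate always fails verification, and my TLS connection program cannot establish a connection using it.
Any idea why, and how to fix it?
Below are the commands used to generate the certificate, and the verification result.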
$ openssl genrsa -out private.key 2048
$ openssl req -new -out public.csr -key private.key -config openssl.conf
$ openssl req -text -noout -in public.csr
$ openssl x509 -req -days 365 -in public.csr -signkey private.key -out public.crt -extensions v3_req -extfile openssl.conf
$ openssl verify -CAfile public.crt public.crt
public.crt: O = My Company, L = My Town, ST = State or Providence, C = US
error 20 at 0 depth lookup:unable to get local issuer certificate
Below is openssl.conf. The IP address is partially redacted.
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 1xx.1x.1xx.xxx
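Best answer
What you generated is a self-signed root certificate. OpenSSL tries to verify a certificate by chaining it to a trusted root that exists in its certificate store. Since yours is (obviously) not in that store, it will always fail.
Here are three ways to get rid of the warning:
Disable certificate verification
This is generally not a good idea, because without certificate verification you have completely disabled the identity component of the TLS handshake. Use it only in development (and never let it leak into production!)
Add your root certificate to the trust store
This will work if you are willing to install the certificate on every machine that needs to talk to this endpoint. (For OpenSSL, this is a ca_bundle file in a distribution-specific location)
Buy a certificate from a CA
Easiest, but it also costs $$$. If you do this, the site where you install this certificate will be trusted globally.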
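The second option above (trusting the certificate explicitly), as an added example that is not part of the original question or answer: it issues a self-signed certificate with an IP SAN and verifies it against itself as the only named trust anchor, including the IP check. Assumptions: the address 192.0.2.10, the function names and the `v3_self` section are made up for illustration, and the certificate uses `CA:TRUE` with `keyCertSign` (unlike the question's `v3_req` section) so that it can act as its own issuer.

```shell
#!/bin/sh
# Added example; all values are constructed. 192.0.2.10 is a documentation address.

# Create a self-signed certificate with an IP SAN in directory $1.
make_cert() {
  cat > "$1/openssl.conf" <<'EOF'
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_self
[ dn ]
O = My Company
CN = 192.0.2.10
[ v3_self ]
# Assumption: CA:TRUE plus keyCertSign, so the certificate can act as its own issuer.
basicConstraints = critical, CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 192.0.2.10
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/openssl.conf" \
    -keyout "$1/private.key" -out "$1/public.crt" 2>/dev/null
}

# Exit 0 only if certificate $2 chains to the anchor file $1 and its SAN lists IP $3.
verify_pinned() {
  openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

# Demo run in a scratch directory.
demo_dir=$(mktemp -d)
make_cert "$demo_dir"
verify_pinned "$demo_dir/public.crt" "$demo_dir/public.crt" 192.0.2.10 \
  && echo "trusted anchor, matching IP SAN: verified"
verify_pinned "$demo_dir/public.crt" "$demo_dir/public.crt" 192.0.2.99 \
  || echo "trusted anchor, wrong IP: rejected"
rm -rf "$demo_dir"
```

Because the trusted certificate is `CA:TRUE`, whoever holds `private.key` can issue further certificates that clients trusting `public.crt` will accept, so the key needs the protection of a CA key.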
About "security - Self-signed SAN certificate fails verification": we found a similar question on Stack Overflow: https://stackoverflow.com/questions/16699192/