Invalid CA certificate with self signed certificate chain

I have a self-signed certificate chain created with these commands, and I have configured it on an Apache server.

But when I try openssl s_client -showcerts -servername server -connect my-host.local:443 -CAfile all.crt

I get the error Verify return code: 24 (invalid CA certificate) from openssl.

Is there something wrong with the commands that generate the certificates, or with the config files?

Commands used to create the certificate chain

# self signed root cert
openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -days 3000 -key ca.key -out ca.crt -config ca.conf

# intermediate cert signed with the root cert
openssl genrsa -aes256 -out int.key 4096
openssl req -new -key int.key -out int.csr -config int.conf
openssl x509 -req -days 3000 -in int.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out int.crt

# leaf cert signed with the intermediate cert
openssl genrsa -aes256 -out leaf.key 4096
openssl req -new -key leaf.key -out leaf.csr -config leaf.conf
openssl x509 -req -days 3000 -in leaf.csr -CA int.crt -CAkey int.key -set_serial 01 -out leaf.crt

cat ca.crt int.crt leaf.crt > all.crt

These are the config files I used

ca.conf

[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
dirstring_type = nobmp
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = root
[ v3_ca ]
keyUsage=critical, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical,CA:TRUE,pathlen:1
extendedKeyUsage=serverAuth

int.conf

[ req ]
distinguished_name = req_distinguished_name
x509_extensions = ext
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = int
[ ext ]
keyUsage=critical, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:TRUE,pathlen:0
extendedKeyUsage=serverAuth

leaf.conf

[ req ]
distinguished_name = req_distinguished_name
dirstring_type = nobmp
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = leaf

The root CA certificate has to be marked as belonging to a CA:

A CA certificate must include the basicConstraints value with the CA field set to TRUE. An end user certificate must either set CA to FALSE or exclude the extension entirely. Some software may require the inclusion of basicConstraints with CA set to FALSE for end entity certificates.

This is done through the Basic Constraints standard extension. To check whether your root certificate has the CA attribute set, run openssl x509 -text -noout -in ca.crt and look for CA:TRUE in the output. Note that OpenSSL actually lets you sign other certs with a non-CA root cert (or at least it used to), but verification of such certificates will fail (because the CA check fails).

With your config file, it should be enough to include -extensions v3_ca in the command that generates the root certificate:

openssl req -new -x509 -extensions v3_ca -days 3000 -key ca.key -out ca.crt -config ca.conf
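The script below is an added example, not code from the question or the answer above. It builds the same root / intermediate / leaf chain, runs the CA:TRUE check the answer describes on every certificate, validates the chain with openssl verify the way s_client does with -CAfile, and then reproduces the question's "invalid CA certificate" (error 24) by signing the intermediate CSR with "openssl x509 -req" and no -extfile, which leaves the intermediate without any basicConstraints extension. Assumptions: the openssl CLI (1.1.1 or 3.x) is on PATH, keys are generated unencrypted so nothing prompts for a passphrase (the question used -aes256), 2048-bit RSA is used for speed, and the CN values root/int/leaf and the host name my-host.local are taken from the question.

```shell
#!/bin/sh
# Added example (not from the question or the answer): build a three-level
# chain, check basicConstraints on each cert, verify the chain, and reproduce
# the "invalid CA certificate" failure with an extension-less intermediate.
# Assumptions: openssl CLI on PATH, unencrypted 2048-bit RSA keys, names taken
# from the question (CN=root/int/leaf, host my-host.local).
set -eu

# Nothing below can run without the CLI, so skip (exit 0) rather than fail.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
cd "$WORK"

# One config file with one extension section per certificate role. The CA
# sections are what the question's intermediate never received: its
# "openssl x509 -req" call had no -extfile/-extensions, so int.crt carried no
# basicConstraints at all and OpenSSL refused to treat it as a CA.
cat > chain.conf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:my-host.local
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

new_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

# Root: self-signed, CA extensions selected explicitly with -extensions.
make_root() {
    new_key ca.key
    openssl req -new -x509 -days 3000 -key ca.key -subj "/CN=root" \
        -config chain.conf -extensions v3_ca -out ca.crt
}

# "openssl x509 -req" only adds extensions when told where to find them,
# hence -extfile plus -extensions on every signing call.
make_intermediate() {
    new_key int.key
    openssl req -new -key int.key -subj "/CN=int" -config chain.conf -out int.csr
    openssl x509 -req -days 3000 -in int.csr -CA ca.crt -CAkey ca.key \
        -set_serial 1001 -extfile chain.conf -extensions v3_int -out int.crt 2>/dev/null
}

make_leaf() {
    new_key leaf.key
    openssl req -new -key leaf.key -subj "/CN=leaf" -config chain.conf -out leaf.csr
    openssl x509 -req -days 3000 -in leaf.csr -CA int.crt -CAkey int.key \
        -set_serial 2001 -extfile chain.conf -extensions v3_leaf -out leaf.crt 2>/dev/null
}

# The check from the answer: does the certificate carry basicConstraints CA:TRUE?
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Path validation from the trusted root with the intermediate as untrusted
# input; this is the same check s_client performs against -CAfile.
verify_chain() { openssl verify -CAfile ca.crt -untrusted int.crt leaf.crt >/dev/null 2>&1; }

# Reproduce the question's chain: sign the same intermediate CSR with no
# extension section, then confirm OpenSSL reports the question's error 24.
sign_intermediate_without_extensions() {
    openssl x509 -req -days 3000 -in int.csr -CA ca.crt -CAkey ca.key \
        -set_serial 1002 -out int-noext.crt 2>/dev/null
}
broken_chain_reports_invalid_ca() {
    openssl verify -CAfile ca.crt -untrusted int-noext.crt leaf.crt 2>&1 \
        | grep -q 'invalid CA certificate'
}

make_root
make_intermediate
make_leaf
sign_intermediate_without_extensions

for c in ca.crt int.crt int-noext.crt leaf.crt; do
    if is_ca "$c"; then echo "$c: CA:TRUE"; else echo "$c: not a CA"; fi
done
verify_chain && echo "chain with proper intermediate: OK"
broken_chain_reports_invalid_ca && echo "chain with extension-less intermediate: invalid CA certificate"
```

Run it as sh chain.sh; it works in a temporary directory and prints which certificates are CAs and the result of both verifications. The point it demonstrates is that every issuing certificate in the path, not only the root, must carry basicConstraints CA:TRUE, and that with "openssl x509 -req" that only happens when -extfile and -extensions name a section that sets it.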