Python pyopenssl 签名证书错误 (Firefox: SEC_ERROR_REUSED_ISSUER_AND_SERIAL, chrome: ERR_CERT_AUTHORITY_INVALID)
Python pyopenssl signed certificate error (Firefox: SEC_ERROR_REUSED_ISSUER_AND_SERIAL, chrome: ERR_CERT_AUTHORITY_INVALID)
我正在为研究所的一个项目创建防病毒软件。作为项目的一部分,我正在尝试创建一个可以拦截 https 数据的代理服务器。
为此,我创建了一个 CA 证书并将其附加到 Firefox 和 Windows 存储。它是使用以下方法创建的:
from OpenSSL import crypto
import os
KEY_FILE = "self_sertificate.key"
CERT_FILE = "self_sertificate.crt"
def get_self_sert():
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048)
cert = crypto.X509()
cert.set_version(2)
cert.get_subject().C = "US"
cert.get_subject().ST = "State"
cert.get_subject().L = "City"
cert.get_subject().O = "Organization"
cert.get_subject().OU = "Organization CA"
cert.get_subject().CN = "Organization CA"
cert.set_serial_number(24695562)
cert.add_extensions([
crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert),
])
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha256')
return cert,k
def create_self_signed_cert(dir='\cert'):
cert,k = get_self_sert()
with open(os.path.join(os.getcwd() + dir, CERT_FILE), "wb") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(os.path.join(os.getcwd() + dir, KEY_FILE), "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
后续证书的创建:
def create_cert_req(url):
pKey = crypto.PKey()
pKey.generate_key(crypto.TYPE_RSA, 2048)
req = crypto.X509Req()
subj = req.get_subject()
subj.C = 'US'
subj.ST = 'State'
subj.L = 'City'
subj.O = 'Organization'
subj.OU = 'Organization CA'
subj.CN = url
subj.emailAddress = 'example@example.org'
req.set_pubkey(pKey)
req.sign(pKey,'sha256')
return req
def create_signed_cert_demo(url,serial=106570068,dir='\lib\cert\',cert_name=str(random.randint(100000,1000000))):
req = create_cert_req(url)
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(os.getcwd() + dir + CERT_FILE).read())
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(os.getcwd() + dir + KEY_FILE).read())
cert = crypto.X509()
cert.set_version(2)
cert.set_serial_number(serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(ca_cert.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.add_extensions([crypto.X509Extension(b"subjectAltName", False, b"DNS:" + url.encode())])
cert.sign(ca_key,'sha256')
with open(os.path.join(os.getcwd() + dir, cert_name+'.crt'), "wb") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(os.path.join(os.getcwd() + dir, cert_name+'.key'), "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM,cert.get_pubkey()))
return cert_name+'.crt',cert_name+'.key'
然后创建了一个接受 https 连接并创建新证书的代理:
cert_crt,cert_key = certificate.create_signed_cert_demo(headers['host']) # Calling the function that creates the certificate
print('\lib\cert\'+cert_crt)
print('\lib\cert\'+cert_key)
conn = ssl.wrap_socket(conn,server_side=True,certfile=os.getcwd() +'\lib\cert\'+cert_crt,keyfile=os.getcwd() +'\lib\cert\'+cert_key)
data = conn.recv(1024)
当我通过浏览器访问 http 站点时,我的代理工作正常,但是当我访问 https 站点时,出现错误:
Firefox:
SEC_ERROR_REUSED_ISSUER_AND_SERIAL
Chrome:
ERR_CERT_AUTHORITY_INVALID
Python 错误:
File "Proxy.py", line 102, in <module>
conn.start()
File "Proxy.py", line 52, in start
conn = ssl.wrap_socket(conn,server_side=True,certfile=os.getcwd() +'\lib\cert\'+cert_crt,keyfile=os.getcwd() +'\lib\cert\'+cert_key)
File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1405, in wrap_socket
return context.wrap_socket(
File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1040, in _create
self.do_handshake()
File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1108)
证书示例:
加州
-----BEGIN CERTIFICATE-----
MIIDoTCCAomgAwIBAgIEAXjTCjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
UzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNVBAoMDE9yZ2Fu
aXphdGlvbjEYMBYGA1UECwwPT3JnYW5pemF0aW9uIENBMRgwFgYDVQQDDA9Pcmdh
bml6YXRpb24gQ0EwHhcNMjAwNjMwMDYxODAzWhcNMzAwNjI4MDYxODAzWjB3MQsw
CQYDVQQGEwJVUzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNV
BAoMDE9yZ2FuaXphdGlvbjEYMBYGA1UECwwPT3JnYW5pemF0aW9uIENBMRgwFgYD
VQQDDA9Pcmdhbml6YXRpb24gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCywk1rl4sltY6c3yfLVplhYjCkXHsZIUsTxr58rdX6igKiY6iNuSE5mhAo
dT/im0sTuFbn7EK4iopjlAqOJ0zo6abp2pkD2aCG2OC+3tl0brzim7yeG4TtPY/A
HoWh/Ax3csrGgVxWQjjNDJTgDqiC6u3rP75JjF0dqyF+0XyPOK+IjrKzzFDyTsI9
vC+rSGEi78Lo0x+Gx5FGBdaZXP8nMRaaTDagWTI37dijb0Cx2BaRxeQUUqX7tp/W
ilGxb5swu0/CLKDv9k0IPeqiMax/YFZTjg9efUkUBtT4nTJi4QXkwAv1sF9InmMm
/kVcihVvtic+lCbDvGKbheY9XcrvAgMBAAGjNTAzMBIGA1UdEwEB/wQIMAYBAf8C
AQAwHQYDVR0OBBYEFNo5o+5ea0sNMlW/75VgGJCv2AcJMA0GCSqGSIb3DQEBCwUA
A4IBAQB2s+HyTJN0M83Ovvyl8TAOI1jDRHqe48mWSYgBTEge7kSu/BwIdfz3W/S2
M2MN8kdm0T8s0+s2Hqwo5kgfoI2QVahNB0gHhycE+Pnmvey6rfgvaRzCU1UvnLJu
PhSJaAth0IOVifcfCIWdVSVwRslJPwr/VkSR8al6bMA9ZVQ2lcw8NqtHZkVDFidZ
GdJefC9cS+M+1B9T/uR+cXJTBTdOKzwilwLFwP5NoPdQEg3OgFjWWaYyvdMM/DLO
YSqn/Uuc7+eJfFPPLgai1Rgkx912HWvQz/C8R3UHopii/789AfnWp3Nq7wNjAITK
lgjuq1T/u7kCvn9sBzBFUlN7akCT
-----END CERTIFICATE-----
example.org
-----BEGIN CERTIFICATE-----
MIIDpzCCAo+gAwIBAgIEBlohVDANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
UzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNVBAoMDE9yZ2Fu
aXphdGlvbjEYMBYGA1UECwwPT3JnYW5pemF0aW9uIENBMRgwFgYDVQQDDA9Pcmdh
bml6YXRpb24gQ0EwHhcNMjAwNjMwMDYzMDA3WhcNMzAwNjI4MDYzMDA3WjCBlzEL
MAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRUwEwYD
VQQKDAxPcmdhbml6YXRpb24xGDAWBgNVBAsMD09yZ2FuaXphdGlvbiBDQTEUMBIG
A1UEAwwLZXhhbXBsZS5vcmcxIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBs
ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCbPNPw/IdWx67
aY8H6ODRhxum/sdll9PjYgkrvGbJoERPUthaON/MaIMAHZXuqnXITwYL3FgFzZ/f
YlbCWoTapT/+N9/jnjR0XZEhIBubK+Asgy/pmQ5Nq0bjT7agMhp5z4eqKjXgziNf
6BdPdb5MDXIlvZ50Nm3b6wTx16yCvZ1tcCnkv+8vj/ADcq5/soPI/pI0mBv/MTI/
AzAC0OvAMXEoG2KX2GHl8F3CA+4PnsUnhY7PBJJ8XuG9tmbgD5zDUe9v4KmwIw7H
L6oMc8Dij+Z1gU7zCKyTMyuiS0yoIziPixFGY7ApVkr7LVF1z0y0snZffDdMrFnP
Zrg64D/FAgMBAAGjGjAYMBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMA0GCSqGSIb3
DQEBCwUAA4IBAQB6fRWks0FanwRVBsTVHpAJmoUSVf7PxyhH+/ZXJx5L74wT587B
sbjefwFlDMHimsyFHJxLBK7A/HPbkbNIioW2rmBHdipTSs4s6X/wQTJjLt9YvCs6
l4LzZ5Iqs68PvkgVMRkbOZKbPbIBEW2qe2zg++BB3ye9EWhE/jGa338+RvwzwnVn
f8EV1KIKtK9p9rUQPaY/ipV+8E74oDoL0Hk/M4qobjpCJEQzI/triORzDefdjZ50
UVpVbsOMjtlhymUon/h8OluwY0to/ehjs1RD6KIxZ6sjK0cERMotSSzYnlQh7xW8
8ZxXEYF2jVJkqSLnW9QDrK6tGZJ/MbeRqJKc
-----END CERTIFICATE-----
SEC_ERROR_REUSED_ISSUER_AND_SERIAL
您对同一 CA 颁发的不同证书使用相同的序列号(硬编码为 106570068)。但是每个CA颁发的证书必须有不同的序列号。
ERR_CERT_AUTHORITY_INVALID
CA 可能没有作为受信任的 CA 正确导入浏览器。但它也可能只是一个稍微错误且不太具体的错误消息,由 Firefox 显示的基本相同的问题触发。
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1108)
这只是浏览器拒绝证书的副作用。
事实证明,浏览器会在单个会话中记住证书。要解决此问题,您需要保存证书并使用它们。
更新函数 create_signed_cert_demo:
def create_signed_cert_demo(url,serial=random.randint(1,100000000),dir='\lib\cert\',cert_name=str(random.randint(100000,1000000))):
dir_list = os.listdir(os.getcwd() + dir)
if url + '.crt' in dir_list:
return url + '.crt', url + '.key'
req = create_cert_req(url)
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(os.getcwd() + dir + CERT_FILE).read())
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(os.getcwd() + dir + KEY_FILE).read())
cert = crypto.X509()
cert.set_version(2)
cert.set_serial_number(serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(ca_cert.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.add_extensions([crypto.X509Extension(b"subjectAltName", False, b"DNS:" + url.encode())])
cert.sign(ca_key,'sha256')
with open(os.path.join(os.getcwd() + dir, url+'.crt'), "wb") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(os.path.join(os.getcwd() + dir, url+'.key'), "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM,cert.get_pubkey()))
return url+'.crt',url+'.key'
我正在为研究所的一个项目创建防病毒软件。作为项目的一部分,我正在尝试创建一个可以拦截 https 数据的代理服务器。 为此,我创建了一个 CA 证书并将其附加到 Firefox 和 Windows 存储。它是使用以下方法创建的:
from OpenSSL import crypto
import os
KEY_FILE = "self_sertificate.key"
CERT_FILE = "self_sertificate.crt"
def get_self_sert():
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048)
cert = crypto.X509()
cert.set_version(2)
cert.get_subject().C = "US"
cert.get_subject().ST = "State"
cert.get_subject().L = "City"
cert.get_subject().O = "Organization"
cert.get_subject().OU = "Organization CA"
cert.get_subject().CN = "Organization CA"
cert.set_serial_number(24695562)
cert.add_extensions([
crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert),
])
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha256')
return cert,k
def create_self_signed_cert(dir='\cert'):
cert,k = get_self_sert()
with open(os.path.join(os.getcwd() + dir, CERT_FILE), "wb") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(os.path.join(os.getcwd() + dir, KEY_FILE), "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
后续证书的创建:
def create_cert_req(url):
pKey = crypto.PKey()
pKey.generate_key(crypto.TYPE_RSA, 2048)
req = crypto.X509Req()
subj = req.get_subject()
subj.C = 'US'
subj.ST = 'State'
subj.L = 'City'
subj.O = 'Organization'
subj.OU = 'Organization CA'
subj.CN = url
subj.emailAddress = 'example@example.org'
req.set_pubkey(pKey)
req.sign(pKey,'sha256')
return req
def create_signed_cert_demo(url,serial=106570068,dir='\lib\cert\',cert_name=str(random.randint(100000,1000000))):
req = create_cert_req(url)
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(os.getcwd() + dir + CERT_FILE).read())
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(os.getcwd() + dir + KEY_FILE).read())
cert = crypto.X509()
cert.set_version(2)
cert.set_serial_number(serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(ca_cert.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.add_extensions([crypto.X509Extension(b"subjectAltName", False, b"DNS:" + url.encode())])
cert.sign(ca_key,'sha256')
with open(os.path.join(os.getcwd() + dir, cert_name+'.crt'), "wb") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(os.path.join(os.getcwd() + dir, cert_name+'.key'), "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM,cert.get_pubkey()))
return cert_name+'.crt',cert_name+'.key'
然后创建了一个接受 https 连接并创建新证书的代理:
cert_crt,cert_key = certificate.create_signed_cert_demo(headers['host']) # Calling the function that creates the certificate
print('\lib\cert\'+cert_crt)
print('\lib\cert\'+cert_key)
conn = ssl.wrap_socket(conn,server_side=True,certfile=os.getcwd() +'\lib\cert\'+cert_crt,keyfile=os.getcwd() +'\lib\cert\'+cert_key)
data = conn.recv(1024)
当我通过浏览器访问 http 站点时,我的代理工作正常,但是当我访问 https 站点时,出现错误:
Firefox:
SEC_ERROR_REUSED_ISSUER_AND_SERIAL
Chrome:
ERR_CERT_AUTHORITY_INVALID
Python 错误:
File "Proxy.py", line 102, in <module>
conn.start()
File "Proxy.py", line 52, in start
conn = ssl.wrap_socket(conn,server_side=True,certfile=os.getcwd() +'\lib\cert\'+cert_crt,keyfile=os.getcwd() +'\lib\cert\'+cert_key)
File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1405, in wrap_socket
return context.wrap_socket(
File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1040, in _create
self.do_handshake()
File "C:\Users\Илья\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1108)
证书示例: 加州
-----BEGIN CERTIFICATE-----
MIIDoTCCAomgAwIBAgIEAXjTCjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
UzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNVBAoMDE9yZ2Fu
aXphdGlvbjEYMBYGA1UECwwPT3JnYW5pemF0aW9uIENBMRgwFgYDVQQDDA9Pcmdh
bml6YXRpb24gQ0EwHhcNMjAwNjMwMDYxODAzWhcNMzAwNjI4MDYxODAzWjB3MQsw
CQYDVQQGEwJVUzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNV
BAoMDE9yZ2FuaXphdGlvbjEYMBYGA1UECwwPT3JnYW5pemF0aW9uIENBMRgwFgYD
VQQDDA9Pcmdhbml6YXRpb24gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCywk1rl4sltY6c3yfLVplhYjCkXHsZIUsTxr58rdX6igKiY6iNuSE5mhAo
dT/im0sTuFbn7EK4iopjlAqOJ0zo6abp2pkD2aCG2OC+3tl0brzim7yeG4TtPY/A
HoWh/Ax3csrGgVxWQjjNDJTgDqiC6u3rP75JjF0dqyF+0XyPOK+IjrKzzFDyTsI9
vC+rSGEi78Lo0x+Gx5FGBdaZXP8nMRaaTDagWTI37dijb0Cx2BaRxeQUUqX7tp/W
ilGxb5swu0/CLKDv9k0IPeqiMax/YFZTjg9efUkUBtT4nTJi4QXkwAv1sF9InmMm
/kVcihVvtic+lCbDvGKbheY9XcrvAgMBAAGjNTAzMBIGA1UdEwEB/wQIMAYBAf8C
AQAwHQYDVR0OBBYEFNo5o+5ea0sNMlW/75VgGJCv2AcJMA0GCSqGSIb3DQEBCwUA
A4IBAQB2s+HyTJN0M83Ovvyl8TAOI1jDRHqe48mWSYgBTEge7kSu/BwIdfz3W/S2
M2MN8kdm0T8s0+s2Hqwo5kgfoI2QVahNB0gHhycE+Pnmvey6rfgvaRzCU1UvnLJu
PhSJaAth0IOVifcfCIWdVSVwRslJPwr/VkSR8al6bMA9ZVQ2lcw8NqtHZkVDFidZ
GdJefC9cS+M+1B9T/uR+cXJTBTdOKzwilwLFwP5NoPdQEg3OgFjWWaYyvdMM/DLO
YSqn/Uuc7+eJfFPPLgai1Rgkx912HWvQz/C8R3UHopii/789AfnWp3Nq7wNjAITK
lgjuq1T/u7kCvn9sBzBFUlN7akCT
-----END CERTIFICATE-----
example.org
-----BEGIN CERTIFICATE-----
MIIDpzCCAo+gAwIBAgIEBlohVDANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
UzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxFTATBgNVBAoMDE9yZ2Fu
aXphdGlvbjEYMBYGA1UECwwPT3JnYW5pemF0aW9uIENBMRgwFgYDVQQDDA9Pcmdh
bml6YXRpb24gQ0EwHhcNMjAwNjMwMDYzMDA3WhcNMzAwNjI4MDYzMDA3WjCBlzEL
MAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRUwEwYD
VQQKDAxPcmdhbml6YXRpb24xGDAWBgNVBAsMD09yZ2FuaXphdGlvbiBDQTEUMBIG
A1UEAwwLZXhhbXBsZS5vcmcxIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBs
ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCbPNPw/IdWx67
aY8H6ODRhxum/sdll9PjYgkrvGbJoERPUthaON/MaIMAHZXuqnXITwYL3FgFzZ/f
YlbCWoTapT/+N9/jnjR0XZEhIBubK+Asgy/pmQ5Nq0bjT7agMhp5z4eqKjXgziNf
6BdPdb5MDXIlvZ50Nm3b6wTx16yCvZ1tcCnkv+8vj/ADcq5/soPI/pI0mBv/MTI/
AzAC0OvAMXEoG2KX2GHl8F3CA+4PnsUnhY7PBJJ8XuG9tmbgD5zDUe9v4KmwIw7H
L6oMc8Dij+Z1gU7zCKyTMyuiS0yoIziPixFGY7ApVkr7LVF1z0y0snZffDdMrFnP
Zrg64D/FAgMBAAGjGjAYMBYGA1UdEQQPMA2CC2V4YW1wbGUub3JnMA0GCSqGSIb3
DQEBCwUAA4IBAQB6fRWks0FanwRVBsTVHpAJmoUSVf7PxyhH+/ZXJx5L74wT587B
sbjefwFlDMHimsyFHJxLBK7A/HPbkbNIioW2rmBHdipTSs4s6X/wQTJjLt9YvCs6
l4LzZ5Iqs68PvkgVMRkbOZKbPbIBEW2qe2zg++BB3ye9EWhE/jGa338+RvwzwnVn
f8EV1KIKtK9p9rUQPaY/ipV+8E74oDoL0Hk/M4qobjpCJEQzI/triORzDefdjZ50
UVpVbsOMjtlhymUon/h8OluwY0to/ehjs1RD6KIxZ6sjK0cERMotSSzYnlQh7xW8
8ZxXEYF2jVJkqSLnW9QDrK6tGZJ/MbeRqJKc
-----END CERTIFICATE-----
SEC_ERROR_REUSED_ISSUER_AND_SERIAL
您对同一 CA 颁发的不同证书使用相同的序列号(硬编码为 106570068)。但是每个CA颁发的证书必须有不同的序列号。
ERR_CERT_AUTHORITY_INVALID
CA 可能没有作为受信任的 CA 正确导入浏览器。但它也可能只是一个稍微错误且不太具体的错误消息,由 Firefox 显示的基本相同的问题触发。
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1108)
这只是浏览器拒绝证书的副作用。
事实证明,浏览器会在单个会话中记住证书。要解决此问题,您需要保存证书并使用它们。 更新函数 create_signed_cert_demo:
def create_signed_cert_demo(url,serial=random.randint(1,100000000),dir='\lib\cert\',cert_name=str(random.randint(100000,1000000))):
dir_list = os.listdir(os.getcwd() + dir)
if url + '.crt' in dir_list:
return url + '.crt', url + '.key'
req = create_cert_req(url)
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(os.getcwd() + dir + CERT_FILE).read())
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(os.getcwd() + dir + KEY_FILE).read())
cert = crypto.X509()
cert.set_version(2)
cert.set_serial_number(serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(ca_cert.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.add_extensions([crypto.X509Extension(b"subjectAltName", False, b"DNS:" + url.encode())])
cert.sign(ca_key,'sha256')
with open(os.path.join(os.getcwd() + dir, url+'.crt'), "wb") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(os.path.join(os.getcwd() + dir, url+'.key'), "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM,cert.get_pubkey()))
return url+'.crt',url+'.key'