Openssl 客户端和服务器证书的不同中间体
Openssl different intermediates for client and server certs
我正在尝试生成一个证书-(权威)-链,其中一些中间体有特定的任务。
将有一个根证书(跳过测试)签署实际的 CA,一方面,这个 CA 签署一个应该只能签署客户端证书的 CA,另一方面,签署one/multiple 只能执行服务器证书签名的 CA。这个想法是,这个“server-ca”将被部署到一个嵌入式系统中,以便在必要时创建一个具有不同 sans 的新服务器证书,但不应该能够签署客户端证书。 (see my fine drawing)
我没有找到太多关于约束 ca 的信息。 Here 它说这是可能的,所以我尝试创建一个测试设置,我在其中为 device/server-CA 定义了一个 extendedKeyUsage。我创建的证书中的 X509v3 扩展如下所示
Server/Device-CA:
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE <-(yeah, forgot 'bout the path-length - hope this is not the problem)
X509v3 Subject Key Identifier:
51:0F:8C:55:88:4D:3E:25:DC:EC:6D:73:39:E4:7D:27:2E:AF:E4:2D
X509v3 Authority Key Identifier:
keyid:B3:6A:53:D9:9B:CF:74:69:B5:64:73:91:D7:18:92:30:E3:A7:7A:A6
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage: critical
TLS Web Server Authentication <--
Server/Device-CA -> 服务器证书
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
AD:BC:E0:73:50:AB:7F:BE:3C:43:71:4F:07:06:D8:3F:1A:38:81:4C
X509v3 Authority Key Identifier:
keyid:51:0F:8C:55:88:4D:3E:25:DC:EC:6D:73:39:E4:7D:27:2E:AF:E4:2D
DirName:/C=XXX/ST=XXX/L=XX/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
serial:10:00
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication <--
Server/Device-CA -> 客户端证书
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Client Certificate
X509v3 Subject Key Identifier:
AD:BC:E0:73:50:AB:7F:BE:3C:43:71:4F:07:06:D8:3F:1A:38:81:4C
X509v3 Authority Key Identifier:
keyid:51:0F:8C:55:88:4D:3E:25:DC:EC:6D:73:39:E4:7D:27:2E:AF:E4:2D
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection <--
无论如何,当我使用 openssl 验证它说两个证书都有效。我希望你能帮助我。
谢谢
一个简单的openssl verify不知道叶子证书应该用作客户端证书。这就是为什么在验证信任链时不会考虑证书的用途:
$ openssl verify -CAfile root.pem -untrusted middle.pem client.pem
client.pem: OK
对于 sslclient 的明确给定目的,它会失败:
$ openssl verify -purpose sslclient -CAfile root.pem -untrusted middle.pem client.pem
CN = middle
error 26 at 1 depth lookup: unsupported certificate purpose
error client.pem: verification failed
拥有一个以 sslclient 作为目的的不同中间证书会成功:
$ openssl verify -purpose sslclient -CAfile root.pem -untrusted alt-middle.pem client.pem
client.pem: OK
我正在尝试生成一个证书-(权威)-链,其中一些中间体有特定的任务。
将有一个根证书(跳过测试)签署实际的 CA,一方面,这个 CA 签署一个应该只能签署客户端证书的 CA,另一方面,签署one/multiple 只能执行服务器证书签名的 CA。这个想法是,这个“server-ca”将被部署到一个嵌入式系统中,以便在必要时创建一个具有不同 sans 的新服务器证书,但不应该能够签署客户端证书。 (see my fine drawing)
我没有找到太多关于约束 ca 的信息。 Here 它说这是可能的,所以我尝试创建一个测试设置,我在其中为 device/server-CA 定义了一个 extendedKeyUsage。我创建的证书中的 X509v3 扩展如下所示
Server/Device-CA:
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE <-(yeah, forgot 'bout the path-length - hope this is not the problem)
X509v3 Subject Key Identifier:
51:0F:8C:55:88:4D:3E:25:DC:EC:6D:73:39:E4:7D:27:2E:AF:E4:2D
X509v3 Authority Key Identifier:
keyid:B3:6A:53:D9:9B:CF:74:69:B5:64:73:91:D7:18:92:30:E3:A7:7A:A6
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage: critical
TLS Web Server Authentication <--
Server/Device-CA -> 服务器证书
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
AD:BC:E0:73:50:AB:7F:BE:3C:43:71:4F:07:06:D8:3F:1A:38:81:4C
X509v3 Authority Key Identifier:
keyid:51:0F:8C:55:88:4D:3E:25:DC:EC:6D:73:39:E4:7D:27:2E:AF:E4:2D
DirName:/C=XXX/ST=XXX/L=XX/O=XXX/OU=XXX/CN=XXX/emailAddress=XXX
serial:10:00
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication <--
Server/Device-CA -> 客户端证书
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Client Certificate
X509v3 Subject Key Identifier:
AD:BC:E0:73:50:AB:7F:BE:3C:43:71:4F:07:06:D8:3F:1A:38:81:4C
X509v3 Authority Key Identifier:
keyid:51:0F:8C:55:88:4D:3E:25:DC:EC:6D:73:39:E4:7D:27:2E:AF:E4:2D
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection <--
无论如何,当我使用 openssl 验证它说两个证书都有效。我希望你能帮助我。
谢谢
一个简单的openssl verify不知道叶子证书应该用作客户端证书。这就是为什么在验证信任链时不会考虑证书的用途:
$ openssl verify -CAfile root.pem -untrusted middle.pem client.pem
client.pem: OK
对于 sslclient 的明确给定目的,它会失败:
$ openssl verify -purpose sslclient -CAfile root.pem -untrusted middle.pem client.pem
CN = middle
error 26 at 1 depth lookup: unsupported certificate purpose
error client.pem: verification failed
拥有一个以 sslclient 作为目的的不同中间证书会成功:
$ openssl verify -purpose sslclient -CAfile root.pem -untrusted alt-middle.pem client.pem
client.pem: OK