Root Certificate Authority works on Windows/Linux but not on Mac OSX - (malformed)

I have created a self-signed root certificate authority, and if I install it on Windows, on Linux, or even into the certificate store of Firefox (Windows/Linux/macosx), it works perfectly with my terminating proxy.

I have installed it into the System keychain and have set the certificate to Always Trust.

The Chrome browser details show: "The certificate that Chrome received during this connection attempt is not formatted correctly, so Chrome cannot use it to protect your information. Error type: Malformed certificate".

I used the following to create the certificate:

openssl genrsa -des3 -passout pass:***** -out private/server.key 4096
openssl req -batch -passin pass:***** -new -x509 -nodes -sha1 -days 3600 -key private/server.key -out server.crt -config ../openssl.cnf

If the problem is not a malformed certificate (since it works fine everywhere else), what could it be? Am I installing it incorrectly?

To be clear:
On Windows/Linux all browsers work fine. On the Mac, only Firefox, which uses its internal certificate store rather than the keychain, works. The keychain method of importing the certificate is what causes the problem, so every browser that uses the keychain fails.

Root CA certificate:

-----BEGIN CERTIFICATE-----
**some base64 content**
-----END CERTIFICATE-----

Intermediate CA certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=*****, ST=******, L=******, O=******, CN=******/emailAddress=******
        Validity
            Not Before: May 21 13:57:32 2014 GMT
            Not After : Jun 20 13:57:32 2014 GMT
        Subject: C=*****, ST=********, O=*******, CN=*******/emailAddress=*******
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:e7:2d:75:38:23:02:8e:b9:8d:2f:33:4c:2a:11:
                    6d:d4:f8:29:ab:f3:fc:12:00:0f:bb:34:ec:35:ed:
                    a5:38:10:1e:f3:54:c2:69:ae:3b:22:c0:0d:00:97:
                    08:da:b9:c9:32:c0:c6:b1:8b:22:7e:53:ea:69:e2:
                    6d:0f:bd:f5:96:b2:d0:0d:b2:db:07:ba:f1:ce:53:
                    8a:5e:e0:22:ce:3e:36:ed:51:63:21:e7:45:ad:f9:
                    4d:9b:8f:7f:33:4c:ed:fc:a6:ac:16:70:f5:96:36:
                    37:c8:65:47:d1:d3:12:70:3e:8d:2f:fb:9f:94:e0:
                    c9:5f:d0:8c:30:e0:04:23:38:22:e5:d9:84:15:b8:
                    31:e7:a7:28:51:b8:7f:01:49:fb:88:e9:6c:93:0e:
                    63:eb:66:2b:b4:a0:f0:31:33:8b:b4:04:84:1f:9e:
                    d5:ed:23:cc:bf:9b:8e:be:9a:5c:03:d6:4f:1a:6f:
                    2d:8f:47:60:6c:89:c5:f0:06:df:ac:cb:26:f8:1a:
                    48:52:5e:51:a0:47:6a:30:e8:bc:88:8b:fd:bb:6b:
                    c9:03:db:c2:46:86:c0:c5:a5:45:5b:a9:a3:61:35:
                    37:e9:fc:a1:7b:ae:71:3a:5c:9c:52:84:dd:b2:86:
                    b3:2e:2e:7a:5b:e1:40:34:4a:46:f0:f8:43:26:58:
                    30:87:f9:c6:c9:bc:b4:73:8b:fc:08:13:33:cc:d0:
                    b7:8a:31:e9:38:a3:a9:cc:01:e2:d4:c2:a5:c1:55:
                    52:72:52:2b:06:a3:36:30:0c:5c:29:1a:dd:14:93:
                    2b:9d:bf:ac:c1:2d:cd:3f:89:1f:bc:ad:a4:f2:bd:
                    81:77:a9:f4:f0:b9:50:9e:fb:f5:da:ee:4e:b7:66:
                    e5:ab:d1:00:74:29:6f:01:28:32:ea:7d:3f:b3:d7:
                    97:f2:60:63:41:0f:30:6a:aa:74:f4:63:4f:26:7b:
                    71:ed:57:f1:d4:99:72:61:f4:69:ad:31:82:76:67:
                    21:e1:32:2f:e8:46:d3:28:61:b1:10:df:4c:02:e5:
                    d3:cc:22:30:a4:bb:81:10:dc:7d:49:94:b2:02:2d:
                    96:7f:e5:61:fa:6b:bd:22:21:55:97:82:18:4e:b5:
                    a0:67:2b:57:93:1c:ef:e5:d2:fb:52:79:95:13:11:
                    20:06:8c:fb:e7:0b:fd:96:08:eb:17:e6:5b:b5:a0:
                    8d:dd:22:63:99:af:ad:ce:8c:76:14:9a:31:55:d7:
                    95:ea:ff:10:6f:7c:9c:21:00:5e:be:df:b0:87:75:
                    5d:a6:87:ca:18:94:e7:6a:15:fe:27:dd:28:5e:c0:
                    ad:d2:91:d3:2d:8e:c3:c0:9f:fb:ff:c0:36:7e:e2:
                    d7:bc:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:dropbox.com, DNS:*.dropbox.com, DNS:filedropper.com, DNS:*.filedropper.com
            X509v3 Subject Key Identifier:
                F3:E5:38:5B:3C:AF:1C:73:C1:4C:7D:8B:C8:A1:03:82:65:0D:FF:45
            X509v3 Authority Key Identifier:
                keyid:2B:37:39:7B:9F:45:14:FE:F8:BC:CA:E0:6E:B4:5F:D6:1A:2B:D7:B0
                DirName:/C=****/ST=******/L=******/O=******/CN=******/emailAddress=******
                serial:EE:8C:A3:B4:40:90:B0:62

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        46:2a:2c:e0:66:e3:fa:c6:80:b6:81:e7:db:c3:29:ab:e7:1c:
        f0:d9:a0:b7:a9:57:8c:81:3e:30:8f:7d:ef:f7:ed:3c:5f:1e:
        a5:f6:ae:09:ab:5e:63:b4:f6:d6:b6:ac:1c:a0:ec:10:19:ce:
        dd:5a:62:06:b4:88:5a:57:26:81:8e:38:b9:0f:26:cd:d9:36:
        83:52:ec:df:f4:63:ce:a1:ba:d4:1c:ec:b6:66:ed:f0:32:0e:
        25:87:79:fa:95:ee:0f:a0:c6:2d:8f:e9:fb:11:de:cf:26:fa:
        59:fa:bd:0b:74:76:a6:5d:41:0d:cd:35:4e:ca:80:58:2a:a8:
        5d:e4:d8:cf:ef:92:8d:52:f9:f2:bf:65:50:da:a8:10:1b:5e:
        50:a7:7e:57:7b:94:7f:5c:74:2e:80:ae:1e:24:5f:0b:7b:7e:
        19:b6:b5:bd:9d:46:5a:e8:47:43:aa:51:b3:4b:3f:12:df:7f:
        ef:65:21:85:c2:f6:83:84:d0:8d:8b:d9:6d:a8:f9:11:d4:65:
        7d:8f:28:22:3c:34:bb:99:4e:14:89:45:a4:62:ed:52:b1:64:
        9a:fd:08:cd:ff:ca:9e:3b:51:81:33:e6:37:aa:cb:76:01:90:
        d1:39:6f:6a:8b:2d:f5:07:f8:f4:2a:ce:01:37:ba:4b:7f:d4:
        62:d7:d6:66:b8:78:ad:0b:23:b6:2e:b0:9a:fc:0f:8c:4c:29:
        86:a0:bc:33:71:e5:7f:aa:3e:0e:ca:02:e1:f6:88:f0:ff:a2:
        04:5a:f5:d7:fe:7d:49:0a:d2:63:9c:24:ed:02:c7:4d:63:e6:
        0c:e1:04:cd:a4:bf:a8:31:d3:10:db:b4:71:48:f7:1a:1b:d9:
        eb:a7:2e:26:00:38:bd:a8:96:b4:83:09:c9:3d:79:90:e1:61:
        2c:fc:a0:2c:6b:7d:46:a8:d7:17:7f:ae:60:79:c1:b6:5c:f9:
        3c:84:64:7b:7f:db:e9:f1:55:04:6e:b5:d3:5e:d3:e3:13:29:
        3f:0b:03:f2:d7:a8:30:02:e1:12:f4:ae:61:6f:f5:4b:e9:ed:
        1d:33:af:cd:9b:43:42:35:1a:d4:f6:b9:fb:bf:c9:8d:6c:30:
        25:33:43:49:32:43:a5:a8:d8:82:ef:b0:a6:bd:8b:fb:b6:ed:
        72:fd:9a:8f:00:3b:97:a3:35:a4:ad:26:2f:a9:7d:74:08:82:
        26:71:40:f9:9b:01:14:2e:82:fb:2f:c0:11:51:00:51:07:f9:
        e1:f6:1f:13:6e:03:ee:d7:85:c2:64:ce:54:3f:15:d4:d7:92:
        5f:87:aa:1e:b4:df:51:77:12:04:d2:a5:59:b3:26:87:79:ce:
        ee:be:60:4e:87:20:5c:7f

-----BEGIN CERTIFICATE-----
**some base64 content**
-----END CERTIFICATE-----

Answer 1

The openssl config has intermediate certificates set to basicConstraints=CA:TRUE by default, but in my case, since I was using the intermediate certificate as an end-user certificate, I needed basicConstraints=CA:FALSE.

On windows/linux/firefox this doesn't seem to matter, but the security settings on the mac make it required.

Answer 2

I was able to view and validate your Intermediate CA certificate using the "Certificate Assistant" feature of OS X's Keychain Access utility, and it complained that the certificate has an "Invalid BasicConstraints.CA".

Looking at other valid CA certificates I know of, the Basic Constraints extension is almost always Critical=YES when CA=YES. But your certificate has that extension set to Critical=NO. So there is probably a flaw in the openssl.cnf you handed to openssl req.

Try tweaking whatever you need to tweak so that OpenSSL marks that extension as critical, then regenerate your certificates. Note that both your root CA certificate and your intermediate CA certificate have this problem, so you will probably need to regenerate and reinstall both.
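Both answers come down to the same two settings in the openssl.cnf extension stanza: an end-entity certificate must carry CA:FALSE (Answer 1), and a CA certificate's Basic Constraints should be marked critical (Answer 2). The script below is an added example, not code from the question or either answer: it writes a self-contained openssl.cnf with a CA stanza and a leaf stanza, issues a root and a leaf with the openssl command line, deliberately issues a third certificate with the asker's original `basicConstraints = CA:TRUE` (non-critical) for contrast, and then reads each certificate's Basic Constraints back with `openssl x509 -text` to flag the two defects. It assumes an openssl binary on PATH; the file names, subjects and the `localhost` SAN are constructed.

```shell
#!/bin/sh
# Added example: generate certificates with correct and incorrect Basic
# Constraints and audit them. Assumes `openssl` is on PATH (assumption).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed openssl.cnf: one stanza per certificate type.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn

[ dn ]
CN = Example Root CA (constructed)

[ ca_ext ]
# CA certificate: CA:TRUE and marked critical, as Answer 2 recommends.
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_ext ]
# End-entity (server) certificate: CA:FALSE, as Answer 1 found necessary.
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost

[ bad_leaf_ext ]
# What the question's certificate looked like: CA:TRUE and not critical,
# on a certificate that is actually used as a server certificate.
basicConstraints = CA:TRUE
subjectAltName = DNS:localhost
EOF

# Self-signed root CA with the [ca_ext] extensions.
openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -config "$WORK/openssl.cnf" -extensions ca_ext >/dev/null 2>&1

# One CSR, signed twice by the root: once correctly, once the broken way.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -config "$WORK/openssl.cnf" -subj "/CN=localhost" >/dev/null 2>&1
for ext in leaf_ext bad_leaf_ext; do
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -sha256 \
        -extfile "$WORK/openssl.cnf" -extensions "$ext" \
        -out "$WORK/$ext.crt" >/dev/null 2>&1
done

# Print "<critical|noncritical>|CA:<TRUE|FALSE>" for a certificate file by
# reading the Basic Constraints lines of `openssl x509 -text`.
basic_constraints() {
    text=$(openssl x509 -in "$1" -noout -text)
    crit=noncritical
    printf '%s\n' "$text" | grep -q 'X509v3 Basic Constraints: critical' && crit=critical
    ca=$(printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -o 'CA:[A-Z]*')
    echo "$crit|$ca"
}

# Audit one certificate given its intended role ("ca" or "leaf").
# Returns 1 for either defect discussed in the answers, 0 otherwise.
audit_cert() {
    bc=$(basic_constraints "$1")
    case "$2:$bc" in
        leaf:*CA:TRUE)   echo "FAIL $1: end-entity certificate claims CA:TRUE"; return 1 ;;
        ca:noncritical*) echo "FAIL $1: CA certificate's Basic Constraints is not critical"; return 1 ;;
        ca:*CA:FALSE)    echo "FAIL $1: CA certificate has CA:FALSE"; return 1 ;;
        *)               echo "OK   $1: $bc" ;;
    esac
}

audit_cert "$WORK/ca.crt" ca
audit_cert "$WORK/leaf_ext.crt" leaf
audit_cert "$WORK/bad_leaf_ext.crt" leaf || true
```

Run it as-is to see two OK lines and one FAIL for the certificate built with the question's original stanza. To check your own files, point `audit_cert` at them with the role you intend for each; a root or intermediate that reports `noncritical|CA:TRUE` is the case Answer 2 describes, and a server certificate that reports `CA:TRUE` at all is the case Answer 1 fixed.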
