在 Linux 系统上,我使用以下命令生成了我的根 CA 和客户端证书:
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 20000 -out rootCA.pem
openssl genrsa -out myserver.key 2048
openssl req -new -key myserver.key -out myserver.csr
openssl x509 -req -in myserver.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out myserver.crt -days 365 -sha256
我已通过 MMC 控制台在 Windows 7 机器上成功安装了 rootCA.pem 文件;没有报告错误;根证书在受信任的根证书颁发机构区域下列出。
当我访问该网站时,Internet Explorer 10 没有给我“继续访问此网站”的选项,但我有一个 2048 位的 RSA 密钥。
为了澄清问题,如果帖子标题不清楚的话:“如何让 IE10 接受具有 2048 位 RSA 的自签名根 CA(使用所述方法生成)?”
Win7 系统上的 Firefox 和 Linux 系统上的 Chrome 均未出现任何问题,因为我已将 rootCA.pem 文件添加到它们的受信任机构列表中。
但是,Win7 系统上的 Chrome 和 IE 都出现了问题,因为它们使用 Windows 证书颁发机构列表。
rootCA 很好,因为 Linux 上的 Chrome 和 Windows 上的 Firefox 都没有问题。而且它与 RSA 强度小于 1024 位这一众所周知的问题无关。
我还将服务器添加到了 IE10 中的“受信任”站点列表中,但问题仍然存在。
当然,根据 Windows SOP,需要多次重启。
rootCA 的实际内容:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 14306283983041559779 (0xc68a217c110d7ce3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
Validity
Not Before: Mar 11 22:41:43 2016 GMT
Not After : Dec 13 22:41:43 2070 GMT
Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ef:2a:75:c1:e1:a4:07:c3:27:46:94:49:2f:2a:
27:0c:6d:33:d7:4c:84:ee:59:d0:83:18:10:c8:f9:
7e:8f:4e:19:ef:c3:6f:04:a7:a3:b2:9f:6f:03:de:
fb:9a:f6:17:4e:87:8c:29:93:9b:a3:52:63:19:29:
93:1e:cc:a0:22:fe:4e:7c:00:83:8f:82:c3:83:f1:
65:9d:2b:5e:b4:9e:4f:cc:29:62:a6:5f:5e:11:51:
99:2b:55:55:6b:17:13:6c:30:14:44:6f:a7:42:d0:
16:2b:02:76:5c:ae:76:4a:2b:60:b2:ea:1f:64:61:
09:8a:c6:9f:23:ef:85:82:c6:fb:f6:7d:ce:b4:c2:
a3:89:f8:98:79:f8:6a:df:6a:c5:44:75:41:f2:11:
7c:94:32:82:00:fd:ae:d4:ef:51:0f:7f:bc:2a:25:
d6:b3:53:fd:3f:13:21:7c:e0:d6:b7:87:5f:09:19:
79:7c:2f:cc:b1:c1:a2:49:bb:17:62:8f:e3:cd:db:
99:6a:2b:fc:d3:f8:9a:58:2d:0c:d0:bd:21:a1:2e:
64:f7:c0:84:7d:48:53:94:62:79:c4:bf:51:ba:04:
9e:1a:15:3e:a8:ec:3d:c2:c9:05:ed:67:dc:c0:ef:
6d:e0:fa:a7:0e:56:51:f7:7b:dd:1c:a4:88:f0:f4:
50:17
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E9:F3:EC:16:D9:48:85:EC:29:E8:DB:8A:CD:1E:76:F2:37:9F:AA:F1
X509v3 Authority Key Identifier:
keyid:E9:F3:EC:16:D9:48:85:EC:29:E8:DB:8A:CD:1E:76:F2:37:9F:AA:F1
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
78:68:8d:e6:13:35:ba:60:05:7c:e5:c6:0e:2b:83:5c:3c:5d:
ec:12:c2:6e:b5:a9:40:56:51:79:b2:50:75:5b:c5:88:05:71:
27:3b:49:b0:de:16:9c:71:d2:9d:a2:84:6a:e3:91:4f:65:99:
d3:e9:67:87:de:32:c9:d0:71:b1:8b:33:49:52:bd:be:63:bb:
cf:7c:09:df:1e:a2:c4:62:c5:a3:74:b4:1e:13:b7:8a:7b:db:
b7:76:36:d8:14:2c:07:b7:00:ba:9b:65:d3:22:9e:19:41:ee:
b9:df:f5:bf:bf:76:8a:0f:68:b3:8a:09:69:ed:24:65:cc:95:
1d:4f:05:91:20:9e:9c:7d:66:4f:57:2b:c4:c7:47:97:64:de:
9c:10:93:30:8b:61:ea:49:5b:a7:98:fd:b7:cc:c8:8f:25:1c:
9b:0a:49:b3:69:dc:20:dc:92:9a:01:a9:ed:9b:df:c6:65:c4:
87:cb:07:f7:b1:53:f0:27:00:e5:d8:17:b7:0c:17:eb:6b:86:
20:0a:97:dd:69:55:5e:02:cc:29:96:eb:64:3e:53:8c:4c:13:
fb:10:01:e1:19:47:70:b8:54:34:b9:f1:fd:74:14:6f:e9:88:
fb:18:13:99:31:21:f0:94:e0:b3:a1:92:ed:46:57:85:e6:33:
b1:1d:5b:9f
服务器证书的实际内容:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 11316521565276697315 (0x9d0c5c67f75d72e3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
Validity
Not Before: Mar 11 22:43:35 2016 GMT
Not After : Mar 11 22:43:35 2017 GMT
Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c8:4d:ab:c9:62:b2:a8:ab:56:30:b7:26:da:d4:
1a:e5:9e:eb:77:81:3e:04:62:cd:a9:d7:65:1a:f4:
0b:8c:b0:c4:e4:c6:e4:4c:0e:43:3f:3f:a7:67:2d:
a2:4b:96:54:16:b0:cc:a2:91:f0:df:f9:6c:7f:1d:
49:bf:8d:0b:0a:ce:1c:0b:30:8a:2a:c6:85:07:b8:
4e:3d:a1:52:ab:cd:7e:fa:86:b2:21:e0:f3:90:f1:
78:a1:96:6e:53:17:82:bb:fd:10:48:cc:87:7f:4c:
22:d1:79:4f:77:fe:c7:48:9b:80:b3:c9:c6:46:87:
1d:01:6e:ae:47:14:fd:84:ac:bd:06:44:68:17:16:
b5:05:76:d4:e1:76:49:65:87:bd:05:61:05:3f:5b:
2c:7a:e5:43:a8:89:58:95:35:ec:68:6f:66:b8:29:
34:ff:77:cf:2b:26:99:0e:44:d3:94:24:bd:a2:fd:
ed:c3:df:f4:23:31:bf:48:0c:49:1a:95:07:11:29:
de:1f:c3:93:e2:99:60:a5:1e:e1:3e:a1:a2:f6:41:
17:f8:c5:e0:3f:98:87:b2:bb:07:9b:aa:73:b0:94:
c3:ab:27:bb:76:5c:57:f4:3e:36:02:80:92:af:ed:
e0:8e:f2:61:f6:22:ba:99:d4:35:a7:40:ac:4f:e0:
93:2b
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
c1:99:9b:b5:b2:d6:d9:c5:0d:1f:6d:db:73:34:f5:61:ea:b6:
27:c5:d9:72:56:87:1a:60:8c:af:a4:b4:46:5c:b1:4d:cb:d6:
21:a5:32:17:48:ea:ee:d6:cb:1e:78:cd:03:aa:16:57:09:cc:
d2:d9:fa:b1:c1:7c:71:e2:cf:dd:32:e6:f0:cb:ca:1a:72:b0:
79:9a:de:45:f9:f2:36:4c:d1:f4:78:e7:0c:b8:02:ac:71:07:
d5:2a:22:90:62:ba:13:bc:2f:70:b2:b8:94:ce:e5:e3:46:b3:
81:ac:05:25:05:76:d7:f5:74:f7:e8:11:05:ed:f0:22:1f:a5:
a0:e7:81:2a:88:eb:5b:d3:1e:a5:bc:5b:2b:0e:b9:b1:c7:10:
0a:d6:ec:23:a0:d5:4f:54:f8:08:e5:5a:9d:2c:3d:e6:bd:17:
fa:7d:46:b2:33:96:5c:d7:84:47:a3:04:cf:be:e2:16:1f:f3:
d9:df:1a:22:4a:80:ec:8b:30:72:62:2d:00:04:db:21:85:a8:
57:7d:ff:f8:95:c9:6e:4a:d3:d8:32:f0:62:55:a1:b2:8e:88:
dd:13:1c:ef:18:17:da:46:8b:3e:f7:cb:91:1a:84:2f:02:8a:
8f:af:21:86:c3:f8:5c:67:ed:8d:c4:55:7c:7f:6b:98:ae:7b:
f3:41:a7:e3
答案1
您的服务器证书格式不正确:
Version: 1 (0x0)
Serial Number: 11316521565276697315 (0x9d0c5c67f75d72e3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., CN=server1.widgets.com
首先,版本 1 不常见,应该是版本 3。基本约束和都需要版本 3 CA=false。
其次,它没有经过您内部 CA 的认证。根据专有名称,它似乎是自签名的。
第三,它缺少服务器名称主题备用名称 (SAN)。浏览器遵循CA/浏览器基本要求,并且所有服务器名称都放置在SAN中。
您永远不会将服务器名称放在通用名称 (CN)。CN 显示给用户,因此它应该是一个友好名称“Widgets Web Service”(并且 CA 的 CN 将是“Widgets, Inc.”)。
另请参阅 Stack Overflow 上的以下内容:
这两个答案都详细研究了 IETF 和 CA/B 的颁发规则和政策。它们还解释了如何创建可能被最多用户代理接受的证书。
关于此声明:
您永远不会将服务器名称放置在通用名称 (CN) 中。
网络上充斥着有关 CN 和 SAN 的不良建议。不要听从这些建议。
始终遵循:
- CN - 友好名称(“Widgets Web Services”)
- SAN - 服务器名称(widgets.example.com、ftp.example.com、mail.example.com 等)
如果您遵循这两条规则,浏览器和证书的大多数问题都会消失。问题通常会减少到信任问题(而不是无法解释的名称匹配失败)。
答案2
我通过创建 rootCA 来实现这一点不同的名字而不是服务器证书中标识的服务器。server1.widgets.com我没有将其用作 rootCA 中的 CN,而是Widgets Dev将其用作 CN。我通过 MMC 控制台在 Windows 7 框中安装了该 rootCA。然后我将其用作server1.widgets.comCN 创建了服务器证书并将其安装在服务器上。
请注意,为了在 Windows 系统上成功导入,我不需要将 rootCA 从 .pem 格式转换。
修改后的 rootCA 的完整内容如下:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11541727865071105011 (0xa02c7457b3ca73f3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=New York, L=New York, O=Widgets, Inc., OU=Widgets Dev, CN=Widgets Dev
Validity
Not Before: Mar 12 14:47:54 2016 GMT
Not After : Dec 14 14:47:54 2070 GMT
Subject: C=US, ST=New York, L=New York, O=Widgets, Inc., OU=Widgets Dev, CN=Widgets Dev
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ef:2a:75:c1:e1:a4:07:c3:27:46:94:49:2f:2a:
27:0c:6d:33:d7:4c:84:ee:59:d0:83:18:10:c8:f9:
7e:8f:4e:19:ef:c3:6f:04:a7:a3:b2:9f:6f:03:de:
fb:9a:f6:17:4e:87:8c:29:93:9b:a3:52:63:19:29:
93:1e:cc:a0:22:fe:4e:7c:00:83:8f:82:c3:83:f1:
65:9d:2b:5e:b4:9e:4f:cc:29:62:a6:5f:5e:11:51:
99:2b:55:55:6b:17:13:6c:30:14:44:6f:a7:42:d0:
16:2b:02:76:5c:ae:76:4a:2b:60:b2:ea:1f:64:61:
09:8a:c6:9f:23:ef:85:82:c6:fb:f6:7d:ce:b4:c2:
a3:89:f8:98:79:f8:6a:df:6a:c5:44:75:41:f2:11:
7c:94:32:82:00:fd:ae:d4:ef:51:0f:7f:bc:2a:25:
d6:b3:53:fd:3f:13:21:7c:e0:d6:b7:87:5f:09:19:
79:7c:2f:cc:b1:c1:a2:49:bb:17:62:8f:e3:cd:db:
99:6a:2b:fc:d3:f8:9a:58:2d:0c:d0:bd:21:a1:2e:
64:f7:c0:84:7d:48:53:94:62:79:c4:bf:51:ba:04:
9e:1a:15:3e:a8:ec:3d:c2:c9:05:ed:67:dc:c0:ef:
6d:e0:fa:a7:0e:56:51:f7:7b:dd:1c:a4:88:f0:f4:
50:17
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E9:F3:EC:16:D9:48:85:EC:29:E8:DB:8A:CD:1E:76:F2:37:9F:AA:F1
X509v3 Authority Key Identifier:
keyid:E9:F3:EC:16:D9:48:85:EC:29:E8:DB:8A:CD:1E:76:F2:37:9F:AA:F1
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
d0:e1:08:6b:4a:19:3e:29:06:27:fd:79:00:ed:a3:31:50:24:
be:99:67:c7:a7:d3:4a:fa:6e:f0:a0:b6:97:67:b2:c0:ce:a9:
4a:8c:d4:de:ee:be:9e:cb:53:33:c3:4e:ee:7a:21:e2:3d:5a:
8d:f8:23:77:65:34:9f:f1:f7:1a:d3:c5:4b:b2:80:eb:06:22:
4a:8c:94:86:b5:1b:db:2f:48:ab:55:5f:d3:7c:74:22:8e:dd:
b1:64:1b:5a:ce:f5:ee:f3:10:d7:8e:28:d7:6a:35:e7:1f:9a:
a9:9e:56:54:93:2e:a1:fb:e4:6c:88:57:56:73:f9:94:c4:96:
bc:b7:08:4b:df:e8:80:a4:25:01:0e:07:c1:1b:68:d6:51:3f:
5f:4e:0f:a9:22:f4:22:38:a8:d5:8b:fe:2a:19:2e:ed:0e:c0:
c9:bd:b3:1a:49:a5:69:32:ad:54:2c:19:17:57:0d:9c:93:86:
3e:51:77:e7:15:38:d3:90:13:7b:0e:db:75:45:1f:28:9d:ab:
5a:90:3f:3d:6c:34:37:ca:e0:ac:fd:8e:33:03:42:00:03:c7:
5b:9c:c1:ce:55:57:b4:67:f8:81:55:2c:9d:e6:2a:c9:44:74:
22:4a:87:0f:fd:bf:a9:57:d5:88:79:b7:a9:a8:57:14:00:e3:
16:af:0a:e1
答案3
使用“管理用户证书”或“管理计算机证书”(搜索控制面板)并将其导入“受信任的根证书”
我认为您不能直接导入 .pem 文件,如果您想导入密钥,请尝试将其转换为 .crt 或 PKCS12。