Google Chrome 中“导入证书时私钥丢失或无效”

Question 1

我认为您可能试图将其添加到错误的证书存储中。如果您尝试将其添加到“您的证书”下，那么您将遇到麻烦。该选项卡用于添加身份证书；您的浏览器向服务器提供该证书以建立浏览器的身份。

根据您的描述，我认为您想要做的是让浏览器信任服务器端的自签名证书。如果是这种情况，您需要将其添加到“权限”选项卡中。

Answer

我认为您可能试图将其添加到错误的证书存储中。如果您尝试将其添加到“您的证书”下，那么您将遇到麻烦。该选项卡用于添加身份证书；您的浏览器向服务器提供该证书以建立浏览器的身份。

根据您的描述，我认为您想要做的是让浏览器信任服务器端的自签名证书。如果是这种情况，您需要将其添加到“权限”选项卡中。

Question 2

对我有用的是

建立 CA
使用此 CA 签署我自己的证书，然后
将 CA 密钥导入 Chrome（当局）。

我从这就 SO 回答。

由于我的具体问题是满足多级子域名的需求，因此我将从这个角度来看待它。

子域名：

bar.fooz.mydomain.com
foo.fooz.mydomain.com

成为证书颁发机构

export CA=myca
# you probably want to have this in its own directory
mdkir /etc/ssl/$CA && cd /etc/ssl/$CA

# generate private key
openssl genrsa -des3 -out $CA.key 2048

# generate root certificate
openssl req -x509 -new -nodes -key $CA.key -sha256 -days 825 -out $CA.pem

创建 CA 签名的证书

export NAME=fooz.mydomain.com
# if CA files were in a separate directory
cd .. && mkdir /etc/ssl/$NAME && cd /etc/ssl/$NAME

# generate private key
openssl genrsa -out $NAME.key 2048

# Create a certificate-signing request
# Once prompted, set FQDN to the value of $NAME
openssl req -new -key $NAME.key -out $NAME.csr

# Create a config file for the extensions
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
# Optionally, add additional domains (I've added a subdomain here)
DNS.2 = foo.$NAME
DNS.3 = bar.$NAME
IP.1 = 192.168.0.13 # (Optional, but probably important), add an IP address (if the connection which you have planned requires it)
EOF

# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA $CA.pem -CAkey $CA.key -CAcreateserial -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext

下载$CA.pem文件并在浏览器中作为授权机构导入：

    1. Chrome settings (Settings > Privacy and Security > Security > Manage certificates > Authorities > Import). Check Trust this certificate for identifying websites
    2. Firefox: Preferences > Privacy and Security > Certificates > View Certificates > Authorities > import. Check Trust this CA to identify websites

重新启动浏览器（Firefox 无需重新启动即可运行）

Answer

对我有用的是

建立 CA
使用此 CA 签署我自己的证书，然后
将 CA 密钥导入 Chrome（当局）。

我从这就 SO 回答。

由于我的具体问题是满足多级子域名的需求，因此我将从这个角度来看待它。

子域名：

bar.fooz.mydomain.com
foo.fooz.mydomain.com

成为证书颁发机构

export CA=myca
# you probably want to have this in its own directory
mdkir /etc/ssl/$CA && cd /etc/ssl/$CA

# generate private key
openssl genrsa -des3 -out $CA.key 2048

# generate root certificate
openssl req -x509 -new -nodes -key $CA.key -sha256 -days 825 -out $CA.pem

创建 CA 签名的证书

export NAME=fooz.mydomain.com
# if CA files were in a separate directory
cd .. && mkdir /etc/ssl/$NAME && cd /etc/ssl/$NAME

# generate private key
openssl genrsa -out $NAME.key 2048

# Create a certificate-signing request
# Once prompted, set FQDN to the value of $NAME
openssl req -new -key $NAME.key -out $NAME.csr

# Create a config file for the extensions
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
# Optionally, add additional domains (I've added a subdomain here)
DNS.2 = foo.$NAME
DNS.3 = bar.$NAME
IP.1 = 192.168.0.13 # (Optional, but probably important), add an IP address (if the connection which you have planned requires it)
EOF

# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA $CA.pem -CAkey $CA.key -CAcreateserial -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext

下载$CA.pem文件并在浏览器中作为授权机构导入：

    1. Chrome settings (Settings > Privacy and Security > Security > Manage certificates > Authorities > Import). Check Trust this certificate for identifying websites
    2. Firefox: Preferences > Privacy and Security > Certificates > View Certificates > Authorities > import. Check Trust this CA to identify websites

重新启动浏览器（Firefox 无需重新启动即可运行）

Question 3

Chrome 需要一个 PKCS12 格式的文件，该文件用于将证书、任何中间证书和私钥存储到单个可加密文件中。这些文件通常具有.p12和.pfx扩展名。

要生成一个，请使用以下命令

openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12

此命令将要求输入密码，我们需要记住该密码并在将生成的p12文件导入 chrome 时使用该密码。

Answer

Chrome 需要一个 PKCS12 格式的文件，该文件用于将证书、任何中间证书和私钥存储到单个可加密文件中。这些文件通常具有.p12和.pfx扩展名。

要生成一个，请使用以下命令

openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12

此命令将要求输入密码，我们需要记住该密码并在将生成的p12文件导入 chrome 时使用该密码。

Google Chrome 中“导入证书时私钥丢失或无效”

答案1

答案2

答案3

相关内容