If my understanding is correct, a CA is like a parent certificate that is used to validate the other certificates signed by that CA certificate, so that I don't have to install a separate server certificate for every web service (e.g. FTP server, web server, Nextcloud, OpenVPN server, etc.)?
I am trying to create a CA certificate that I can distribute to my local network, and over the WAN to friends' networks, so that when they try to access one of my services they can connect securely. For example, I could just give them one CA certificate instead of a separate certificate for every service I host.
Each server certificate is obviously signed by the CA, so by installing the one CA certificate on their machines, the server certificates would automatically be validated because they were signed with the CA in the first place. Correct?
The problem is that today I tried installing the CA certificate on my Windows client PC and tried accessing my OpenMediaVault GUI over HTTPS, but I still get the insecure warning screen.
The code block below shows the whole creation process for the CA and the server certificates. I will attach a screenshot of the directory tree so you can see all the files and folders. I will also include the contents of the configuration files.
My guide
```bash
# Make OpenSSL Directory
mkdir ~/Desktop/OpenSSL
# Make Child Directories (certificates/ is needed later by the signing step)
mkdir -p ~/Desktop/OpenSSL/{ca,certificates,configs,"csr's",keys}
# Change Directory Into OpenSSL Directory
cd ~/Desktop/OpenSSL
# Create CA Certificate (self-signed, 10 years, unencrypted key)
openssl req -x509 -newkey rsa:4096 -keyout ca/cakey.pem -out ca/cacert.pem -days 3650 -sha256 -nodes -config configs/ca_openssl.cnf
# Create serial file
echo '01' > serial
# Create index.txt
touch index.txt
##
### Create server certificates ###
##
# OpenMediaVault
openssl genrsa -out keys/OpenMediaVault.pem 4096
openssl req -new -key keys/OpenMediaVault.pem -config configs/openmediavault_openssl.cnf -out "csr's"/OpenMediaVault.csr
# OpenWrt
openssl genrsa -out keys/OpenWrt.pem 4096
openssl req -new -key keys/OpenWrt.pem -config configs/openwrt_openssl.cnf -out "csr's"/OpenWrt.csr
##
### Sign Server Certificates With CA ###
##
# Note: without -days, openssl x509 -req issues certificates valid for only 30 days
# OpenMediaVault
openssl x509 -req -CA ca/cacert.pem -CAkey ca/cakey.pem -in "csr's"/OpenMediaVault.csr -out certificates/OpenMediaVault.crt -extfile configs/openmediavault_openssl.cnf -extensions v3_req -CAserial serial
# OpenWrt
openssl x509 -req -CA ca/cacert.pem -CAkey ca/cakey.pem -in "csr's"/OpenWrt.csr -out certificates/OpenWrt.crt -extfile configs/openwrt_openssl.cnf -extensions v3_req -CAserial serial
# Convert the CA certificate from PEM to DER (.crt) for importing into Windows / Firefox
openssl x509 -outform der -in ca/cacert.pem -out "My Custom CA".crt
# Convert PEM to PKCS12 (the CA cert and key are already given via -in/-inkey;
# the original command also passed -certfile CACert.crt, a file that is never created)
openssl pkcs12 -export -out certificate.pfx -inkey ca/cakey.pem -in ca/cacert.pem
```
'ca_openssl.cnf'
```ini
[ ca ]
default_ca = CA_default # The default ca section
# Note: the [ ca ] / [ CA_default ] sections are only read by "openssl ca";
# the commands above use "openssl req -x509" and "openssl x509 -req", which ignore them.
[ CA_default ]
dir = ~/Desktop/"OpenSSL Certificates"
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
[ req ]
# Don't prompt for the Distinguished Name (DN). Use configured values instead.
# This saves having to type in your DN each time.
prompt = no
string_mask = default
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
# The size of the key in bits
default_bits = 4096
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = SOME_PROVINCE
localityName = SOME_CITY
organizationName = domain
organizationalUnitName = domain
commonName = domain Certificate Authority
emailAddress = [email protected]
[ v3_ca ]
# Extensions added to the self-signed CA certificate
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
```
'openmediavault_openssl.cnf'
```ini
[ req ]
# Don't prompt for the Distinguished Name (DN). Use configured values instead.
# This saves having to type in your DN each time.
prompt = no
string_mask = default
distinguished_name = req_distinguished_name
req_extensions = v3_req
# The size of the key in bits
default_bits = 4096
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = SOME_PROVINCE
localityName = SOME_CITY
organizationName = OpenMediaVault
organizationalUnitName = OpenMediaVault
commonName = OpenMediaVault.local
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternative_names
[ alternative_names ]
DNS.0 = domain.com
IP.0 = 192.168.1.123
```
'openwrt_openssl.cnf'
```ini
[ req ]
# Don't prompt for the Distinguished Name (DN). Use configured values instead.
# This saves having to type in your DN each time.
prompt = no
string_mask = default
distinguished_name = req_distinguished_name
req_extensions = v3_req
# The size of the key in bits
default_bits = 4096
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = SOME_PROVINCE
localityName = SOME_CITY
organizationName = OpenWrt
organizationalUnitName = OpenWrt
commonName = OpenWrt.local
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternative_names
[ alternative_names ]
DNS.0 = domain.com
IP.0 = 192.168.1.1
```
I installed 'OpenMediaVault.crt' from the '/certificates' directory and 'OpenMediaVault.pem' from the '/keys' directory.
The 'certificate.pfx' file is the result of the last command in the 'My guide' section and has been imported into Windows certmgr. I used the 'My Custom CA.crt' file with Firefox's certificate option.
What exactly am I doing wrong?
Many thanks
Will
Update 1
I think I've found the cause of the problem. When I visit https://openmediavault.local (which is the common name set in the certificate) I get this message: "The certificate is only valid for the following names:". The two shown on my screen (one blurred for privacy reasons) are the subjectAltNames I added. Why are the alternative names valid but the CN isn't? When I go to https://192.168.1.123 I have a green padlock in my Firefox address bar.
Update 2
Just to let you know, I added the CN to the subjectAltName and everything works.
As a side question related to OpenSSL, I now want to make some OpenVPN certificates. Can the CA made with OpenSSL sign my OpenVPN certificates?
Answer 1
Yes, if a SAN (Subject Alternative Name) extension is present, browsers no longer look at the CN. This is specified in RFC 2818 sec. 3.1; Chrome started enforcing this about two years ago (Chrome 58), and Firefox did the same for publicly issued certificates about three years ago (Firefox 48). I don't know whether Firefox still has an exception for private CAs. (By the way, well done debugging this yourself!)
Either way, you have to reissue the certificate with all the names you want in the subjectAltName.
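The "CN is ignored once a SAN exists" rule from the answer, and the fix from Update 2, can be checked without a browser by letting OpenSSL's own name check decide. This is an added example, not code from the question or the answer; it assumes `openssl` 1.1.0 or newer in `PATH`, uses constructed names (`Example Home CA`, the question's `openmediavault.local`, `domain.com` and `192.168.1.123`), and `issue_cert`, `check_host` and `check_ip` are hypothetical helper functions defined here.

```bash
#!/bin/sh
# Reproduce the "CN not in SAN" failure from the question and the fix from Update 2,
# then let OpenSSL's own hostname check decide. Assumes openssl >= 1.1.0 in PATH.
set -e
WORK=$(mktemp -d)

# Minimal req config: empty DN section (we pass -subj) plus CA extensions for -x509.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\n' > "$WORK/base.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$WORK/base.cnf"

# Private CA, the equivalent of the question's ca/cacert.pem (constructed name).
openssl req -x509 -config "$WORK/base.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" -subj "/CN=Example Home CA" >/dev/null 2>&1

# issue_cert NAME SAN: CA-signed server cert; the CN is always openmediavault.local,
# the subjectAltName is whatever SAN says (hypothetical helper, not an OpenSSL command).
issue_cert() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$2" > "$WORK/$1.ext"
  openssl req -new -config "$WORK/base.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=openmediavault.local" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# check_host NAME HOSTNAME / check_ip NAME IP: exit 0 only if NAME.crt chains to the CA
# and matches the name. Like browsers, OpenSSL ignores the CN once the SAN has DNS entries.
check_host() { openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1; }
check_ip()   { openssl verify -CAfile "$WORK/cacert.pem" -verify_ip "$2" "$WORK/$1.crt" >/dev/null 2>&1; }

# "before": the SAN lists only domain.com and the IP, as in openmediavault_openssl.cnf
issue_cert before "DNS:domain.com,IP:192.168.1.123"
# "after": the CN is repeated as a DNS SAN entry, which is what Update 2 did
issue_cert after "DNS:openmediavault.local,DNS:domain.com,IP:192.168.1.123"

before_ok() { check_host before openmediavault.local; }   # expected: rejected
after_ok()  { check_host after  openmediavault.local; }   # expected: accepted
ip_ok()     { check_ip   before 192.168.1.123; }          # expected: accepted (Update 1)

for f in before_ok after_ok ip_ok; do
  if "$f"; then echo "$f: accepted"; else echo "$f: rejected"; fi
done
```

Run it as-is; `before_ok` is the warning screen from the question, `ip_ok` is the green padlock from Update 1, and `after_ok` is the reissued certificate the answer asks for.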