SSL padlock: invalid certificate


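So, I installed a self-signed root certificate on Windows and then accessed my domain over HTTPS. Chrome acknowledges the certificate from my domain, but I still get a "Not secure" error instead of the green padlock.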

Any idea why this is happening? Not to mention that my server is on AWS and I have configured it to accept only connections using HTTPS on port 443.

Any suggestions or ideas are much appreciated!

Here are the certificate files:

Server certificate:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            71:3b:54:71:75:c7:6e:cc:e8:4e:b2:3a:36:7f:08:0c:ad:f8:fd:a7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights Root CA
        Validity
            Not Before: Aug  8 21:03:04 2019 GMT
            Not After : Aug  5 21:03:04 2029 GMT
        Subject: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = files.bossinsights.com, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:c8:29:17:a6:b3:8a:cb:52:0a:7b:c5:d9:d9:a8:
                    1f:2f:f2:41:4d:cc:7b:01:f2:4e:5a:55:ac:49:5a:
                    ff:9f:a0:df:8b:96:8c:2c:86:2b:25:d5:be:2f:38:
                    01:40:d9:6c:92:01:a3:c0:01:fc:d2:e4:ed:a8:28:
                    55:c2:60:2e:ad:40:3b:d4:b2:0a:6c:54:37:a2:ae:
                    94:51:8f:89:46:f8:a6:78:c0:ec:80:ea:a8:07:f8:
                    b8:d2:0d:c0:0b:78:e4:e8:1d:56:09:a6:d0:e8:a0:
                    b6:4b:dc:96:21:92:1b:d7:6b:9d:e6:1c:1a:9c:97:
                    54:ef:83:8e:69:27:32:d7:b2:ea:ec:12:55:76:34:
                    76:ca:87:4b:3d:7a:8f:19:a8:98:21:29:11:37:3f:
                    dc:18:c2:ed:c5:7f:56:b4:b6:20:a6:03:53:86:e1:
                    a9:be:36:e6:a7:a1:37:f9:ad:8c:76:7d:f5:4a:d5:
                    03:fb:30:2e:56:f5:b0:83:47:d6:5e:c1:44:92:17:
                    91:51:b0:90:55:8b:99:39:c3:c6:77:a6:5e:20:42:
                    4f:5b:ad:c9:98:7f:56:e7:ae:26:fe:9a:6d:82:90:
                    ce:91:16:96:19:a4:30:82:ee:21:0b:0b:75:51:cd:
                    00:b2:34:5d:24:8f:f2:27:5b:0e:ed:0c:d3:ee:b8:
                    97:15:b9:97:86:cc:59:79:da:63:ac:a2:b1:27:f3:
                    49:f5:1b:37:f0:11:4a:58:dd:46:47:3a:85:06:f8:
                    45:a4:98:64:80:d0:aa:69:14:b1:72:9f:65:90:67:
                    8c:9e:c0:58:e9:70:c3:9b:02:92:b6:b7:b1:5e:f9:
                    3d:55:94:40:f9:4a:fb:f8:b0:9b:b5:3f:63:30:60:
                    1c:cb:bf:3f:6f:ab:cd:a2:c4:50:b9:d1:ee:44:6e:
                    57:09:4a:96:54:62:36:e0:d2:b2:b1:37:dc:d4:64:
                    8d:5b:52:7b:a6:24:23:08:67:a4:0d:58:80:0f:13:
                    13:ea:d9:95:f3:f0:04:26:0a:45:a2:31:fb:b7:41:
                    c3:cd:3e:99:d4:7c:bf:1e:61:29:4f:ac:92:b0:bb:
                    10:e6:25:9c:d8:4c:61:7f:92:ad:8d:2b:5e:7c:b4:
                    e8:02:4d:69:5a:f1:5c:a5:d3:85:8e:ca:f1:c9:d1:
                    f3:8f:2c:4b:99:6c:af:47:86:87:da:0e:5a:b7:ab:
                    97:bf:ae:25:0b:bd:ea:f0:15:04:f8:43:1c:e3:7e:
                    0d:b1:f4:3e:2f:25:6a:21:eb:eb:0b:d8:8e:0e:85:
                    fd:15:62:23:00:d3:64:a9:99:8c:0a:e0:75:a5:1d:
                    26:f0:4f:ed:a2:94:ab:f9:52:9a:d5:04:b4:25:9f:
                    e5:bf:e7

                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         86:5c:c2:58:34:f1:96:98:ca:d7:d6:7b:f5:d1:dd:c0:c7:7b:
         f5:bb:79:a6:eb:ed:63:3d:3f:b7:c8:64:25:d1:53:d9:2d:97:
         b5:71:03:6c:dd:46:9d:45:92:9e:94:e8:b2:c5:1f:19:2a:24:
         39:68:97:67:e0:d6:bc:3d:ee:88:38:a3:e3:33:37:6a:71:83:
         4f:15:73:11:a3:58:93:d7:56:e9:11:ac:5f:35:7f:8b:72:85:
         3a:a5:98:f2:86:93:2e:3f:68:0b:f9:29:86:59:7a:98:15:19:
         76:a9:32:9c:89:a8:52:dd:fb:4d:a7:fd:33:8f:4c:4a:21:7b:
         be:8e:5f:f6:6c:dd:f9:14:99:ea:18:17:dc:a4:6c:6d:56:20:
         ee:77:49:4c:99:4f:9f:ff:df:9d:e2:cf:93:49:c2:a7:fd:af:
         c7:5f:40:c7:e7:87:ae:32:1b:e9:fb:6c:4b:8c:37:c5:09:22:
         5d:dc:87:b7:a4:8f:3e:9a:29:8d:5b:a7:cd:e5:3e:04:06:c4:
         62:84:0a:b7:95:06:c2:a6:ab:b9:39:26:d4:39:f6:08:a0:57:
         58:e8:a5:14:c1:1b:6c:5b:2a:95:1d:4d:9e:35:6b:8f:4c:27:
         de:8d:9a:b5:67:de:36:73:48:3d:ac:3b:fe:d5:d5:d6:70:5b:
         94:d5:8e:63:2c:49:1c:ef:cb:9e:1e:c2:d6:68:bb:98:01:ed:
         d3:28:f5:b7:df:20:5d:0a:ff:5d:04:9d:cd:e1:c7:38:f6:26:
         23:a0:22:da:51:ca:23:c3:f7:32:f1:ef:34:0d:fa:a4:ad:df:
         c0:fd:8d:21:94:1e:99:62:42:6c:d3:1b:95:4f:bc:07:a9:d9:
         e2:14:9c:0f:d4:17:8b:79:ce:ba:51:76:63:81:65:9f:70:dd:
         74:67:18:3e:29:ea:ce:1e:f6:29:0a:e8:46:34:88:44:6b:d8:
         62:79:ea:f8:7d:79:25:0d:af:da:2f:66:32:9a:27:05:88:ab:
         d0:d2:0f:86:d1:d7:2a:f7:f4:c2:91:6b:81:f2:c0:f9:dd:4c:
         88:33:6a:f7:6e:9f:44:8a:e8:3a:7f:42:fa:87:95:4c:1d:53:
         ac:31:68:98:64:49:04:17:e6:2d:fe:b1:12:d3:a0:85:96:48:
         2f:d3:9e:e4:a9:e1:cc:9d:49:55:1b:c2:0f:af:3a:d1:55:f0:
         a0:d9:ec:8a:4d:62:18:d1:d6:3d:41:2c:39:0c:49:7b:cc:7e:
         0e:cb:16:75:75:2f:64:04:64:a4:6d:04:d6:8b:16:a2:25:5e:
         4e:c0:48:88:d6:c4:ab:0a:55:7e:a2:d3:80:ed:64:f9:28:5c:
         9d:3e:69:3a:e8:21:8e:e8

Root certificate:

X509 Certificate:
Version: 3
Serial Number: 57becf8af1e115a8f36642cd0291ada2c1121147
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=Boss Insights Root CA
    OU=DevOps
    O=Boss Insights
    L=Toronto
    S=ON
    C=CA
  Name Hash(sha1): 4e1e7b6a76121a5aa58b7de85033f3196739004a
  Name Hash(md5): f44c7e94941e6c8130b3e3156a51be03

 NotBefore: 8/8/2019 12:45 PM
 NotAfter: 8/5/2029 12:45 PM

Subject:
    CN=Boss Insights Root CA
    OU=DevOps
    O=Boss Insights
    L=Toronto
    S=ON
    C=CA
  Name Hash(sha1): 4e1e7b6a76121a5aa58b7de85033f3196739004a
  Name Hash(md5): f44c7e94941e6c8130b3e3156a51be03

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 4096 bits
Public Key: UnusedBits = 0
    0000  30 82 02 0a 02 82 02 01  00 b6 75 9d dd 1b 92 01
    0010  5c 65 c3 ed c0 fc e9 03  b5 2b fa 7c 38 58 07 18
    0020  0d 4c 05 e8 48 03 b8 a6  cc 46 c8 bb 64 95 7b db
    0030  61 e4 83 16 ca 4d 15 99  8d 3e 2f ed fe 35 ab dc
    0040  27 5f ea b5 7a f0 13 18  ec ed 59 04 2f f8 0b 72
    0050  3c b6 95 d1 ea 03 01 54  99 d8 95 ba 41 77 13 e5
    0060  a4 ac 48 2a 83 e0 dd 7e  41 b8 b3 4b 40 ab 9c c5
    0070  43 41 b2 f1 ab 49 4e 57  a1 38 3a b0 b8 f9 af 06
    0080  b0 ce e2 b4 7d 10 32 1c  d2 a1 0d 29 ee 01 96 c3
    0090  bb 77 3f 6a 7b 7f d0 57  d2 63 8d 7e 3c 73 f0 92
    00a0  67 5e e3 4a 05 e0 22 c1  d3 79 e3 51 f2 5b 9c 48
    00b0  93 37 28 68 6c 92 0c d5  6f f4 75 b5 c3 a8 e4 fa
    00c0  2f 6c 48 6d 70 18 be af  1f 5a 04 14 9a 0f 83 56
    00d0  f9 a1 bf 9d f7 40 40 66  6d 84 31 cb 9a e1 9d 2c
    00e0  e6 e6 4b 3c ab 36 7f fa  46 1b e3 43 ff 89 e9 57
    00f0  84 a9 89 8f ad 77 84 04  a8 57 bb 7b 54 66 8d f2
    0100  3a 34 c0 20 66 9f 35 6a  96 e4 0a 42 ba 5a 89 73
    0110  54 97 f0 42 d9 b7 28 bf  b3 09 08 93 48 32 10 3b
    0120  b2 89 48 74 a0 c2 8c 07  c6 58 77 48 1a f7 3d 94
    0130  92 4b 43 fc a9 1a ed 9a  e2 ff f5 95 88 af 85 96
    0140  f7 43 27 d5 03 cb c9 5a  20 53 f2 8c 36 2f 98 12
    0150  ac f2 f9 23 99 c5 6c f5  73 8f 51 1c aa d9 95 67
    0160  87 e9 aa e0 55 14 72 3d  62 e9 31 ee 73 a8 9d 88
    0170  02 48 1e a9 b3 ae 75 d0  8e 83 ba 11 de d4 a0 e5
    0180  db c5 8a 4c f1 dd d0 65  66 c6 f5 8c 78 09 25 91
    0190  30 84 32 ed 65 f2 9a 66  ec 31 d6 7e 5a 4f 67 a7
    01a0  98 63 44 b3 ed ce 58 e3  98 a8 2d 87 b9 fa 2c 07
    01b0  bb 6f 7e cb 69 f7 30 2c  23 5b 05 26 78 15 3d 92
    01c0  19 4e 56 19 43 e0 dd 37  ba a0 8c ef 1c 97 4b 90
    01d0  6c 48 63 11 d7 ca a4 9d  e1 dc 25 b2 25 a6 c5 e9
    01e0  7f b4 e2 8a 6e ac f7 44  8e a2 83 26 39 59 bd e2
    01f0  93 e1 d8 5a 93 4f 09 b0  23 15 82 80 f2 78 17 af
    0200  cc 62 93 48 f7 a9 83 b5  43 02 03 01 00 01
Certificate Extensions: 3
    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        26 e5 f8 57 3b c8 98 f9 be d9 f4 8f d9 90 83 84 96 8a d0 5a

    2.5.29.35: Flags = 0, Length = 18
    Authority Key Identifier
        KeyID=26 e5 f8 57 3b c8 98 f9 be d9 f4 8f d9 90 83 84 96 8a d0 5a

    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
        Subject Type=CA
        Path Length Constraint=None

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  6d e3 04 de 0b 9b 65 d6  3c d2 32 26 b0 7d 6f 87
    0010  e8 7a 55 04 e2 8c db d8  24 10 f8 77 29 7b 9c e7
    0020  52 b9 12 38 52 26 7a bc  7e 65 9e 71 f9 fe 47 85
    0030  43 b8 c3 ed 6f 8a f0 e1  e4 91 45 e4 b4 a1 c5 69
    0040  2c 1f 14 6b ae a4 6b 95  cd 22 37 f3 24 54 74 0e
    0050  16 f9 df 03 ed dd 44 a8  8a be c5 76 1e 12 da 90
    0060  1d 7f 74 92 8a 0f 45 e2  87 4d ed e7 3b 54 94 de
    0070  78 6b 27 3a 97 d4 54 09  13 45 7a 7e a1 19 67 d1
    0080  d1 b6 dd 2e f7 87 46 7e  0e d4 77 6d e3 87 6e 93
    0090  8e bd 2b bc e3 84 66 d1  6b 75 56 8a 00 e5 42 4a
    00a0  42 63 06 ae d6 89 89 9d  41 9d 9e 49 70 3c 53 cb
    00b0  38 fa 38 45 75 57 1d e7  1f d5 1d 0e 18 98 e1 4f
    00c0  b2 ed 60 4d 3c ef f6 24  5d ce bf 2a 34 d6 ad de
    00d0  68 6b 0a 9f cf a2 fa 89  20 76 88 5c 59 e2 8d c2
    00e0  3e 7d 44 2e 19 9f 6e 63  0c 27 97 c4 4e bb 32 3b
    00f0  11 f7 fb 8c c8 2e 92 4e  6c 9c cd fd 72 dd e8 e7
    0100  d4 be 25 df c8 ed 7d 12  57 80 fd f4 30 cb d4 d5
    0110  e3 05 b0 56 33 0e 6b eb  ab 7b 32 26 b6 28 ce 31
    0120  80 4b 79 e4 4a 19 3a 0c  c7 43 1a ea 18 db 9e a4
    0130  cd d7 1e ab 60 bf 47 9b  79 3b a3 4d 51 c6 8f f9
    0140  e1 2a b6 f0 82 07 3b f4  65 a6 0e e4 18 56 ef 52
    0150  52 fd d8 65 f0 33 78 dc  e7 17 f0 15 61 54 0a 03
    0160  2a ce 37 76 c0 20 6b 21  e9 7e 31 fa c2 d9 87 23
    0170  40 52 26 63 6b 61 dc 21  cf ef 12 7e 07 81 ee 44
    0180  aa 35 ae ef 6c 44 2d 68  66 52 0e b4 9b b6 45 94
    0190  8f e2 da 93 25 5e 66 a2  08 bf 32 b8 d6 1f fd 93
    01a0  24 5a 82 6e 87 59 97 21  d1 54 48 a5 14 7f 80 71
    01b0  f9 1e 92 b8 d8 a3 31 26  18 86 8e a6 4c a0 3a 8e
    01c0  c6 9a b0 f5 3e 00 18 cb  5a 97 e8 17 e1 fb 01 2d
    01d0  6c 8c a5 06 77 ba 67 58  bf dd ae 04 6c 0f 61 11
    01e0  58 e2 cf 4d 55 34 9f 4a  dd 4b 5d 2b 37 b9 f9 4b
    01f0  ef eb 30 03 d9 41 f9 fe  e4 62 06 46 36 e2 21 57
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): 26e5f8573bc898f9bed9f48fd9908384968ad05a
Key Id Hash(sha1): 0b50d92545830c832b9b00d0e3559da055aab019
Key Id Hash(md5): 8ea83fec1129b5b87ef9ef3b3a6ee165
Key Id Hash(sha256): 579e00427dd91039daa1f1598784dea40ea1c430213be7dcde41080c52f150a9
Cert Hash(md5): 4a01f3141a1ac6b6a94b607aa4ccdb60
Cert Hash(sha1): 310856669aadc1ad943a45c177f192e48e5d665a
Cert Hash(sha256): dae2dc47ff2393115cac0e76a9a08ae2d38c1864d8ce25140c1e9c3ef1ccf90d
Signature Hash: 07431f8ecbddc725e78532cd1bf15076013ad53c63c522a11ef714bd2cc0ae8f
CertUtil: -dump command completed successfully.

Answer 1

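Your server certificate is missing important extensions that keep modern browsers happy. In fact, it is missing all extensions, because it is a version 1 certificate (line 3), which pre-dates extensions.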

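If you look at the certificate of any website, you will see extensions in it. In this case, the most important one is the Subject Alternative Name extension, which lists all the DNS domains the certificate is valid for. As you don't have this, the browser doesn't know whether the certificate is valid for your domain. Here is the Let's Encrypt certificate for this site: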

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:4a:72:43:1b:35:86:e7:d1:f9:22:2b:03:f6:9e:15:3e:54
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Jul 26 14:38:33 2019 GMT
            Not After : Oct 24 14:38:33 2019 GMT
        Subject: CN = *.stackexchange.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9a:32:f8:05:bf:e1:14:7c:7c:39:f4:ce:37:c6:
                    ab:27:e2:7f:6d:73:68:8a:87:a2:c6:1e:f1:bd:39:
                    a3:52:86:99:a8:2d:45:91:e3:f6:ee:ea:ed:0b:ce:
                    6a:a9:30:94:97:83:5e:78:d9:8c:db:1a:e2:bc:e0:
                    ee:b2:b9:f9:b6:80:5a:e3:45:16:b2:fb:42:b7:ca:
                    e9:57:6d:87:fa:4a:44:6b:0b:5c:b4:12:63:17:a9:
                    13:2e:fd:85:0c:09:dd:43:c7:78:60:c6:d1:c2:b7:
                    56:61:d4:9e:72:b7:ea:64:5b:68:0f:d1:b4:5e:73:
                    08:6d:a5:ee:49:4f:e1:e6:d7:83:bd:4e:19:1a:e4:
                    4c:86:11:30:3a:a5:60:e9:fe:32:40:e1:be:8d:04:
                    80:28:a0:7a:7f:37:85:84:29:46:d3:93:8c:21:a1:
                    f6:cf:00:bd:dc:96:df:0c:94:c8:a3:b0:41:6d:1e:
                    4a:86:c0:51:c3:9a:7a:8c:55:e3:de:86:7d:1f:3d:
                    fb:0d:1f:83:ef:23:f6:f3:2a:a2:ff:47:87:a9:cd:
                    8e:d5:f2:3c:84:1b:88:34:86:63:15:a6:5d:c3:5b:
                    e8:04:65:20:88:d9:70:4d:d2:31:45:04:38:fa:b9:
                    3d:04:69:70:19:91:ef:65:79:18:a6:63:50:27:df:
                    87:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                F0:61:88:B2:8F:1D:EB:1E:FF:68:BC:BD:7A:D0:AF:9C:0C:34:09:18
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:*.askubuntu.com, DNS:*.blogoverflow.com, DNS:*.mathoverflow.net, DNS:*.meta.stackexchange.com, DNS:*.meta.stackoverflow.com, DNS:*.serverfault.com, DNS:*.sstatic.net, DNS:*.stackexchange.com, DNS:*.stackoverflow.com, DNS:*.stackoverflow.email, DNS:*.superuser.com, DNS:askubuntu.com, DNS:blogoverflow.com, DNS:mathoverflow.net, DNS:openid.stackauth.com, DNS:serverfault.com, DNS:sstatic.net, DNS:stackapps.com, DNS:stackauth.com, DNS:stackexchange.com, DNS:stackoverflow.blog, DNS:stackoverflow.com, DNS:stackoverflow.email, DNS:stacksnippets.net, DNS:superuser.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
                                C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
                    Timestamp : Jul 26 15:38:33.994 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:7D:17:02:B0:E0:A5:DF:17:47:8A:7E:BA:
                                3F:62:2A:6F:16:12:27:BC:8A:A7:9E:A4:A7:1C:1B:28:
                                7C:13:0F:C0:02:20:52:E6:59:81:92:45:C3:43:CD:D4:
                                23:60:25:F5:62:A6:8E:A7:6F:15:65:55:C7:C0:B4:B1:
                                68:39:5A:D3:42:E3
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : Jul 26 15:38:34.021 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:BE:8C:78:FB:03:2A:48:6A:41:7D:EA:
                                CC:C2:C8:D7:AB:11:0C:66:2B:E1:89:C9:51:ED:B5:D3:
                                6B:77:B0:2B:6C:02:20:63:F3:CE:77:16:A4:0B:E6:42:
                                0C:8F:B1:E1:4D:AA:0E:62:D1:DB:41:0E:65:A5:C1:B2:
                                D0:DD:15:2D:07:98:BE
    Signature Algorithm: sha256WithRSAEncryption
         1c:83:57:15:ad:f4:d5:2a:c1:51:c0:ab:cb:29:42:83:ab:19:
         53:88:ea:9b:a9:21:cf:e6:0a:e4:c7:b8:06:9f:c1:a7:3d:6d:
         b6:b2:83:d6:34:2c:0d:5f:6b:f0:10:a0:1a:75:31:fa:54:54:
         6e:46:ee:2c:b6:23:3f:f0:77:f1:ed:06:33:c1:91:83:55:c4:
         99:4b:04:46:83:b9:d3:26:5a:30:f0:c5:32:08:1b:d6:7a:7c:
         dd:d5:9b:24:68:37:70:79:d3:70:2f:a2:81:fa:88:72:1d:69:
         eb:67:d6:53:2b:25:0c:46:23:ab:9b:39:fe:06:bc:38:a4:a8:
         b9:59:05:31:c7:f3:0f:a2:91:98:86:b6:d2:a1:37:04:72:ca:
         9c:78:78:a3:20:62:81:6a:a7:a9:a9:ff:8e:7d:69:4c:ef:97:
         9d:a8:a3:66:88:1a:37:2e:74:4b:5e:42:cd:07:96:cb:b2:4d:
         fd:3f:ae:cf:ad:88:ed:50:86:e0:b8:d0:75:7c:75:cb:17:97:
         7e:5e:09:98:0b:4c:ce:53:c6:2b:ef:d0:47:84:2d:56:5d:6c:
         82:92:0b:89:e1:54:0f:36:eb:56:7f:05:1f:b4:44:32:3c:c8:
         37:d6:11:c2:36:13:eb:f3:de:ba:99:2a:b7:f0:26:73:6a:fc:
         37:ea:73:76

Just over half-way down is:

X509v3 Subject Alternative Name:
    DNS:*.askubuntu.com, DNS:*.blogoverflow.com, DNS:*.mathoverflow.net, DNS:*.meta.stackexchange.com, DNS:*.meta.stackoverflow.com, DNS:*.serverfault.com, DNS:*.sstatic.net, DNS:*.stackexchange.com, DNS:*.stackoverflow.com, DNS:*.stackoverflow.email, DNS:*.superuser.com, DNS:askubuntu.com, DNS:blogoverflow.com, DNS:mathoverflow.net, DNS:openid.stackauth.com, DNS:serverfault.com, DNS:sstatic.net, DNS:stackapps.com, DNS:stackauth.com, DNS:stackexchange.com, DNS:stackoverflow.blog, DNS:stackoverflow.com, DNS:stackoverflow.email, DNS:stacksnippets.net, DNS:superuser.com

which lists all the sites the certificate is valid for. You need something similar in your server certificate.

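Modern CA applications will always add this extension unless you go out of your way to remove it. Was the certificate generated with OpenSSL? :-) If so, the following OpenSSL configuration file will allow you to create a certificate signing request with more suitable extensions: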

# OpenSSL configuration

[ req ]

prompt             = no
string_mask        = default

# The size of the keys in bits:
default_bits       = 2048
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]

# Note that the following are in 'reverse order' to what you'd expect to see in
# Windows

# Locality style:
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Boss Insights
organizationalUnitName = DevOps
commonName = Boss Insights

[ req_ext ]

subjectKeyIdentifier    = hash

keyUsage = critical, digitalSignature

extendedKeyUsage=serverAuth

subjectAltName = @alt_names

[alt_names]
DNS.1 = files.bossinsights.com
# DNS.2 = www.bossinsights.com
# DNS.3 = bossinsights.com
# Add more DNS entries here, but make sure the number following 'DNS'
# are unique.  No need to be sequential, just unique.
#
# For a wildcard certificate, you will need just:
# DNS.1 = bossinsight.com
# DNS.2 = *.bossinsight.com

Create the request with the following command:

openssl req -new -keyout BossInsight.key -out BossInsight.req -config BossInsight.cnf -nodes

Note: the -nodes option stops OpenSSL from password-protecting the private key. Remove it if you need a protected key.

Finally, pass BossInsight.req to your CA.
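
As an added example (not part of the original answer), the Python sketch below checks `openssl x509 -text` output for the problems described above: a version 1 certificate, a missing Subject Alternative Name, and a name list that does not cover the host. The function names and the trimmed sample excerpts are assumptions made for illustration; host matching is simplified to exact names and a single left-most wildcard label.

```python
import re

# Excerpts trimmed from the two dumps on this page (hex left out, SAN list shortened).
SERVER_CERT_TEXT = """\
    Data:
        Version: 1 (0x0)
        Subject: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = files.bossinsights.com
"""
LE_CERT_TEXT = """\
    Data:
        Version: 3 (0x2)
        Subject: CN = *.stackexchange.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:*.stackexchange.com, DNS:stackexchange.com, DNS:*.superuser.com, DNS:superuser.com
"""

def parse_cert_text(text):
    """Extract version, subject CN, SAN DNS names and EKU from the text dump."""
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,\n]+)", text)
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    eku = re.search(r"Extended Key Usage:[^\n]*\n\s*(.+)", text)
    return {
        "version": int(re.search(r"Version:\s*(\d+)", text).group(1)),
        "cn": cn.group(1).strip() if cn else None,
        "sans": re.findall(r"DNS:([^,\s]+)", san.group(1)) if san else [],
        "eku": eku.group(1) if eku else "",
    }

def name_matches(pattern, host):
    """Match a SAN dNSName; '*' stands for exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def browser_findings(text, host):
    """List the reasons a modern browser would refuse this certificate for host."""
    c = parse_cert_text(text)
    findings = []
    if c["version"] < 3:
        findings.append("version %d certificate: has no extensions field" % c["version"])
    if not c["sans"]:
        findings.append("no subjectAltName; CN %r is not used for host matching" % c["cn"])
    elif not any(name_matches(s, host) for s in c["sans"]):
        findings.append("subjectAltName does not cover " + host)
    if c["eku"] and "TLS Web Server Authentication" not in c["eku"]:
        findings.append("extendedKeyUsage present but lacks serverAuth")
    return findings

print(browser_findings(SERVER_CERT_TEXT, "files.bossinsights.com"))
```

Run it on the `openssl x509 -noout -text` output of the certificate your CA returns, not on the request: extensions in a request only reach the certificate if the CA copies them.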
