我正在尝试为服务器创建 SSL 证书,该证书将在内部运行而不会在 Chrome 中发出警告。我使用 SAN 创建了该证书,其中包含 localhost 和 IP 地址的多个主题备用名称。由于某种原因,它在 localhost 上可以工作,但在curlChrome 和 Chrome 中使用 IP 地址时都会出错。
$ curl https://192.168.1.50
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
$ curl https://localhost
<a href="https://localhost:9090/">Moved Permanently</a>.
在命令行上检查它会显示 SAN 部分下的两个名称,所以我不确定为什么这不起作用:
$ openssl x509 -text -noout -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8d:93:a1:be:d1:03:8f:59
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=Los Angeles, O=Alt Systems, OU=Internal, CN=Elliott/emailAddress=xxxxxx
Validity
Not Before: Nov 5 21:32:19 2019 GMT
Not After : Mar 19 21:32:19 2021 GMT
Subject: C=US, ST=CA, L=Los Angeles, O=Alt Systems, OU=Internal/emailAddress=xxxxxx, CN=alt-pix-la
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:53:b6:0b:f0:94:c1:a8:26:93:79:5a:45:86:
36:ac:60:c2:40:a2:bf:25:69:90:9f:8b:b9:3f:63:
30:ae:48:cc:f9:f0:9d:d4:15:3d:1c:20:bc:29:6f:
57:8f:7d:e9:a5:db:2b:2c:ac:1a:6f:6d:b9:17:98:
0e:a0:17:1f:3e:28:4e:42:bd:af:2e:54:dd:ec:ff:
7b:00:a5:ed:59:97:8a:6f:95:04:c9:eb:3a:6c:ec:
9e:c9:7e:12:ee:ce:cc:be:b7:c1:d3:fe:f6:cf:1d:
0d:68:07:68:52:7a:30:5f:f1:29:36:64:b2:a5:e8:
5e:a7:f9:75:ab:4b:aa:4b:12:aa:44:59:a3:df:18:
45:81:52:b1:4d:00:a4:f2:eb:7e:0d:3e:05:f9:94:
1a:aa:e4:2e:9a:ee:0c:59:91:b9:63:f3:5d:98:3b:
32:4e:f7:1b:47:e5:a7:54:5c:ba:75:9b:88:09:07:
cc:93:06:c3:8a:76:78:83:98:69:1a:8b:e2:fd:cf:
70:51:35:09:ba:67:ca:c1:81:f4:65:72:0a:15:7a:
12:2d:bc:65:04:7f:b8:c3:22:2b:79:8d:9a:62:54:
d2:89:3f:4a:02:72:36:27:6c:ad:50:4d:96:e5:a1:
df:8b:fe:51:0b:67:1b:44:4e:57:fc:bb:d7:1d:77:
9f:c3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:BC:39:94:F0:DC:DF:5D:8E:12:E1:DA:5F:8F:7C:C8:02:B4:0E:19:19
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Subject Alternative Name:
DNS:localhost, DNS:192.168.1.50
Signature Algorithm: sha256WithRSAEncryption
54:8e:98:93:53:c2:af:fc:b7:03:5c:6d:d3:7d:9a:d9:2f:99:
ac:29:dc:0f:02:55:36:9e:70:57:68:df:27:5f:5e:a8:43:05:
ff:a4:7e:bd:15:99:ff:aa:67:35:93:90:35:e0:e7:20:b4:77:
7c:bf:6f:29:13:46:fc:56:81:58:60:67:14:ae:a1:1b:44:80:
92:81:7f:ed:5c:bc:75:36:a9:11:52:9b:28:e1:18:d6:a4:17:
35:13:6c:bd:be:64:db:70:a5:d4:7f:3e:16:26:73:f9:27:ed:
7b:03:44:b3:59:2d:53:8d:e2:77:f1:6d:8d:21:c0:d0:2c:96:
27:0c:c6:4e:6f:63:35:61:3e:b5:62:05:88:76:b5:99:ca:7d:
64:f9:6b:f4:9b:18:8e:3a:77:82:59:d2:13:c0:14:3c:0a:dc:
8d:82:38:ca:af:e9:43:06:83:ae:6e:4f:73:29:1d:0a:da:91:
ea:72:f4:26:f3:59:98:8d:ca:1a:ad:19:17:fd:bb:9f:62:bf:
85:e0:12:bd:9b:93:26:73:2b:9a:77:ff:c4:34:29:25:fc:c7:
13:8f:94:b3:28:d7:79:dc:54:57:6c:3d:01:f0:37:5c:a9:28:
23:13:89:7b:c5:63:51:eb:fc:ad:37:d1:31:cf:f4:2f:8c:9c:
5f:35:07:79
答案1
您使用的 SAN 类型错误 – 仅限实际域名称在“DNS”类型的 SAN 中是允许的;对于 IP 地址,有“iPAddress”类型([7] OCTET STRING)。
对于 OpenSSL,您可以使用:
subjectAltName=IP:192.168.1.50
subjectAltName=IP:2001:db8:1234::4567
答案2
您必须将您的 IP 地址添加到 SAN。此代码对我有用。像这样添加您的 IP 地址。
[alternate_names]
IP.1 = 127.0.0.1
答案3
使用 OpenSSL 的端到端示例:您需要创建一个名为 openssl-san.cnf 的配置(取自:https://help.bizagi.com/bpm-suite/en/index.html?subjectaltname_support.htm):
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
# Optionally, specify some defaults.
countryName_default = [Country]
stateOrProvinceName_default = [State]
localityName_default = [City]
0.organizationName_default = [Organization]
organizationalUnitName_default = [Organization unit]
emailAddress_default = [Email]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = [DNS1]
DNS.2 = [DNS2]
IP.1 = [IP Adddress]
然后执行此命令来创建一个密钥和一个证书签名请求(csr):
openssl req -newkey rsa:4096 -keyout key.key -out keycsr.csr -config openssl-san.cnf
要验证您创建的 CSR,请执行以下操作:
openssl req -text -noout -verify -in keycsr.csr
然后,您可以自己签署 CSR,将其传递给 CA 进行签署等等。