SSL 证书不适用于 SAN 的 IP 地址

tag-icon tag-icon ssl curl
SSL 证书不适用于 SAN 的 IP 地址

我正在尝试为服务器创建 SSL 证书,该证书将在内部运行而不会在 Chrome 中发出警告。我使用 SAN 创建了该证书,其中包含 localhost 和 IP 地址的多个主题备用名称。由于某种原因,它在 localhost 上可以工作,但在curlChrome 和 Chrome 中使用 IP 地址时都会出错。

$ curl https://192.168.1.50 
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

$ curl https://localhost
<a href="https://localhost:9090/">Moved Permanently</a>.

在命令行上检查它会显示 SAN 部分下的两个名称,所以我不确定为什么这不起作用:

$ openssl x509 -text -noout -in server.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8d:93:a1:be:d1:03:8f:59
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=Los Angeles, O=Alt Systems, OU=Internal, CN=Elliott/emailAddress=xxxxxx
        Validity
            Not Before: Nov  5 21:32:19 2019 GMT
            Not After : Mar 19 21:32:19 2021 GMT
        Subject: C=US, ST=CA, L=Los Angeles, O=Alt Systems, OU=Internal/emailAddress=xxxxxx, CN=alt-pix-la
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:53:b6:0b:f0:94:c1:a8:26:93:79:5a:45:86:
                    36:ac:60:c2:40:a2:bf:25:69:90:9f:8b:b9:3f:63:
                    30:ae:48:cc:f9:f0:9d:d4:15:3d:1c:20:bc:29:6f:
                    57:8f:7d:e9:a5:db:2b:2c:ac:1a:6f:6d:b9:17:98:
                    0e:a0:17:1f:3e:28:4e:42:bd:af:2e:54:dd:ec:ff:
                    7b:00:a5:ed:59:97:8a:6f:95:04:c9:eb:3a:6c:ec:
                    9e:c9:7e:12:ee:ce:cc:be:b7:c1:d3:fe:f6:cf:1d:
                    0d:68:07:68:52:7a:30:5f:f1:29:36:64:b2:a5:e8:
                    5e:a7:f9:75:ab:4b:aa:4b:12:aa:44:59:a3:df:18:
                    45:81:52:b1:4d:00:a4:f2:eb:7e:0d:3e:05:f9:94:
                    1a:aa:e4:2e:9a:ee:0c:59:91:b9:63:f3:5d:98:3b:
                    32:4e:f7:1b:47:e5:a7:54:5c:ba:75:9b:88:09:07:
                    cc:93:06:c3:8a:76:78:83:98:69:1a:8b:e2:fd:cf:
                    70:51:35:09:ba:67:ca:c1:81:f4:65:72:0a:15:7a:
                    12:2d:bc:65:04:7f:b8:c3:22:2b:79:8d:9a:62:54:
                    d2:89:3f:4a:02:72:36:27:6c:ad:50:4d:96:e5:a1:
                    df:8b:fe:51:0b:67:1b:44:4e:57:fc:bb:d7:1d:77:
                    9f:c3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:BC:39:94:F0:DC:DF:5D:8E:12:E1:DA:5F:8F:7C:C8:02:B4:0E:19:19

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:192.168.1.50
    Signature Algorithm: sha256WithRSAEncryption
         54:8e:98:93:53:c2:af:fc:b7:03:5c:6d:d3:7d:9a:d9:2f:99:
         ac:29:dc:0f:02:55:36:9e:70:57:68:df:27:5f:5e:a8:43:05:
         ff:a4:7e:bd:15:99:ff:aa:67:35:93:90:35:e0:e7:20:b4:77:
         7c:bf:6f:29:13:46:fc:56:81:58:60:67:14:ae:a1:1b:44:80:
         92:81:7f:ed:5c:bc:75:36:a9:11:52:9b:28:e1:18:d6:a4:17:
         35:13:6c:bd:be:64:db:70:a5:d4:7f:3e:16:26:73:f9:27:ed:
         7b:03:44:b3:59:2d:53:8d:e2:77:f1:6d:8d:21:c0:d0:2c:96:
         27:0c:c6:4e:6f:63:35:61:3e:b5:62:05:88:76:b5:99:ca:7d:
         64:f9:6b:f4:9b:18:8e:3a:77:82:59:d2:13:c0:14:3c:0a:dc:
         8d:82:38:ca:af:e9:43:06:83:ae:6e:4f:73:29:1d:0a:da:91:
         ea:72:f4:26:f3:59:98:8d:ca:1a:ad:19:17:fd:bb:9f:62:bf:
         85:e0:12:bd:9b:93:26:73:2b:9a:77:ff:c4:34:29:25:fc:c7:
         13:8f:94:b3:28:d7:79:dc:54:57:6c:3d:01:f0:37:5c:a9:28:
         23:13:89:7b:c5:63:51:eb:fc:ad:37:d1:31:cf:f4:2f:8c:9c:
         5f:35:07:79

答案1

您使用的 SAN 类型错误 – 仅限实际域名称在“DNS”类型的 SAN 中是允许的;对于 IP 地址,有“iPAddress”类型([7] OCTET STRING)。

对于 OpenSSL,您可以使用:

subjectAltName=IP:192.168.1.50

subjectAltName=IP:2001:db8:1234::4567

答案2

您必须将您的 IP 地址添加到 SAN。此代码对我有用。像这样添加您的 IP 地址。

[alternate_names]
IP.1 = 127.0.0.1

答案3

使用 OpenSSL 的端到端示例:您需要创建一个名为 openssl-san.cnf 的配置(取自:https://help.bizagi.com/bpm-suite/en/index.html?subjectaltname_support.htm):

[ req ]

default_bits           = 4096

distinguished_name     = req_distinguished_name

req_extensions         = req_ext

 

[ req_distinguished_name ]

countryName            = Country Name (2 letter code)

stateOrProvinceName    = State or Province Name (full name)

localityName           = Locality Name (eg, city)

organizationName       = Organization Name (eg, company)

commonName             = Common Name (e.g. server FQDN or YOUR name)

 

# Optionally, specify some defaults.
countryName_default           = [Country]
stateOrProvinceName_default   = [State]
localityName_default           = [City]
0.organizationName_default     = [Organization]
organizationalUnitName_default = [Organization unit]
emailAddress_default           = [Email]

 

[ req_ext ]

subjectAltName = @alt_names

 

[alt_names]

DNS.1   = [DNS1]

DNS.2   = [DNS2]

IP.1    = [IP Adddress]

然后执行此命令来创建一个密钥和一个证书签名请求(csr):

openssl req -newkey rsa:4096 -keyout key.key -out keycsr.csr -config openssl-san.cnf

要验证您创建的 CSR,请执行以下操作:

openssl req -text -noout -verify -in keycsr.csr

然后,您可以自己签署 CSR,将其传递给 CA 进行签署等等。

相关内容