我已通过 VPS 提供商 (1&1) 签署了 Geotrust 的 SSL 证书 (Quick SSL Premium)。我完全按照指示做了这里,我已在子域的虚拟主机文件中添加了所有指令,但 SSL 证书似乎不受信任。可能的原因是什么?
我运行的是 Ubuntu 10.04 Lucid Lynx,启用了 Apache2 和 mod_ssl
答案1
可能的原因有:
客户端的时钟设置不正确。
客户端的浏览器没有将 CA 设置为受信任。
服务器上未正确安装证书或未设置相应的私钥。
需要中间证书,但服务器上未正确安装。
客户端未尝试通过证书中列出的名称访问站点。
证书已被撤销或者已损坏。
如果您分享 URL,我们可以立即缩小问题范围。
答案2
您可以使用在线 sslChecker 测试您的证书安装:
http://www.sslshopper.com/ssl-certificate-tools.html
如果您的 CA 证书或直接证书有问题,它会立即通知您。
but the SSL Certificate seems to be untrusted. What are the possible reasons for that?
最有可能的是,证书签名请求中分配的通用名称与使用该证书的主机名不匹配。您需要确保这些名称匹配,域和子域。在多个子域上使用相同证书的唯一方法是使用通配符证书。但是,这通常与传统的证书服务(单域证书)不同。
使用 openssl 的 Apache CSR 示例:
$ openssl req -new -newkey rsa:2048 -nodes -keyout myPrivatekey.key -out mycsr.csr -config openssl.conf
Generating a 2048 bit RSA private key
.....+++
.....................................+++
writing new private key to 'mykey.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:North Carolina
Locality Name (eg, city) []:Raleigh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Somebody,
Inc.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:test.testdomain.com (MUST MATCH HOST)
Email Address []:[email protected]
然后,您将它发送给您的 CA 提供商,他们将生成公共证书、根证书和中间证书。使用通过 CSR 生成的私钥。
Apache httpd.conf 设置:
# Secure (SSL/TLS) connections
<IfModule ssl_module>
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
#CA certificates for root and intermediate
SSLCACertificateFile "C:/certs/Geotrust/caroot.crt"
SSLCertificateChainFile "C:/certs/Geotrust/caIntermediate.crt"
#Generated first via openssl; Server public and private keys.
SSLCertificateFile "C:/development/certs/Geotrust/myPublicKey.crt"
SSLCertificateKeyFile "C:/development/certs/Geotrust/myPrivatekey.key"
</IfModule>
<VirtualHost *:443>
SSLEngine On
DocumentRoot "C:/website"
ServerName test.testdomain.com