Chrome client certificate prompt does not list my certificate

I am responsible for the certificate scheme at my organization, and I am trying to comply with Google Chrome's new requirement regarding RFC 2818 (the requirement for a Subject Alternative Name in server certificates).

In my attempts I am using Easy-RSA (which uses OpenSSL) to generate my root CA as well as my server and user certificates. I successfully generated client certificates, and they show up in the Windows MMC; however, Chrome does not list them when it prompts for a client certificate while accessing our website (which is configured to require a certificate).

These are the properties of a valid old certificate (which is shown in the Chrome prompt window); its intended purpose, as shown in the MMC list view, is <All>:

This certificate is intended for the following purpose(s):
   * All application policies

Version: V3
Serial number: a1 ed ...
Signature algorithm: sha1RSA
Signature hash algorithm: sha1
Issuer: MyOrganization
Valid from: Sunday, June 23, 2013 3:35:55 PM
Valid to: Sunday, January 01, 2040 2:59:59 AM
Subject: My Name, [email protected]
Public key: RSA (1024 Bits)
Authority Key Identifier: KeyId=0f d9 ...
Thumbprint algorithm: sha1
Thumbprint: 40 11 ...

These are the properties of the certificate that is not shown; its intended purpose in the MMC list view is "Client Authentication":

This certificate is intended for the following purpose(s):
   * Proves your identity to a remote computer

Version: V3
Serial number: 07
Signature algorithm: sha256RSA
Signature hash algorithm: sha256
Issuer: MyOrganization2
Valid from: Thursday, April 27, 2017 7:29:09 PM
Valid to: Sunday, April 25, 2027 7:29:09 PM
Subject: My Name
Public key: RSA (2048 Bits)
Basic Constraints: Subject Type=End Entity
                   Path Length Constraint=None
Subject Key Identifier: c6 cf ...
Authority Key Identifier: KeyId=0a 21 ...
Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
Key Usage: Digital Signature (80)
Thumbprint algorithm: sha1
Thumbprint: 0a 12 ...

I have exhausted my internet search abilities trying to solve this, so please help if you can. Alternatively, please help me understand how to create a valid certificate chain (CA, server, client) with OpenSSL (or Easy-RSA) that complies with RFC 2818 and is recognized by Google Chrome (v.58). Thanks!

Edit

This is the output of running openssl s_client against my server:

CONNECTED(0000011C)
---
Certificate chain
 0 s:/C=IL/L=*****/O=*****/CN=www.*****.com
   i:/C=IL/O=*****/CN=***** Intermediate CA
 1 s:/C=IL/O=*****/CN=***** Intermediate CA
   i:/C=IL/L=*****/O=*****/CN=***** Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFhz...
-----END CERTIFICATE-----
subject=/C=IL/L=*****/O=*****/CN=www.*****.com
issuer=/C=IL/O=*****/CN=***** Intermediate CA
---
No client certificate CA names sent
---
SSL handshake has read 3006 bytes and written 401 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: B30B0...
    Session-ID-ctx: 
    Master-Key: 3C40F...
    Key-Arg   : None
    Start Time: 1493541902
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
