openvpn client certificate error, showing "unsupported certificate purpose"


I followed the instructions in this wiki to generate an OpenVPN client certificate. This involves:

easyrsa gen-req client1 nopass

I tried to use this client1 certificate in my OpenVPN setup. The server log shows the following (note: for security reasons the IP address has been changed from the public IP to 192.168.0.2):

192.168.0.2:5570 TLS: Initial packet from [AF_INET]192.168.0.2:5570, sid=1e71335b cc13ec8f
192.168.0.2:5570 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=client1
192.168.0.2:5570 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
192.168.0.2:5570 TLS_ERROR: BIO read tls_read_plaintext error
192.168.0.2:5570 TLS Error: TLS object -> incoming plaintext read error
192.168.0.2:5570 TLS Error: TLS handshake failed
192.168.0.2:5570 SIGUSR1[soft,tls-error] received, client-instance restarting

So the obvious error should be this one:

VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=client1

I checked the certificate with the following command:

openssl x509 -in client1.crt -text -noout -purpose

and the certificate purposes section of the output looks like this:

Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

My questions:

  1. What is wrong with my client certificate?
  2. What should I do to generate a correct certificate?

Answer 1

The correct way to enable nsCertType is through the easy-rsa vars file:

# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature.  If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no".  When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.

#set_var EASYRSA_NS_SUPPORT "no"
 set_var EASYRSA_NS_SUPPORT "yes"

The generated certificate has the following purposes:

    X509v3 Extended Key Usage: 
        TLS Web Client Authentication
    X509v3 Key Usage: 
        Digital Signature
    Netscape Comment: 
        Easy-RSA Generated Certificate
    Netscape Cert Type: 
        SSL Client

Answer 2

It turned out that the default client configuration of easy-rsa (v3.0.3) was the source of the problem. The default content of the file x509-types/client is:

# X509 extensions for a client

basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature

There is no nsCertType defined. To fix this, you need to change this file (in the copy of easy-rsa you are using) and add the following line:

nsCertType = client

After that, the same client certificate generation command works.

P.S.: Thanks to @lenniey for telling me where to look, and to @Andrew for the openssl command alternative.

Answer 3

What is wrong with my client certificate?

The generated certificate does not have the SSL client option configured, so the easy-rsa configuration is incorrect.

What should I do to generate a correct certificate?

You can try to fix the easy-rsa tool, or use openssl directly. You need access to the CA signer's key to do this with openssl:

openssl x509 -req -in <path to client csr> -CAkey <path to CA key> -CA <path to CA cert> -CAcreateserial -out client1.pem

This will create a certificate signed by the CA (required for authentication with OpenVPN) and should also provide the SSL client and SSL server usage options.
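As an added example (not part of the question or of any of the three answers above, and not easy-rsa's own code), the following POSIX shell script signs one client1 CSR three different ways with plain openssl, combining what Answer 2's x509-types file and Answer 3's openssl x509 -req command do, and then queries the same openssl x509 -purpose lines the question shows. It also runs openssl verify -purpose sslclient, which applies the same purpose check that OpenSSL performs on the server side of the TLS handshake, so it reproduces the "unsupported certificate purpose" condition without an OpenVPN server. The throwaway CA, key sizes, file names and the three extension sets (easy-rsa's default client type, that type plus nsCertType = client as in Answer 2, and a server-style type with nsCertType = server as produced with EASYRSA_NS_SUPPORT "yes" from Answer 1) are this example's own assumptions built from the excerpts on this page. It needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the original page. Signs one CSR with three
# extension sets and reports what OpenSSL's purpose checks make of each.
# All names, paths and extension files below are this example's assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA plus a client CSR: stand-ins for "easyrsa build-ca" and
# "easyrsa gen-req client1 nopass". A minimal config file is supplied so
# openssl req does not depend on the system openssl.cnf.
make_ca_and_csr() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/req.cnf" -subj /CN=Example-CA \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/req.cnf" -subj /CN=client1 \
        -keyout "$WORK/client1.key" -out "$WORK/client1.csr" 2>/dev/null
}

# Three x509-types style extension files (assumed, built from this page):
# easy-rsa's default client type, Answer 2's patched client type, and a
# server type as produced with EASYRSA_NS_SUPPORT "yes".
write_types() {
    cat > "$WORK/client-default" <<'EOF'
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
    { cat "$WORK/client-default"; echo 'nsCertType = client'; } > "$WORK/client-ns"
    cat > "$WORK/server-ns" <<'EOF'
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
nsCertType = server
EOF
}

# Sign the CSR with one extension file, as "easyrsa sign-req" applies an
# x509-types file. $1 = extension file, $2 = output certificate.
sign_with() {
    openssl x509 -req -sha256 -days 1 -in "$WORK/client1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$1" -out "$2" 2>/dev/null
}

# Print "Yes" or "No" for one line of "openssl x509 -purpose" output.
# $1 = certificate, $2 = purpose name exactly as printed, e.g. "SSL client".
purpose_of() {
    openssl x509 -in "$1" -noout -purpose |
        awk -F' : ' -v p="$2" '$1 == p { print $2 }'
}

# The check the OpenVPN server's OpenSSL performs on a presented client
# certificate: chain verification with purpose "sslclient". Exit 0 = accepted.
verify_as_client() {
    openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_ca_and_csr
write_types
sign_with "$WORK/client-default" "$WORK/client1-default.crt"
sign_with "$WORK/client-ns"      "$WORK/client1-ns.crt"
sign_with "$WORK/server-ns"      "$WORK/client1-server.crt"

for c in client1-default client1-ns client1-server; do
    printf '%-16s SSL client: %-3s SSL server: %-3s verify -purpose sslclient: ' \
        "$c" "$(purpose_of "$WORK/$c.crt" 'SSL client')" \
        "$(purpose_of "$WORK/$c.crt" 'SSL server')"
    if verify_as_client "$WORK/$c.crt"; then echo OK; else echo FAIL; fi
done
```

The first two certificates pass the sslclient purpose check (extendedKeyUsage clientAuth and keyUsage digitalSignature are what OpenSSL requires for it; nsCertType is only consulted when present), while the third reproduces the question's purpose table, with "SSL client : No" and "SSL server : Yes", and is rejected by openssl verify with the same "unsupported certificate purpose" error the OpenVPN server logged.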
