我正在尝试创建一个自签名证书,以使用 HTTPS 连接访问我的内部网站 (jira.intranet.com)。我已成功遵循此文章https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line(第三个答案),解决 Google Chrome 抱怨没有 subjectAltName。
以下是我用过的命令。
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -subj "/C=UK/ST=State/L=Locality/O=Home/CN=Home Root CA" -out ca.crt
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=UK/ST=State/L=Locality/O=Home/CN=*.intranet.com" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:jira.intranet.com,DNS:www.jira.intranet.com") -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
openssl x509 -in server.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c6:0f:5d:0d:40:83:18:fb
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=UK, ST=State, L=Locality, O=Home, CN=Home Root CA
Validity
Not Before: Jul 27 22:14:13 2018 GMT
Not After : Jul 24 22:14:13 2028 GMT
Subject: C=UK, ST=State, L=Locality, O=Home, CN=*.intranet.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f2:a4:2c:56:3e:81:56:fc:78:44:cc:f2:25:31:
b9:56:3d:41:fa:76:5d:b6:e0:f1:8d:3b:d9:ba:f4:
2e:0b:90:2b:9c:69:05:f8:68:4d:d4:b3:97:e4:4b:
c5:82:14:18:38:27:ad:fb:0c:e9:fe:cc:03:ed:49:
27:a0:f1:c7:00:a3:95:70:e9:9a:be:1e:55:3f:2c:
af:d8:e2:a8:1c:28:29:13:2f:b0:41:2c:66:b8:c8:
db:5b:c3:1e:51:bc:f7:53:59:4d:c9:14:42:7b:46:
08:d8:c1:78:5f:cc:92:3d:0c:4d:1e:bc:59:93:86:
0d:41:6f:2b:2e:00:57:ca:b0:a9:8f:ed:6b:f8:95:
d0:5b:f8:da:63:db:e9:05:24:2f:f7:e4:b2:b4:f7:
29:25:77:96:fe:56:18:ab:e9:72:68:b3:7e:eb:6d:
23:ad:63:5c:f5:77:65:42:e6:bf:9c:31:06:65:f0:
59:eb:03:70:c1:00:29:5e:90:9b:6a:c5:34:c6:a5:
bf:77:f9:a9:ae:c0:dc:68:41:45:4e:e1:d3:73:be:
bd:a1:02:ce:bb:2b:e5:55:19:1f:10:93:64:84:4f:
39:d0:86:d0:b4:cc:f4:66:2f:52:2f:44:9a:31:91:
05:69:b0:14:4f:e5:19:a1:c3:c5:3a:33:f1:5f:e5:
9a:87
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:jira.intranet.com, DNS:www.jira.intranet.com
Signature Algorithm: sha256WithRSAEncryption
20:d4:28:f2:aa:84:83:f2:f9:20:06:0b:1d:2d:cd:d6:ef:d6:
9c:66:fa:55:af:f9:b0:c7:db:06:f7:ff:8d:b6:31:b5:35:03:
36:59:93:59:f1:79:3a:f8:be:6a:6a:21:d1:9f:5c:a3:b4:95:
34:02:22:e9:8b:ba:ac:7e:dd:68:73:17:d3:0d:c8:3f:c2:25:
f9:d8:f0:70:7f:25:5f:cf:6b:84:fd:fe:8b:b0:77:44:4c:0c:
cf:a4:83:35:75:df:3b:46:bd:c0:83:bf:9b:cc:39:fd:69:74:
14:02:1b:c0:92:7f:c7:a0:fe:d2:48:03:04:f5:93:41:77:a2:
e9:b5:fa:c4:f3:79:85:06:4b:55:71:31:29:b1:48:59:20:9e:
1b:c6:08:e8:f0:12:8c:8c:f8:67:02:31:fc:31:5f:76:93:f0:
0e:8f:d2:75:f6:77:42:60:8b:5a:c9:60:33:39:f7:01:0a:09:
1a:ff:3b:94:33:4b:d1:9d:49:b2:63:7d:1d:d0:55:4c:db:8c:
56:65:b5:7f:50:16:ee:ab:05:66:3b:75:7f:80:2c:94:00:1e:
04:39:75:a7:81:89:6c:a0:37:ca:22:a3:7c:95:29:57:b2:b4:
b4:a9:6c:ab:77:81:7d:c3:20:d5:57:43:73:29:b7:e1:ee:6c:
a3:b0:5f:98
如果我在 OS X 上访问 jira.intranet.com,查看证书,将证书拖到桌面,导入到 OS X KeyChain 并将信任设置更改为“全部信任”,那么我就可以访问该网站并且它被标记为安全,如下面的屏幕截图所示。
如果我现在在 Google Chrome 中访问 jira.intranet.com,但这次是在 Windows 上,我会看到以下屏幕,抱怨 ERR_CERT_AUTHORITY_INVALID。
我预料到了这一点,因为在 OS XI 中,我需要添加证书才能在此设备上受信任。但是,我注意到它报告“Windows 没有足够的信息来验证此证书”。我相信这是我的主要问题,我不确定如何解决它。
我继续将我在 OS X KeyChain 中使用的相同证书添加到 Windows‘受信任的根证书颁发机构’中certmgr.msc。
这并没有解决我的问题,截图如下。
因此,当我可以在 OS X 上以“安全”方式访问我的网站时,却无法在 Windows 上访问。我相信这与我用于创建证书的过程有关,但我不是证书专家,不确定如何继续。
任何帮助都将不胜感激。
答案1
好吧,设法让它与下面的行一起工作以创建证书。
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt -subj "/C=UK/ST=State/L=Locality/O=Home/OU=IT/CN=jira.intranet.com" -reqexts SAN -extensions SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:jira.intranet.com,DNS:www.jira.intranet.com"))