I want to use self-signed X.509 certificates in our test environment, so I followed Ivan Ristic's "OpenSSL Cookbook". Great resource. I decided to go the private CA route as well.
However, Chrome complains that my site/https endpoint is not secure, with a "NET::ERR_CERT_AUTHORITY_INVALID" error. openssl s_client also raises a verification error: num=48: excluded subtree violation. Firefox gives me a "SEC_ERROR_CERT_NOT_IN_NAME_SPACE" error page.
I am puzzled as to why there is an excluded subtree violation. Given my limited knowledge (first time using the private CA feature), am I perhaps wrongly assuming that my host.cnf has SAN hostnames that are permitted by the nameConstraints in root-ca.conf? I would greatly appreciate any insight that corrects my misunderstanding of the openssl configuration files.
RFC 5280, section "4.2.1.10. Name Constraints", states:
DNS name restrictions are expressed as host.example.com. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, www.host.example.com would satisfy the constraint but host1.example.com would not.
But I have seen many SAN examples where nameConstraints use the leading-dot notation, so I tried both DNS nameConstraints in root-ca.conf. I was desperate, so I assumed both were correct...
The gory details:
I set up my root-ca and sub-ca configuration files and created the corresponding CSRs, root-ca.crt and sub-ca.crt with the following commands:
(on the target machine - but I haven't found any docs saying this is required)
openssl genrsa -aes128 -out host-private.key 2048
openssl req -new -key host-private.key -out host.csr -passin pass:XXXX -config host.cnf
Copied host.csr to my CA environment. I ran the following commands to create the root CA certificate:
openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
Create the intermediate/subordinate CA certificate:
openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
Then, create the host certificate:
openssl ca -config sub-ca.conf -in host.csr -out host.crt -extensions server_ext
I created a chain certificate for deployment into my nginx environment: host.csr + sub-ca.crt + root-ca.crt
I also added root-ca.crt to the host's CA trust store. I use nginx as an SSL/TLS terminating reverse proxy for several internal services via the ngx_http_proxy module. I also added the generated root-ca.crt to the CA trust store of my Chrome installation. The site information Chrome shows correctly includes the root-ca, sub-ca and host certificates in the certificate hierarchy.
host.cnf:
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
# the use of -passin overrides this
input_password = PASSPHRASE
[dn]
CN = rt168openmbee.serc.stevens.edu
emailAddress = [email protected]
O = SERC
L = Hoboken
ST = NJ
C = US
[ext]
subjectAltName = DNS:rt168openmbee.serc.stevens.edu,IP:155.246.39.32
root-ca.conf:
[default]
name = root-ca
domain_suffix = serc.stevens.edu
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "US"
organizationName = "SERC"
commonName = "Root CA"
[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[name_constraints]
permitted;DNS.0=serc.stevens.edu
permitted;DNS.1=.serc.stevens.edu
permitted;IP.0=155.246.39.0/255.255.255.0
excluded;IP.1=0.0.0.0/0.0.0.0
excluded;IP.2=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
noCheck = yes
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
sub-ca.conf:
[default]
name = sub-ca
domain_suffix = serc.stevens.edu
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "US"
organizationName = "SERC"
commonName = "Sub CA"
[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = copy
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 2048
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
Using openssl s_client -showcerts -connect, here are the retrieved certificates (the saved PEM certificates run through openssl x509 -text...).
Host certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
29:d9:fb:61:7a:0f:ba:c3:51:28:a3:05:14:df:8a:b1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Sub CA
Validity
Not Before: Jul 18 19:52:13 2019 GMT
Not After : Jul 17 19:52:13 2020 GMT
Subject: C = US, ST = NJ, O = SERC, CN = rt168openmbee.serc.stevens.edu, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b9:19:1f:2b:2a:54:bc:7a:78:1c:13:33:09:8e:
12:e1:b5:f8:7c:58:f8:29:7e:b4:45:45:6b:5a:3f:
ac:41:f6:d6:bf:4a:08:77:a6:a0:94:dd:26:68:ed:
8a:ec:fc:e9:3e:db:98:45:0c:cf:8a:09:d6:46:14:
a7:bb:d2:f0:da:dd:db:7c:ed:31:7b:20:f7:7d:f0:
f9:13:1a:45:1b:ab:90:79:a7:d7:60:d2:94:70:0e:
79:4c:03:23:c0:b6:f7:dc:93:b4:c7:eb:6e:69:f1:
58:6c:14:07:98:4e:56:9d:01:39:d6:a1:be:da:a5:
76:83:aa:68:30:65:51:23:96:99:fe:05:9c:a7:61:
64:30:b1:f6:38:33:70:6d:8b:25:ce:d9:93:6e:b0:
5e:84:e8:71:4b:55:62:64:f1:6b:b4:ed:7b:dd:b7:
d9:b2:4a:24:29:bb:3b:ad:59:cc:4d:fb:84:6a:91:
45:e7:f1:cc:21:48:40:42:83:03:1e:07:6d:3f:c2:
a6:bf:8f:76:db:f8:9c:a2:a9:88:71:81:f5:d6:48:
d9:17:d9:0d:bb:9d:c5:24:bb:d8:58:93:85:1c:5f:
a4:39:df:8f:d6:9a:2a:2f:9c:34:bb:28:f0:87:fe:
df:9d:41:8a:0b:f6:c5:a3:0c:4c:6c:e1:f4:a6:89:
23:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://sub-ca.serc.stevens.edu/sub-ca.crt
OCSP - URI:http://ocsp.sub-ca.serc.stevens.edu:9081
X509v3 Authority Key Identifier:
keyid:FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://sub-ca.serc.stevens.edu/sub-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
4F:60:83:45:A3:32:DB:C4:5C:AD:C1:BD:69:09:AF:E2:55:13:1A:6A
X509v3 Subject Alternative Name:
DNS:rt168openmbee.serc.stevens.edu, IP Address:155.246.39.32
Signature Algorithm: sha256WithRSAEncryption
07:d1:b6:ab:5d:b4:8a:f7:77:3c:57:06:f3:7c:69:a9:fa:85:
d0:04:b6:3b:24:2b:32:9f:31:4e:33:3b:a9:ed:d8:3e:8a:cf:
aa:19:be:84:86:42:86:9c:d3:c4:a6:35:2e:87:b5:10:40:d2:
05:92:13:e1:e6:00:cc:42:f9:55:ff:14:ba:3e:0e:d8:3c:9b:
d6:47:19:27:61:d3:c1:a4:9f:a9:80:c7:ae:68:c1:bf:a1:3c:
fd:c6:cc:df:16:4e:0b:ca:22:3e:d1:5f:b6:9f:ee:38:84:3b:
65:4d:86:d5:f3:df:03:7a:e1:13:ad:1e:62:8c:ad:ca:3c:d4:
78:89:8a:91:c9:a8:85:58:fa:78:49:ff:94:b5:37:68:72:89:
18:94:d7:08:ec:62:40:a5:35:1d:93:2c:7b:bf:b7:f1:b4:0f:
57:a7:17:69:8d:fb:a4:7d:1f:7b:bd:8c:f6:32:a9:6a:e4:04:
64:89:05:55:ee:43:cf:a3:51:67:35:6c:84:16:62:d3:6e:57:
de:0b:e9:fb:e3:11:a7:ed:94:9e:1e:ef:ec:5f:c4:03:33:cf:
0c:00:5c:8b:9f:ad:4e:b2:89:01:9f:be:49:9d:51:b8:2f:ba:
f3:9d:70:80:69:e3:bf:95:d6:a3:07:ee:fa:8b:84:ac:78:50:
7c:f3:08:0c
Intermediate CA certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:cb
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Root CA
Validity
Not Before: Jul 18 19:49:50 2019 GMT
Not After : Jul 15 19:49:50 2029 GMT
Subject: C = US, O = SERC, CN = Sub CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:be:90:03:fa:85:91:b7:0a:72:6c:0c:81:aa:6d:
19:c1:d6:40:a5:f9:c5:28:35:ce:d6:e1:70:ea:eb:
80:54:2b:ad:87:e5:67:b1:6c:94:df:14:e7:97:9f:
1d:00:a3:db:96:48:e1:76:6f:06:bf:3d:27:f8:62:
74:90:75:95:3c:f2:5d:40:d4:1b:11:61:f0:52:db:
9a:d9:7f:4e:04:76:7f:fa:4e:c2:f2:00:fc:79:fb:
0c:51:aa:b8:39:5a:9c:73:b5:1f:04:cd:76:5c:7b:
a2:4b:41:3e:14:47:e9:d4:b1:b5:46:3b:05:05:99:
cc:63:1e:d8:1c:3d:4a:5a:b4:23:23:3e:39:8a:78:
05:1a:44:ba:fd:a4:b5:98:05:a4:e0:b8:d8:f1:3a:
0a:09:54:2d:4d:db:09:df:88:1c:b4:73:a5:a7:41:
5d:f8:a8:ec:fc:52:b1:6f:36:22:1c:3e:e7:66:93:
90:a7:dc:32:50:21:60:31:57:51:09:76:50:15:f7:
fc:4e:b9:05:ae:b6:93:2e:f4:b0:44:aa:3c:73:a7:
1c:c5:87:d9:54:81:f3:97:42:df:08:77:0b:5d:dd:
01:04:be:5e:1a:94:57:4b:82:65:71:91:3b:ad:58:
82:b7:55:e7:c9:7e:ed:fd:59:0f:83:48:1a:33:d4:
95:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://root-ca.serc.stevens.edu/root-ca.crt
OCSP - URI:http://ocsp.root-ca.serc.stevens.edu:9080
X509v3 Authority Key Identifier:
keyid:F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 CRL Distribution Points:
Full Name:
URI:http://root-ca.serc.stevens.edu/root-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Name Constraints:
Permitted:
DNS:serc.stevens.edu
DNS:.serc.stevens.edu
IP:155.246.39.0/255.255.255.0
Excluded:
IP:0.0.0.0/0.0.0.0
IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
X509v3 Subject Key Identifier:
FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
Signature Algorithm: sha256WithRSAEncryption
ab:93:26:fa:85:ae:72:fa:e3:2d:65:9a:10:a5:c8:cc:e2:1c:
c6:4d:40:53:80:c2:6f:67:24:4e:29:23:b9:75:6e:2f:7f:ce:
7e:fb:2c:64:e8:e6:90:13:2d:39:da:13:3f:a9:71:5b:72:b1:
3b:11:e5:aa:98:e6:cc:47:a7:95:dc:7a:c0:27:2f:52:1e:08:
1f:34:b5:ab:1d:16:53:89:d4:b4:8a:d9:f7:ca:4d:7a:5a:bc:
9a:16:ed:45:5d:18:2a:50:0b:57:12:ea:23:8a:b8:f1:2b:26:
5b:1a:e8:7b:35:37:de:22:8f:cf:ae:f6:4f:7f:3e:88:0b:21:
40:40:46:53:ad:83:6a:3a:26:ba:0e:28:ba:0c:8d:04:56:e3:
59:d5:7d:13:06:d2:89:b1:5c:50:0c:54:60:09:bc:22:b8:96:
e8:42:8c:a6:dd:47:86:6f:16:bd:a9:45:3f:b6:f1:4d:58:82:
cf:e9:e2:e2:be:2b:2d:97:e5:0d:df:24:09:96:95:1d:1a:08:
94:87:73:6c:61:1a:70:36:ae:55:79:a8:ae:58:66:0d:2a:94:
32:27:91:bb:0a:5c:2f:64:b8:fe:a2:5f:3d:f7:d9:66:a9:2a:
e4:6b:9b:7f:66:ba:7a:61:e6:57:4f:c8:8b:5c:74:d7:0b:db:
a3:cb:d2:97:50:95:6f:34:64:24:ce:7a:0b:c3:dd:3a:7c:81:
d1:48:5e:74:af:7f:9c:fc:73:3b:01:b9:a9:d7:67:87:7b:81:
b0:99:9b:a5:29:1d:97:bb:70:61:48:32:13:e8:20:da:f5:7a:
96:2b:c0:04:1f:b2:27:a3:cb:35:a0:63:08:e3:5b:8e:ae:87:
60:c9:85:9e:b7:4a:a7:12:8f:81:3b:7d:5b:00:05:be:54:bd:
49:4e:1c:73:0e:c7:51:27:40:82:63:e4:48:d5:94:f3:63:53:
a1:84:5c:ca:3a:91:94:ca:23:de:65:48:5b:ff:7e:e6:79:8b:
a1:bf:c0:2d:9f:91:b5:c5:66:3c:58:e8:b8:e9:8f:81:18:cb:
7e:eb:46:4b:59:5d:d1:34:74:3f:92:c4:0d:9e:4a:ec:25:f4:
48:f4:d8:c9:a1:8f:72:2f:a5:8b:a2:14:16:f1:84:41:9b:df:
85:99:62:af:50:ab:c0:4d:4c:a9:7a:d0:31:24:4f:04:00:e3:
16:bb:53:08:fa:66:8b:d5:15:2b:22:62:ac:64:38:c2:2f:c0:
fa:ad:a1:be:b6:67:f6:f6:ac:af:a4:33:ea:4a:a0:8d:49:ad:
35:3c:6f:ae:b3:b6:a0:e6:84:df:32:36:46:73:48:26:28:a2:
10:9a:d2:2c:85:48:d7:d4
Root CA certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Root CA
Validity
Not Before: Jul 18 19:47:30 2019 GMT
Not After : Jul 15 19:47:30 2029 GMT
Subject: C = US, O = SERC, CN = Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:c7:6a:ca:cb:b6:3b:23:63:f4:21:32:37:a6:b8:
ed:34:0a:06:38:06:7a:cf:3a:0a:6e:36:ef:81:d0:
01:2d:e7:ea:dc:d9:46:d7:45:f3:ed:84:ed:7e:20:
6a:e2:00:34:43:4e:2a:fc:2b:53:ef:d2:af:1e:25:
c9:ed:e0:34:d0:9a:03:c2:50:16:46:96:89:cb:6d:
43:b4:17:61:49:07:53:85:62:d6:27:b5:0a:b0:87:
3b:b6:e3:ba:f7:b9:35:77:37:bb:ae:a8:7e:04:0f:
54:e2:b3:26:b0:3f:65:01:27:fc:dc:ac:b6:3a:a4:
d0:ea:6a:d2:f5:c5:7c:be:43:0f:41:d1:9d:1c:1c:
61:e1:ba:af:03:95:30:10:a9:3d:52:64:ce:70:40:
bd:dc:0d:53:35:00:c1:e9:e1:68:fd:f5:d5:d1:a1:
e4:c7:c7:22:fb:56:6f:a6:e1:ea:48:e8:61:fb:8c:
76:28:8a:4e:18:84:ab:f3:9b:d5:49:7c:04:40:15:
83:4d:26:2b:33:92:84:7e:f2:75:1b:0b:4c:d6:54:
c3:f2:4a:9f:13:72:ab:9c:92:a4:42:77:99:00:25:
91:c1:b6:87:bd:fa:f1:07:f0:ce:72:0f:3c:be:bc:
79:58:f6:8b:6e:07:bc:5d:ee:23:be:0d:d5:d6:91:
22:f4:73:1b:4f:5f:cc:82:87:57:61:50:96:8c:69:
0b:ae:f7:40:47:7c:62:4e:2e:77:3e:8c:f1:41:7d:
e8:64:d5:bf:24:36:99:bb:0c:46:0e:28:7b:52:95:
7d:b8:f2:e5:91:0d:07:ea:cb:9c:9d:08:dd:1f:e2:
3a:02:6a:5b:36:d1:ff:b9:0f:a4:08:ed:12:38:7a:
0b:a1:68:7e:be:b1:bb:90:e2:6a:9f:33:8f:d4:d2:
8b:ba:84:db:f9:c6:d7:94:19:d5:cd:db:ce:b3:ba:
53:36:51:9a:16:12:57:f9:16:27:1e:23:3b:09:c0:
2b:d8:f3:cf:d7:d2:ec:2d:b0:fd:bf:dc:85:7d:cb:
9d:cc:e1:70:0d:2a:fd:43:4f:48:3d:89:09:33:2e:
6b:e8:f0:ba:ca:21:9c:32:79:a2:64:e1:dc:75:8b:
ed:0b:32:50:5b:b1:b5:0b:11:7a:d4:f0:d9:df:f7:
61:04:4a:c5:41:c7:0e:cb:e5:c7:1a:3c:6e:7b:63:
8b:bd:e5:f2:99:c8:2e:5c:e4:ed:a0:1d:b4:c1:64:
b8:71:27:23:23:2f:93:54:b4:d8:99:b5:a4:35:7b:
dd:82:ef:b4:ee:d4:fb:f4:91:58:af:5e:f2:8f:37:
9d:5a:9f:62:99:f9:26:31:d8:74:08:71:2f:bc:1d:
40:a6:43
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
Signature Algorithm: sha256WithRSAEncryption
16:77:4d:7b:ef:89:3d:31:45:07:8f:a3:c4:ad:ed:89:a0:9b:
b6:ab:74:59:1a:fb:7b:48:e1:e0:3c:75:73:dc:e3:e2:1b:a3:
74:a1:0d:37:ea:ac:85:fb:1c:e0:86:f1:86:ee:78:51:fd:4d:
58:04:8b:5c:6b:b3:06:1c:07:04:a1:c5:51:a9:d1:4c:24:42:
7c:ef:1e:35:c5:df:00:79:44:91:a1:f5:cb:71:5b:a7:85:b1:
f3:36:3c:75:e7:f8:d5:29:85:18:2e:ff:79:e1:eb:1f:72:24:
6a:36:a4:17:4e:76:4d:5d:d1:85:c4:18:c3:f4:83:07:10:3f:
7a:e2:36:33:48:1d:da:5d:08:2a:59:4f:3a:97:74:b7:d8:97:
85:b0:b1:82:f8:46:d5:df:75:d9:56:77:34:0e:26:d5:3a:eb:
8b:02:5e:d1:c3:fd:16:22:1f:ab:86:76:c4:cf:5b:d5:d5:bd:
da:70:76:9e:18:bd:2f:16:c0:89:fe:cc:e0:93:63:f0:23:65:
37:4c:6c:f5:e4:a7:fd:b2:02:86:91:6a:f5:31:b2:93:cc:33:
87:38:57:6b:55:59:7e:ed:02:13:5d:6f:4f:15:91:ac:7e:7f:
52:57:35:de:ec:87:38:bf:fe:7e:bd:5d:3c:ef:43:a9:d1:13:
ab:ed:6f:ac:cf:bf:7e:e8:35:0b:92:97:08:05:78:db:68:e0:
b1:05:2a:49:6e:00:34:71:a5:0f:5b:1c:17:47:9e:23:6f:64:
d7:f0:93:60:12:7f:6d:0a:cd:15:e7:de:72:c4:76:86:ef:4d:
65:c6:2a:1a:c4:35:0e:08:07:c5:ee:34:aa:9e:e1:90:d4:66:
87:0f:1f:32:fa:21:7e:4f:01:9b:6d:19:20:ed:e5:9d:1a:ee:
b3:e6:c4:93:4b:a4:cc:62:db:65:c1:b9:3b:05:a8:45:38:87:
29:6d:8c:86:86:7b:c5:3d:89:85:c8:8e:f5:da:7d:c5:89:31:
49:7b:af:9e:ff:03:89:db:ac:65:c5:5f:78:0d:cf:91:6f:19:
6a:e4:eb:b6:d5:46:ff:3b:8c:44:cd:00:7b:3c:ed:6f:f6:79:
61:93:12:08:58:7c:d5:02:9b:a7:4c:a0:c6:1a:f8:d9:b1:b6:
1e:77:75:1d:24:e8:d2:ff:61:ee:a8:85:e5:1b:49:cf:3c:91:
56:ea:e5:0e:6e:39:96:d0:d4:b7:95:25:e3:1a:a3:82:26:c8:
3f:53:47:fe:93:10:c4:bf:91:b5:7d:40:d2:2e:22:8e:7f:e5:
8a:4c:6e:03:04:de:f7:81:95:fc:a9:0f:31:51:ab:21:9d:20:
06:64:c2:9e:41:db:07:86
Answer 1
Your server certificate is invalid because you excluded its IP address in the CA certificate. Here is the relevant text from RFC 5280:
Any name matching a restriction in the excludedSubtrees
field is invalid regardless of information appearing in the
permittedSubtrees.
Just drop the excluded part from your CA certificate and everything should work. If the name constraints contain only a permitted section, all other names are forbidden anyway.
Read this blog post for a better explanation of how subtrees are handled.
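To make the interplay between the two subtree lists visible, here is an added Python example (not code from the question, the answer or OpenSSL) that evaluates the host certificate's subjectAltName entries from the question against the [name_constraints] section of the posted root-ca.conf, following the RFC 5280 rules quoted in the question (DNS matching by adding labels on the left) and in the answer (an excluded match wins regardless of permitted entries). The constraint and SAN values are copied from the page; the checker functions are my own, and the treatment of a leading-dot DNS constraint as a suffix that needs at least one extra label is my reading of how OpenSSL handles that form. It also shows the second point of the answer: with only a permitted section, names outside it are still rejected.

```python
import ipaddress

# Constraint and SAN values copied from the question's root-ca.conf and host
# certificate; the checker itself is added example code, not OpenSSL's.
NAME_CONSTRAINTS = {
    "permitted": [("DNS", "serc.stevens.edu"),
                  ("DNS", ".serc.stevens.edu"),
                  ("IP", "155.246.39.0/255.255.255.0")],
    "excluded": [("IP", "0.0.0.0/0.0.0.0"),
                 ("IP", "0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0")],
}
HOST_SANS = [("DNS", "rt168openmbee.serc.stevens.edu"), ("IP", "155.246.39.32")]


def dns_matches(name, base):
    """RFC 5280 4.2.1.10: a DNS constraint 'host.example.com' is satisfied by
    the name itself or by any name formed by adding labels on the left.
    A constraint with a leading dot ('.example.com') is treated here as a pure
    suffix, so it requires at least one extra label (assumption: this mirrors
    how OpenSSL reads that form)."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    if base.startswith("."):
        return name.endswith(base) and len(name) > len(base)
    return name == base or name.endswith("." + base)


def ip_matches(addr, base):
    """IP constraints are encoded as address/mask in the family's own notation
    (v4 dotted quad or v6 groups); the SAN matches when it falls in that
    subnet.  A v4 address never matches a v6 constraint and vice versa."""
    net_addr, mask = base.split("/")
    ip, net = ipaddress.ip_address(addr), ipaddress.ip_address(net_addr)
    if ip.version != net.version:
        return False
    mask_int = int(ipaddress.ip_address(mask))
    return (int(ip) & mask_int) == (int(net) & mask_int)


def check_san(san, constraints):
    """Apply the RFC 5280 order of evaluation to one SAN entry: any excluded
    match rejects outright; otherwise, if permitted subtrees of this name type
    exist, the name must fall inside one of them.  Returns (ok, reason)."""
    kind, value = san
    match = dns_matches if kind == "DNS" else ip_matches
    for c_kind, c_value in constraints.get("excluded", []):
        if c_kind == kind and match(value, c_value):
            return False, f"excluded subtree violation: {kind}:{value} in {c_value}"
    permitted = [v for k, v in constraints.get("permitted", []) if k == kind]
    if permitted and not any(match(value, p) for p in permitted):
        return False, f"permitted subtree violation: {kind}:{value}"
    return True, "ok"


def check_cert(sans, constraints):
    """Return the first failing SAN's verdict, or (True, 'ok') when all pass."""
    for san in sans:
        ok, reason = check_san(san, constraints)
        if not ok:
            return ok, reason
    return True, "ok"


def main():
    # As issued: the IP SAN lies inside the permitted /24 but also inside the
    # excluded 0.0.0.0/0, and the excluded list wins -> the chain fails.
    print(check_cert(HOST_SANS, NAME_CONSTRAINTS))
    # The answer's fix: keep only the permitted section.
    permitted_only = {"permitted": NAME_CONSTRAINTS["permitted"]}
    print(check_cert(HOST_SANS, permitted_only))
    # With only a permitted section, anything outside it is still rejected.
    print(check_cert([("DNS", "host1.example.com")], permitted_only))
    print(check_cert([("IP", "10.0.0.1")], permitted_only))


if __name__ == "__main__":
    main()
```

Running it reproduces the question's failure (the IP SAN hits the excluded 0.0.0.0/0.0.0.0 entry even though it is inside the permitted 155.246.39.0/24), shows the chain passing once the excluded lines are dropped, and shows that the bare "serc.stevens.edu" constraint already covers rt168openmbee.serc.stevens.edu, so the leading-dot duplicate adds nothing.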