各位,
因此,我尝试为我的域名创建一个自签名证书,但出于某种原因,openssl 一直为我的服务器创建 V1 证书而不是 V3 证书,这导致浏览器在我使用时不给我“绿色锁”。
知道为什么会发生这种情况吗?
这是我的 server.crt 文件:
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
30:61:e6:70:fd:e4:c9:f6:23:ed:e1:1c:cd:8c:c9:9e:68:7b:01:cf
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights, emailAddress = [email protected]
Validity
Not Before: Aug 13 14:33:12 2019 GMT
Not After : Aug 10 14:33:12 2029 GMT
Subject: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:95:61:7c:ff:6d:61:12:fa:1d:a9:e0:93:31:ca:
c6:dc:3f:96:73:a2:37:92:1c:eb:00:69:40:0d:09:
75:ec:7c:3d:ea:30:74:0c:30:87:a7:d8:42:e3:bd:
8c:8c:9a:bc:61:9e:fb:ba:bd:2a:75:a3:42:a1:6c:
d0:12:7c:68:01:1b:e1:ca:e4:43:f6:c4:de:b3:40:
4e:23:7e:a2:3c:59:d2:cd:01:65:f5:07:54:a9:56:
f6:d3:56:03:09:cd:ee:7a:48:77:7d:0d:52:20:ab:
c4:7e:e3:11:de:88:67:04:01:09:f3:fc:fc:ab:22:
4e:a5:7a:fe:59:5a:66:89:b2:45:e3:e7:f9:ea:16:
0e:96:12:9b:fc:74:0b:e2:69:b9:9e:72:36:00:27:
0f:76:c3:d2:e4:45:c1:a7:dd:b5:d4:1b:cc:12:ea:
3e:75:0a:36:6a:83:0a:f8:4f:33:3f:be:a0:d7:22:
17:16:b8:aa:36:78:fd:d7:06:b2:24:d9:7e:a3:93:
52:53:c9:c4:01:fb:37:94:75:ec:a3:e9:2b:93:59:
38:98:a1:7c:0c:01:c5:76:ab:a7:9e:0e:1d:40:1c:
ad:44:47:6a:52:9a:48:bb:31:26:8d:74:9f:b9:ab:
13:02:38:a5:0c:0c:d6:f9:f5:41:58:94:6f:45:c8:
80:a1
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
a1:e2:82:3d:57:34:50:14:8b:40:6a:bd:9f:b6:ad:98:0c:c6:
7f:44:9d:0a:e7:e7:0e:c3:1d:3d:13:0a:66:1d:e5:2c:eb:a0:
3e:a4:b1:d5:63:66:8e:83:b6:38:0a:06:29:f0:1c:2e:71:56:
db:3f:d4:86:8a:ec:72:25:38:1a:e4:91:7b:72:e2:16:0e:bc:
d3:53:a8:84:65:f2:e6:67:c9:4f:6c:1b:23:e5:f7:6a:8f:fc:
6a:0a:c6:bc:d7:f7:d5:12:72:63:d9:73:27:ed:d6:16:78:66:
a4:07:64:1a:99:b6:a2:c4:8a:15:2e:78:d4:ac:95:09:5c:1d:
e2:d8:a7:ef:79:99:c7:68:5c:21:e4:1d:f0:7d:a9:f9:5f:28:
88:1f:a8:9d:1f:d4:9b:b8:52:25:e4:79:29:32:db:12:a5:5f:
d2:fb:9f:45:91:af:ae:2c:87:0e:23:4f:2d:25:26:4d:0f:9d:
ee:85:86:e8:9f:c2:f6:ad:31:ad:40:f4:3f:6d:4c:dc:9c:71:
2b:4e:88:2e:28:33:68:26:66:10:c9:54:1e:8a:79:70:3e:7b:
ed:1f:bb:39:e6:7a:30:90:3f:ae:f1:11:28:0f:41:b6:f5:e4:
cf:d9:40:b7:15:7d:ab:94:97:56:f3:9f:9f:ce:b2:8a:0b:5c:
26:53:00:19
这是我的配置文件:
# OpenSSL configuration
[ req ]
prompt = no
string_mask = default
# The size of the keys in bits:
default_bits = 2048
distinguished_name = req_dn
req_extensions = req_ext
[ req_dn ]
# Note that the following are in 'reverse order' to what you'd expect to see in
# Windows
# Locality style:
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Boss Insights
organizationalUnitName = DevOps
commonName = Boss Insights
[ req_ext ]
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature
extendedKeyUsage=serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = files.bossinsights.com
如果您需要任何其他信息来帮助解决我的问题,请让我知道,我将不胜感激!
答案1
您的 CA 未将 CSR 中请求的扩展添加到已签名的证书中。当 OpenSSL 创建没有扩展的证书时,它会将其标记为版本 1 证书。
查看copy_extensions选项,它应该放在选项指向的部分中default_ca。具体来说,将其设置为copy或copyall(最好是前者)。这将导致将openssl ca任何请求的扩展从 CSR 复制到签名证书,并将其标记为版本 3。
这是一个可以正常工作的示例:
创建证书颁发机构:
创建一个 OpenSSL 配置文件,并将其命名为root_create.cnf:
################ Req Section ################
# This is used by the `openssl req` command
# to create a certificate request
[ req ]
# Don't prompt for the DN, use configured values instead
# This saves having to type in your DN each time.
prompt = no
string_mask = default
distinguished_name = req_dn
# The size of the keys in bits:
default_bits = 4096
# The extensions added when generating a CSR
#req_extensions = req_ext
[ req_dn ]
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Boss Insights
organizationalUnitName = CA
commonName = Boss Insights Certification Authority
[ req_ext ]
# Extensions added to the request
################ CA Section ################
# This is used with the 'openssl ca' command
# to sign a request
[ ca ]
default_ca = CA
[ CA ]
# Where OpenSSL stores information
dir = . # Where everything is kept
certs = $dir # Where the issued certs are kept
crldir = $dir # Where the issued crl are kept
new_certs_dir = $certs
database = $dir/index
certificate = $certs/rootcrt.pem
private_key = $dir/rootprivkey.pem
crl = $crldir/crl.pem
serial = $dir/serial.txt
RANDFILE = $dir/.rand
# How OpenSSL will display certificate after signing
name_opt = ca_default
cert_opt = ca_default
# How long the CA certificate is valid for
default_days = 3650
# default_startdate = 180517000000Z
# default_enddate = 181231235959Z
# The message digest for self-signing the certificate
# sha1 or sha256 for best compatability, although most
# OpenSSL digest algorithm can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256
# Subjects don't have to be unique in this CA's database
unique_subject = no
# What to do with CSR extensions
copy_extensions = copy
# Rules on mandatory or optional DN components
policy = simple_policy
# Extensions added while singing with the `openssl ca` command
x509_extensions = x509_ext
[ simple_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
domainComponent = optional
emailAddress = optional
name = optional
surname = optional
givenName = optional
dnQualifier = optional
[ x509_ext ]
# These extensions are for a CA certificate
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:TRUE
# basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
使OpenSSL作为CA运行时需要两个文件:
touch index
echo 01 > serial.txt
创建 CA 证书请求(使用您的原始证书rootCA.key):
openssl req -new -key rootCA.key -out rootCA.req -nodes -config root_create.cnf
使用以下方式对 CA 证书进行自签名:
openssl ca -out rootCA.pem -keyfile rootCA.key -selfsign -config root_create.cnf -in rootCA.req
您现在将拥有一个 CA 证书 ( rootCA.pem),您可以使用以下命令查看它:
openssl x509 -noout -text -in rootCA.pem
您需要将证书(rootCA.pem)分发给所有依赖方(客户端)的信任锚存储区。
这也是您用于签署服务器证书(CSR)的证书和私钥。
配置证书颁发机构:
创建另一个用于签署 CSR 的 OpenSSL 配置文件,文件名为root_sign.cnf:
# OpenSSL config for CA signing only (not for CA cert generation)
[ ca ]
default_ca = CA
[ CA ]
# Where OpenSSL stores information
dir = . # Where everything is kept
certs = $dir # Where the issued certs are kept
crldir = $dir # Where the issued crl are kept
new_certs_dir = $certs
database = $dir/index
certificate = $certs/rootCA.pem
private_key = $dir/rootCA.key
crl = $crldir/crl.pem
serial = $dir/serial.txt
RANDFILE = $dir/.rand
# How OpenSSL will display certificate after signing
name_opt = ca_default
cert_opt = ca_default
# How long the certificate is valid for
default_days = 365
# default_startdate = 180517000000Z
# default_enddate = 181231235959Z
# The message digest for signing the certificate
# sha1 or sha256 for best compatability, although most
# OpenSSL digest algorithm can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256
# Subjects don't have to be unique in this CA's database
unique_subject = no
# What to do with CSR extensions
copy_extensions = copy
# Rules on mandatory or optional DN components
policy = simple_policy
# Extensions added while singing with the `openssl ca` command
x509_extensions = x509_ext
[ simple_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
domainComponent = optional
emailAddress = optional
name = optional
surname = optional
givenName = optional
dnQualifier = optional
[ x509_ext ]
#Default extensions
# These extensions are for an end-entity certificate
# Extensions added when using the `openssl ca` command.
# This section is pointed to by `x509_extensions` above.
# These will override any requested extensions in the CSR:
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
操作认证机构:
使用以下方式签署您的 CSR:
openssl ca -in BossInsight.req -cert rootCA.pem -keyfile rootCA.key -out BossInsight.pem -config root_sign.cnf
使用以下方式查看您的新证书:
openssl x509 -noout -text -in BossInsight.pem
如果您正确遵循所有操作,您的证书将是带有主题备用名称扩展的版本 3。
您可以使用任何向您展示的 CSR 重复这最后一部分。
答案2
作为研究后的参考,以防有人正在寻找自签名证书。
- 使用以下命令创建密钥(考虑使用密码保护)
- #openssl genrsa -aes128 -out fd.key 2048
- 创建证书签名请求 (CSR)
- #openssl req-new-key fd.key-out fd.csr
- 将扩展信息放在单独的文本文件中。我将其命名为 fd.ext
- #touch fd.ext
- #nano fd.ext
添加以下行:
- subjectAltName = DNS:*.yourdomain.com, yourdomain.com
- 然后,在使用 x509 命令颁发证书时,使用 -extfile 开关引用该文件:
- #openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd.crt -extfile fd.ext
笔记
- 为了保护密钥,请在此过程中考虑密码问题
- 在重新加载 apache2 之前启动以下命令
- #systemd-tty-询问密码代理
- 输入以前的密码
- 重新加载 apache2 服务
感谢作者 Ivan Ristićhttps://www.feistyduck.com/books/openssl-cookbook/
答案3
你能告诉我你是如何创建以下文件的 BossInsight.req