Why is my signed certificate not accepted by iOS (it works in Firefox)?

I tried to generate my own CA with a TLS server certificate. In Firefox I had no problems: after importing the root certificate, the certificate is accepted. But after importing the root certificate into iOS and opening the website, I get the message "connection failed".

I set the validity period, added the req_cert_extensions and v3_req sections, added an intermediate CA, and paid attention to the cipher algorithms and key length, but I don't know what iOS objects to in my certificate.

The root's public certificate was added as trusted in iOS via a profile. Since that didn't work, I even added the intermediate certificate and the certificate itself as trusted profiles. I also tried adding the whole chain as an iOS profile.

This is the server certificate:

[tsu@localhost knas]$ openssl x509 -noout -text -in 20201109_knas_crt.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0e:bc:6e:2f:a4:b8:9d:80:1b:96:e7:45:54:2d:4d:6a:99:00:0f:7b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = Saarland, O = Thomas Sulz private, OU = intermediate, CN = intermediate.wodarz.name, emailAddress = [email protected]
        Validity
            Not Before: Nov  9 20:04:41 2020 GMT
            Not After : Sep  5 20:04:41 2021 GMT
        Subject: C = DE, ST = Saarland, L = Saarbruecken, O = Thomas Sulz private, OU = knas, CN = knas.spdns.org, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:ea:40:50:bd:f3:5f:f5:1d:66:8b:c1:01:a0:cd:
                    ...
                    ce:a0:be:8b:77:88:96:e0:0a:d1:8e:7d:58:c4:8b:
                    55:0f:b7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                CE:1D:6A:CE:4C:B5:F9:DF:ED:1B:57:EF:FF:2D:3D:8C:C2:83:B3:46
            X509v3 Authority Key Identifier:
                keyid:5C:E8:02:D9:44:27:66:20:E2:61:B6:D5:47:46:6B:15:A7:6D:70:C1
                DirName:/C=DE/ST=Saarland/L=Saarbruecken/O=Thomas Sulz private/OU=root/CN=root.thsulz.de/[email protected]
                serial:01

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:knas.spdns.org, DNS:tsulz81.synology.me, IP Address:192.168.1.20, IP Address:192.168.1.21
    Signature Algorithm: sha256WithRSAEncryption
         0e:c4:ba:de:22:1c:4a:13:e7:5c:7f:f2:4b:d1:ff:63:41:7f:
         ...
         3e:ac:a0:4f:61:7b:b5:2d

This is the intermediate certificate:

[tsu@localhost intermediate]$ openssl x509 -noout -text -in 20201109_tsulz_intermediate_crt.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = Saarland, L = Saarbruecken, O = Thomas Sulz private, OU = root, CN = root.tsulz.de, emailAddress = [email protected]
        Validity
            Not Before: Nov  9 19:30:32 2020 GMT
            Not After : Nov  7 19:30:32 2030 GMT
        Subject: C = DE, ST = Saarland, O = Thomas Sulz private, OU = intermediate, CN = intermediate.tsulz.de, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:d7:20:3b:a5:06:df:16:ce:8f:d7:a9:b6:07:5a:

                    83:36:3d:87:74:30:b7:80:1e:b1:46:4f:08:cf:c8:
                    09:30:fd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5C:E8:02:D9:44:27:66:20:E2:61:B6:D5:47:46:6B:15:A7:6D:70:C1
            X509v3 Authority Key Identifier:
                keyid:5E:DE:69:96:9A:33:AC:3D:13:55:4E:FD:5B:AD:30:A8:7D:06:94:94

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         05:58:75:ce:40:6f:86:37:de:e1:b7:f1:5d:2d:17:82:c7:e8:
         
         1a:8e:52:01:6c:b5:91:c7
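
The question lists the fields the poster adjusted, but not the rules iOS actually applies. As an added example (not code from the question, the answer, or any project), the Python script below parses `openssl x509 -noout -text` output in the layout of the dumps above and reports which of Apple's published requirements for TLS server certificates on iOS 13 and later a leaf certificate violates (RSA key of at least 2048 bits, SHA-2 signature, a DNS name in the Subject Alternative Name, serverAuth in Extended Key Usage, validity of at most 825 days), and whether the Issuer/Subject DNs and key identifiers actually link the leaf to its intermediate. The sample dumps, the `.example.test` names and the key identifiers are constructed placeholders, not real certificates.

```python
import re
from datetime import datetime

# Thresholds from Apple's published requirements for TLS server certificates
# trusted by iOS 13 / macOS 10.15 and later.
MAX_VALIDITY_DAYS = 825
MIN_RSA_BITS = 2048
SHA2_SIG_ALGS = {"sha256WithRSAEncryption", "sha384WithRSAEncryption", "sha512WithRSAEncryption",
                 "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"}


def _field(dump, name):
    """First 'Name: value' line of an 'openssl x509 -text' dump, or None."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(.+?)\s*$", dump, re.M)
    return m.group(1) if m else None


def _extension(dump, name):
    """Value line below an 'X509v3 <name>:' extension header, or None."""
    m = re.search(rf"^\s*{re.escape(name)}:[^\n]*\n\s*(.+?)\s*$", dump, re.M)
    return m.group(1) if m else None


def check_server_cert(dump):
    """List the Apple TLS requirements a leaf certificate dump violates."""
    problems = []
    sig = _field(dump, "Signature Algorithm")
    if sig not in SHA2_SIG_ALGS:
        problems.append(f"signature algorithm {sig!r} is not SHA-2 based")
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", dump)
    if (_field(dump, "Public Key Algorithm") == "rsaEncryption"
            and bits and int(bits.group(1)) < MIN_RSA_BITS):
        problems.append(f"RSA key is {bits.group(1)} bits (minimum {MIN_RSA_BITS})")
    fmt = "%b %d %H:%M:%S %Y GMT"          # e.g. 'Nov  9 20:04:41 2020 GMT'
    days = (datetime.strptime(_field(dump, "Not After"), fmt)
            - datetime.strptime(_field(dump, "Not Before"), fmt)).days
    if days > MAX_VALIDITY_DAYS:
        problems.append(f"validity is {days} days (maximum {MAX_VALIDITY_DAYS})")
    san = _extension(dump, "X509v3 Subject Alternative Name")
    if not san or "DNS:" not in san:
        problems.append("no DNS name in Subject Alternative Name (the CN is ignored)")
    eku = _extension(dump, "X509v3 Extended Key Usage")
    if not eku or "TLS Web Server Authentication" not in eku:
        problems.append("Extended Key Usage lacks serverAuth")
    return problems


def check_chain(dumps):
    """dumps[0] is the leaf, each later entry the issuer of the one before it."""
    problems = []
    for i in range(len(dumps) - 1):
        child, parent = dumps[i], dumps[i + 1]
        if _field(child, "Issuer") != _field(parent, "Subject"):
            problems.append(f"cert {i}: Issuer DN differs from Subject DN of cert {i + 1}")
        aki = _extension(child, "X509v3 Authority Key Identifier")
        ski = _extension(parent, "X509v3 Subject Key Identifier")
        if aki and ski and aki.removeprefix("keyid:") != ski:
            problems.append(f"cert {i}: Authority Key Identifier does not match cert {i + 1}")
    return problems


# Constructed sample dumps in the layout of 'openssl x509 -noout -text';
# names, dates and key identifiers are placeholders, not real certificates.
GOOD_LEAF = """\
Certificate:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, O = Example Private, CN = intermediate.example.test
        Validity
            Not Before: Nov  9 20:04:41 2020 GMT
            Not After : Sep  5 20:04:41 2021 GMT
        Subject: C = DE, O = Example Private, CN = nas.example.test
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:AA:BB:CC:DD
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:nas.example.test, IP Address:192.168.1.20
"""

INTERMEDIATE = """\
Certificate:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, O = Example Private, CN = root.example.test
        Subject: C = DE, O = Example Private, CN = intermediate.example.test
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AA:BB:CC:DD
"""

# The same leaf with three defects: SHA-1 signature, ten-year validity, no SAN.
BAD_LEAF = (GOOD_LEAF
            .replace("sha256WithRSAEncryption", "sha1WithRSAEncryption")
            .replace("Not After : Sep  5 20:04:41 2021", "Not After : Nov  7 19:30:32 2030")
            .replace("            X509v3 Subject Alternative Name:\n"
                     "                DNS:nas.example.test, IP Address:192.168.1.20\n", ""))

if __name__ == "__main__":
    for label, dump in (("good leaf", GOOD_LEAF), ("bad leaf", BAD_LEAF)):
        print(label, "->", check_server_cert(dump) or "meets the requirements")
    print("chain ->", check_chain([GOOD_LEAF, INTERMEDIATE]) or "links correctly")
```

Feed it the text output of `openssl x509 -noout -text -in <cert>` for each certificate in the chain. `check_chain` only compares names and key identifiers; it does not verify signatures, so `openssl verify -CAfile root.pem -untrusted intermediate.pem server.pem` remains the authoritative path check. Even a certificate that passes every check here is only accepted once the root has been enabled on the device, which is a separate step from installing the profile.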

Answer 1

I have it working now. I had 3 approaches, and this question was the result of my third approach.

In the end I had imported the root certificate as an iOS profile but forgot to trust it. To do that I need to go to Settings -> General -> About -> Certificate Trust Settings (the last entry) and enable my root certificate there.
