I tried to generate my own CA with a TLS server certificate. In Firefox I had no problems either; after importing the root certificate, the certificate was accepted. But after importing the root certificate into iOS and opening the website, I get the message "connection failed".
I set the validity period, added req_cert_extensions and a v3_req section, added an intermediate CA, paid attention to cipher algorithms and key lengths, but I don't know what iOS dislikes about my certificate.
The root's public certificate was added as trusted in iOS via a configuration profile. Since that did not work, I even added the intermediate certificate and the certificate itself as trusted profiles. I also tried adding the whole chain as an iOS profile.
This is the server certificate:
[tsu@localhost knas]$ openssl x509 -noout -text -in 20201109_knas_crt.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0e:bc:6e:2f:a4:b8:9d:80:1b:96:e7:45:54:2d:4d:6a:99:00:0f:7b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = Saarland, O = Thomas Sulz private, OU = intermediate, CN = intermediate.wodarz.name, emailAddress = [email protected]
        Validity
            Not Before: Nov  9 20:04:41 2020 GMT
            Not After : Sep  5 20:04:41 2021 GMT
        Subject: C = DE, ST = Saarland, L = Saarbruecken, O = Thomas Sulz private, OU = knas, CN = knas.spdns.org, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:ea:40:50:bd:f3:5f:f5:1d:66:8b:c1:01:a0:cd:
                    ...
                    ce:a0:be:8b:77:88:96:e0:0a:d1:8e:7d:58:c4:8b:
                    55:0f:b7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                CE:1D:6A:CE:4C:B5:F9:DF:ED:1B:57:EF:FF:2D:3D:8C:C2:83:B3:46
            X509v3 Authority Key Identifier:
                keyid:5C:E8:02:D9:44:27:66:20:E2:61:B6:D5:47:46:6B:15:A7:6D:70:C1
                DirName:/C=DE/ST=Saarland/L=Saarbruecken/O=Thomas Sulz private/OU=root/CN=root.thsulz.de/[email protected]
                serial:01
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:knas.spdns.org, DNS:tsulz81.synology.me, IP Address:192.168.1.20, IP Address:192.168.1.21
    Signature Algorithm: sha256WithRSAEncryption
         0e:c4:ba:de:22:1c:4a:13:e7:5c:7f:f2:4b:d1:ff:63:41:7f:
         ...
         3e:ac:a0:4f:61:7b:b5:2d
This is the intermediate certificate:
[tsu@localhost intermediate]$ openssl x509 -noout -text -in 20201109_tsulz_intermediate_crt.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = Saarland, L = Saarbruecken, O = Thomas Sulz private, OU = root, CN = root.tsulz.de, emailAddress = [email protected]
        Validity
            Not Before: Nov  9 19:30:32 2020 GMT
            Not After : Nov  7 19:30:32 2030 GMT
        Subject: C = DE, ST = Saarland, O = Thomas Sulz private, OU = intermediate, CN = intermediate.tsulz.de, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:d7:20:3b:a5:06:df:16:ce:8f:d7:a9:b6:07:5a:
                    83:36:3d:87:74:30:b7:80:1e:b1:46:4f:08:cf:c8:
                    09:30:fd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5C:E8:02:D9:44:27:66:20:E2:61:B6:D5:47:46:6B:15:A7:6D:70:C1
            X509v3 Authority Key Identifier:
                keyid:5E:DE:69:96:9A:33:AC:3D:13:55:4E:FD:5B:AD:30:A8:7D:06:94:94
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         05:58:75:ce:40:6f:86:37:de:e1:b7:f1:5d:2d:17:82:c7:e8:
         1a:8e:52:01:6c:b5:91:c7
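Before suspecting the device, a useful pre-flight check is to confirm the leaf certificate satisfies Apple's published requirements for TLS server certificates on iOS 13 and later (SHA-2 signature, RSA key of at least 2048 bits, serverAuth EKU, the hostname in the SAN, validity of at most 825 days for certificates issued after 1 July 2019). The stdlib-only Python checker below is an added example, not part of the original post: it parses an `openssl x509 -noout -text` dump like the ones above; the embedded dump is a constructed sample modelled on the server certificate, and the hostname and CN are assumed values.

```python
"""Check an `openssl x509 -text` dump against Apple's iOS 13+ leaf-cert rules."""
import re
from datetime import datetime

MAX_VALIDITY_DAYS = 825  # Apple's cap for leaf certificates issued after 1 July 2019

# Constructed sample, shaped like the `openssl x509 -noout -text` output of the post
SAMPLE_DUMP = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Nov  9 20:04:41 2020 GMT
            Not After : Sep  5 20:04:41 2021 GMT
        Subject: C = DE, O = Example private, CN = knas.example.invalid
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:knas.example.invalid, IP Address:192.168.1.20
"""

def parse_time(text):
    # openssl pads single-digit days with two spaces; collapse whitespace first
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")

def check_leaf(dump, hostname):
    """Return {check_name: passed} for the rules iOS applies to a server cert."""
    results = {}
    sig = re.search(r"Signature Algorithm: (\S+)", dump)
    results["sha2_signature"] = bool(sig) and sig.group(1).lower().startswith(("sha256", "sha384", "sha512"))
    key = re.search(r"RSA Public-Key: \((\d+) bit\)", dump)
    results["rsa_key_ge_2048"] = bool(key) and int(key.group(1)) >= 2048
    nb = re.search(r"Not Before\s*:\s*(.+)", dump)
    na = re.search(r"Not After\s*:\s*(.+)", dump)
    days = (parse_time(na.group(1)) - parse_time(nb.group(1))).days if nb and na else None
    results["validity_le_825_days"] = days is not None and days <= MAX_VALIDITY_DAYS
    results["server_auth_eku"] = "TLS Web Server Authentication" in dump
    san = re.search(r"Subject Alternative Name:\s+(.+)", dump)
    names = [entry.split(":", 1)[1] for entry in san.group(1).split(", ")] if san else []
    results["hostname_in_san"] = hostname in names  # a CN alone is no longer accepted
    results["not_a_ca"] = "CA:FALSE" in dump
    return results

def failed_checks(dump, hostname):
    """Names of the checks that fail; an empty list means the dump passes all rules."""
    return [name for name, ok in check_leaf(dump, hostname).items() if not ok]

if __name__ == "__main__":
    print(failed_checks(SAMPLE_DUMP, "knas.example.invalid"))
```

Running it against a dump of the real server certificate (with its own hostname) is enough to rule the leaf out; a 10-year validity, such as the intermediate's, would fail `validity_le_825_days` on a leaf.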
Answer 1
I got it working now. I had 3 approaches, and this question was the result of my third approach.
In the end I imported the root certificate as an iOS profile, but I forgot to trust it. For that I need to go to Settings -> General -> About -> Certificate Trust Settings (the last entry) and enable my root certificate there.