Firefox does not accept a self-signed wildcard certificate

I am using a self-signed wildcard certificate. It is issued by our own CA, and the CA root certificate is installed in Firefox.

Chrome accepts it, but Firefox does not:

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for test.ds-1804lts-02.ds.lan. The certificate is only valid for the following names: *.ds-1804lts-02, *.ds-1804lts-02.ds.lan

Error code: SSL_ERROR_BAD_CERT_DOMAIN

As you can see, the hostname matches the wildcard definition.

The certificate looks like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            45:d9:dd:d0:7c:7d:dc:2d:08:ac:03:57:c6:9a:e7:74:ed:6b:22:10
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, ST = Solothurn, L = Solothurn, O = Dynasoft AG, CN = dynasoft.ch, emailAddress = [email protected]
        Validity
            Not Before: Dec  2 10:07:25 2020 GMT
            Not After : Dec 20 10:07:25 2088 GMT
        Subject: C = CH, ST = Solothurn, L = Solothurn, O = Dynasoft AG, CN = *.ds-1804lts-02.ds.lan
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9c:5c:64:47:86:e4:0b:46:86:82:b9:89:8a:d4:
                    01:ec:e1:25:6d:49:5d:ae:61:35:02:b9:e3:18:a6:
                    13:0b:32:73:40:c9:91:ba:9b:9a:80:63:46:42:54:
                    84:37:14:38:38:da:e9:73:4e:34:03:78:ca:4f:58:
                    54:12:bb:be:e7:f1:da:dc:fb:a0:9c:9b:71:8f:e0:
                    d7:fd:b9:d2:da:5e:5c:1e:b7:f4:e2:b2:43:5e:62:
                    2d:96:d5:cb:87:ae:28:b5:a1:ce:bc:e7:81:f0:1b:
                    aa:26:9c:65:eb:8e:3e:56:d4:3a:13:28:5c:c6:52:
                    d2:e9:22:c8:97:5a:d8:ec:c1:ed:f8:cf:2a:39:fe:
                    e8:1a:b1:5b:02:ae:0a:cf:73:6d:39:9c:5f:7d:2d:
                    bf:99:3e:41:1d:5d:51:18:eb:d5:d8:74:25:68:87:
                    bc:d7:ed:d8:8d:04:87:51:a5:9d:ff:91:c1:25:3c:
                    ea:bb:a0:75:d9:e5:12:56:1b:90:f2:51:3e:07:c7:
                    18:23:83:34:4e:81:7d:b4:98:3e:14:5d:59:ae:80:
                    f8:73:4a:69:7c:25:90:3a:5b:34:5f:bd:cd:56:2f:
                    1b:9f:47:49:d5:1b:d4:1d:6b:b1:52:99:30:52:6c:
                    13:c1:cf:db:10:67:05:26:3a:a8:33:9e:61:0e:09:
                    5b:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:CD:83:3D:FB:E3:9A:14:7F:28:51:10:D3:D1:C8:2A:38:B6:C7:E7:92

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:*.ds-1804lts-02, DNS:*.ds-1804lts-02.ds.lan
    Signature Algorithm: sha256WithRSAEncryption
         34:63:b6:9f:bd:1d:3d:a6:bd:a3:9b:29:6c:7c:10:f7:7e:b6:
         e0:81:7b:fa:f3:82:09:ef:92:40:f3:3d:b0:cb:1d:2b:da:e4:
         a0:b8:d8:26:3b:7c:57:f1:6c:8f:77:85:cd:22:6b:3a:b7:1e:
         07:6c:e3:f5:ce:6a:61:dd:63:fa:e2:f1:5b:39:f6:94:42:54:
         cb:4e:04:a1:bc:ac:11:ef:d0:64:29:47:cd:39:9d:28:a8:d6:
         d0:6e:8a:8f:32:5a:ed:7c:fd:c3:d5:c8:cc:4a:81:e0:a5:36:
         01:b2:cf:51:6d:0b:f6:e6:87:2d:ee:b0:01:1d:a9:f9:d9:bf:
         19:b9:12:e6:51:50:1a:ee:3b:07:b3:fd:c1:c9:c4:60:5c:32:
         77:f7:0b:52:b2:22:05:3a:ed:f2:25:3d:ab:ff:6e:1d:70:f0:
         c6:59:60:75:0b:43:8f:85:93:61:8b:da:cb:22:61:25:bc:30:
         93:3f:1c:88:31:ed:0e:a8:a2:1f:b2:2b:24:cb:e1:27:42:ff:
         e0:03:82:0f:f1:1a:75:e9:d4:d4:08:a9:cc:49:36:40:fc:d3:
         bc:03:3a:6a:37:de:02:e1:58:b2:d0:16:13:b8:c0:86:f0:36:
         0a:31:a2:5b:93:9c:24:81:6e:65:7d:fb:cb:cc:c3:be:07:c7:
         80:60:3d:9b

This is the URL I am trying to open in Firefox: https://test.ds-1804lts-02.ds.lan/

openssl s_client -connect test.ds-1804lts-02.ds.lan:443 -CAfile dynasoftCA.pem

returns

CONNECTED(00000005)
depth=1 C = CH, ST = Solothurn, L = Solothurn, O = Dynasoft AG, CN = dynasoft.ch, emailAddress = [email protected]
verify return:1
depth=0 C = CH, ST = Solothurn, L = Solothurn, O = Dynasoft AG, CN = *.ds-1804lts-02.ds.lan
verify return:1
---
Certificate chain
 0 s:C = CH, ST = Solothurn, L = Solothurn, O = Dynasoft AG, CN = *.ds-1804lts-02.ds.lan
   i:C = CH, ST = Solothurn, L = Solothurn, O = Dynasoft AG, CN = dynasoft.ch, emailAddress = [email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = CH, ST = Solothurn, L = Solothurn, O = Dynasoft AG, CN = *.ds-1804lts-02.ds.lan

issuer=C = CH, ST = Solothurn, L = Solothurn, O = Dynasoft AG, CN = dynasoft.ch, emailAddress = [email protected]

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1569 bytes and written 407 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 48278139A0F25DA8EC04BC794ACAAD2A9202530356AF0FC9EB0F354BB4B683C2
    Session-ID-ctx:
    Resumption PSK: B1DC07B6C36224970A02EFF051E893A1C7DDE55904DBE77F87148A44228DB0CF79AAA2C5A5B14E59A0F2E67AB4F994B6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - dd fe 2c d0 f7 75 0e 70-50 f0 ab 95 c7 a4 44 14   ..,..u.pP.....D.
    0010 - f4 19 71 68 84 61 cb 4f-87 b9 3e 0e d6 9d 8f 2f   ..qh.a.O..>..../
    0020 - 7e f4 cb aa 93 26 31 6d-5e 01 d8 3d 4e 29 dd 34   ~....&1m^..=N).4
    0030 - 98 a7 78 1e d2 ef 3d bd-f8 74 d0 02 2e a5 2d ac   ..x...=..t....-.
    0040 - 74 8a 54 99 58 09 d5 1e-d2 9c 43 b7 cd dc ce d9   t.T.X.....C.....
    0050 - 38 54 a5 78 73 71 37 5c-14 92 14 0d b9 63 14 07   8T.xsq7\.....c..
    0060 - 1d c5 9e a2 a2 24 0c 3a-19 1f 94 c5 e0 ce f0 a2   .....$.:........
    0070 - 76 21 d4 0d 99 54 0c 76-5b 33 14 c2 6f 23 c2 9b   v!...T.v[3..o#..
    0080 - 3b                                                ;

    Start Time: 1606920412
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
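An added example, not part of the question and not Firefox's or NSS's code: it reproduces the RFC 6125 section 6.4.3 host-name matching a browser performs against the two SAN entries and the hostname quoted above, and also runs the well-formedness checks browsers apply to wildcard names. The rule implementation is mine and an assumption about common browser behaviour; the SAN list and hostname are taken from the question.

```python
"""Match a TLS hostname against a certificate's dNSName SAN entries the way
RFC 6125 describes, and lint each presented name the way strict browser
verifiers do. Added example; not code from the question or from Firefox."""
import re

# SAN entries and hostname copied from the question.
SAN_DNS = ["*.ds-1804lts-02", "*.ds-1804lts-02.ds.lan"]
HOSTNAME = "test.ds-1804lts-02.ds.lan"

LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def presented_id_problems(name: str) -> list[str]:
    """Return reasons a strict verifier would reject this dNSName (empty = OK)."""
    problems = []
    labels = name.lower().rstrip(".").split(".")
    if "*" in name:
        if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]):
            problems.append("wildcard must be the entire left-most label")
        # Browsers such as Chrome and Firefox refuse a wildcard that is followed
        # by fewer than two labels, e.g. "*.com" or "*.ds-1804lts-02".
        if len(labels) - 1 < 2:
            problems.append("wildcard must be followed by at least two labels")
    for lbl in (labels[1:] if labels[0] == "*" else labels):
        if not LABEL_RE.match(lbl):
            problems.append(f"label {lbl!r} is not a valid DNS label")
    return problems


def dns_id_matches(presented: str, reference: str) -> bool:
    """'*' matches exactly one whole left-most label; comparison is case-insensitive."""
    if presented_id_problems(presented):
        return False  # a malformed presented ID never matches
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if p[0] == "*":
        return len(p) == len(r) and p[1:] == r[1:]
    return p == r


def check_hostname(hostname: str, san_dns: list[str]) -> dict:
    """Summarise which SAN entries match the hostname and which are malformed."""
    return {
        "matches": [n for n in san_dns if dns_id_matches(n, hostname)],
        "malformed": {n: presented_id_problems(n) for n in san_dns
                      if presented_id_problems(n)},
    }


if __name__ == "__main__":
    print(check_hostname(HOSTNAME, SAN_DNS))
```

Run against the question's data, the second SAN entry matches the hostname under plain RFC 6125 rules, while the lint reports the single-label wildcard `*.ds-1804lts-02`, a form browsers treat as malformed.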
