Windows 中自签名 CA 的 NET::ERR_CERT_AUTHORITY_INVALID

tag-icon tag-icon windows ssl-certificate https openssl certificate-authority
Windows 中自签名 CA 的 NET::ERR_CERT_AUTHORITY_INVALID

我使用自己用 Java 开发的系统创建了一个(自签名)根证书并签署了一个 Web 服务器证书(该 Web 证书用于 Apache 2.4.41)。

证书在 Linux 和 Mac 上均可正常运行(已在不同的 Webkit 浏览器和 Firefox 中测试)。证书和服务器设置得分A+使用测试sl.sh

CA 证书已正确安装且没有任何警告,但在 Windows 中未被接受(仍然显示红色三角形警告和错误NET::ERR_CERT_AUTHORITY_INVALID)(使用 2 台 Windows 10 设备进行测试,其中一台是全新安装的)。在 Chrome、Edge 和 Firefox 中进行了测试。

我尝试了很多方法:

  • certlm.msc使用、、或双击文件certutil.exe来安装它们settings
  • 本地或用户范围
  • 使用不同的设置重新生成根证书
  • 更改 Apache 设置
  • 重新启动浏览器和电脑
  • 停止防病毒软件

我已经阅读了该网站中的相关问题(似乎都没有解决该问题)并且我也在其他网站上寻找解决方案,但没有成功。

这是一个伪造的由同一系统生成的 CA 证书(使用相同的设置,但为了减小本文的大小,此处的密钥长度为 1024):

密钥和证书:

-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAJg/x+BCM0xGDiaC
qc5h+83wrjZ/HVxaZ7GHK7g/sca4fvF1KQuADqx+iDfehxNpZ5hCjmAsgBgWkIbc
E0Md/C6srSRWS4/EeoAPRgFJK2k5SNC0L1QII0DKc0xS7y9CRqcoPFWUt7ncUeuw
RZGmDMYbNiqcamgjCWfnIPRB7kgVAgMBAAECgYBD4FuaDamVHb59SM+vpVt/ywfA
YBeU7vE/4oWJVUxKzkI6IAO2jtb77EWKsvkBnIKFDVcwZWaOVrEEjuU/jQS6jvRU
Ozwbvo4o9UhkxzEhNuREE7d0cs3RSzWBJ1u5PMYT8G7GXsIP22HgRD2XP86VBfSf
TWAqKcfNWpNFtlA/wQJBAPAPULdIEvfO2e3VDNB/5Li50Et7jd8fzBU9B7U0Axus
keuS3oer+zeA2nXinfd7rwFEyZN3tSUsU/8oQwlOzCkCQQCiW84xVNccCPcucwWu
2nEagbFcYyouh/Ml5fR00uBgA8K27y8NHLgzNuqob1zqW7TgsmgCYaTnPbol0t/I
29oNAkEAviQTVaiTxY4klTmL1dWHDz22GyN44sLnvebCJSdWUuQkDAgflCyHZZX8
8ySU5EImAoY+dzx40UHEIjT8q/GqyQJAXZMkB/Kp+BKCxFau09Q6k9hj7KeKzD62
uQUMG7jecPg55U19hMUktP/VxzZICxrH6SlqINU+Qbil7N7Y898ikQJAacFKaTdU
2VmKAT1WaO6DPNmwhJ72a4cTAol9y79CFndjrTtGSENJwseqTgPTr+LtRBq3S+nZ
r5a1qsB0bzNGvg==
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIIC1zCCAkCgAwIBAgIIX2TQo7pcNcQwDQYJKoZIhvcNAQELBQAwgYsxFzAVBgNV
BAMMDkZha2UgQXV0aG9yaXR5MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJ
BgNVBAcMAkxBMRQwEgYDVQQKDAtFeGFtcGxlIExURDENMAsGA1UECwwETm9uZTEk
MCIGCSqGSIb3DQEJARYVd2VibWFzdGVyQGV4YW1wbGUuY29tMB4XDTIxMTExMDIx
MDY1M1oXDTIyMTExMDE1MDAwMFowgYsxFzAVBgNVBAMMDkZha2UgQXV0aG9yaXR5
MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJBgNVBAcMAkxBMRQwEgYDVQQK
DAtFeGFtcGxlIExURDENMAsGA1UECwwETm9uZTEkMCIGCSqGSIb3DQEJARYVd2Vi
bWFzdGVyQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCY
P8fgQjNMRg4mgqnOYfvN8K42fx1cWmexhyu4P7HGuH7xdSkLgA6sfog33ocTaWeY
Qo5gLIAYFpCG3BNDHfwurK0kVkuPxHqAD0YBSStpOUjQtC9UCCNAynNMUu8vQkan
KDxVlLe53FHrsEWRpgzGGzYqnGpoIwln5yD0Qe5IFQIDAQABo0IwQDAPBgNVHRMB
Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQURaB83qfjI0wv+tvJ
myfInKagSgswDQYJKoZIhvcNAQELBQADgYEAYQ2PvvfQSe9WtG6peJ4B52bG1Mzs
U+jE9xc4oWEfvekkpjOkZ4dbk89gBVeAZsSxdffcQfFPyRKE9vubYrd9xuemUAGE
51ZyMqJWMawFRxtXdV1e6a1OTH1qKks61obwtRuRBOweoUW4KrOSgCLB3VhmXKVe
YJiVhpvJCxzi/MI=
-----END CERTIFICATE-----

CA 摘要

Version: 3
         SerialNumber: 6873848332899071428
             IssuerDN: CN=Fake Authority,C=US,ST=CA,L=LA,O=Example LTD,OU=None,[email protected]
           Start Date: Thu Nov 11 06:06:53 JST 2021
           Final Date: Fri Nov 11 00:00:00 JST 2022
            SubjectDN: CN=Fake Authority,C=US,ST=CA,L=LA,O=Example LTD,OU=None,[email protected]
           Public Key: RSA Public Key [b8:07:ef:1f:8e:91:c0:ab:12:db:38:3f:76:e7:0a:7f:21:9d:fe:49],[56:66:d1:a4]
        modulus: 983fc7e042334c460e2682a9ce61fbcdf0ae367f1d5c5a67b1872bb83fb1c6b87ef175290b800eac7e8837de8713696798428e602c8018169086dc13431dfc2eacad24564b8fc47a800f4601492b693948d0b42f54082340ca734c52ef2f4246a7283c5594b7b9dc51ebb04591a60cc61b362a9c6a68230967e720f441ee4815
public exponent: 10001

  Signature Algorithm: SHA256WITHRSA
            Signature: 610d8fbef7d049ef56b46ea9789e01e766c6d4cc
                       ec53e8c4f71738a1611fbde924a633a467875b93
                       cf6005578066c4b175f7dc41f14fc91284f6fb9b
                       62b77dc6e7a6500184e7567232a25631ac05471b
                       57755d5ee9ad4e4c7d6a2a4b3ad686f0b51b9104
                       ec1ea145b82ab3928022c1dd58665ca55e609895
                       869bc90b1ce2fcc2
       Extensions: 
                       critical(true) BasicConstraints: isCa(true)
                       critical(true) KeyUsage: 0x6
                       critical(false) 2.5.29.14 value = DER

服务器证书

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCMzMPwSTHQTaxu
rtfnFFVXLXnDOkolG2iuA4H7KkPrizZ24vloFCU353wsT2YVJ9ykIw+Y58vXqEw8
QjlhOHMRMetWeaEMH562uhakb8S+KArQN7SZh9vw7TF7OwiCIg/sWcle87j9ETSn
NtZ4M0HMQ+s+AOX0jDLDWAW08wXk0hXAOHMvaaqnC3NoI94/joQoElctaCpUhrov
kmmDIrJHufplUtMdJrqkzhrUfzKHkslTBLeTHAHHgNdX45JjYibZlqVY3rLns9NI
DIN199ciAnJpqSlvp65SMLJUMFFp2kWK0/S8gnTo41QjcGMBNYR4KiGAPmZPzjaR
QFw9G8mdAgMBAAECggEAWUQhHaBqMpRsNCgpvdmIWaL9RacZBvmfnmOe7uxW72jt
eOZiFXhgOFdMxJL6N4N0QaPw6ZJcDDgpTTL3SgoN+eLaP5MRZaxOZa8JV+t8osqk
QGpw173o1ZCsBGLi/A44ZjJulwKST++uoC0GQGLO3oBZDpBnOmoAbRTLWXOSUwVe
pFyWB/5VYtBKAaTwd8MmoNuTCL9o1CGutBHsaUCglnHv/Z2Ar7JLJaiDPEu2/kSe
H/5YroI6L1FF8X0TsCpcxOiMOW/eFzW6TDrbo/kggHRnVRGjoM+rPr8E7nKYlNks
whQI2aA2pcazWoBBwzYyscD7jXQJfKNNZQ3pun1aQQKBgQDzBeanFuzZmYcVjfq3
QmWydKIIMyn+FuqiXhP1Hs9sRcsFS+FfG4RfZJXJNpJ+4NaAOgTyvofpmZ0g6M6a
M5heae+Hhl/942xzcUqpiK3pJ0YaRy/aluo33O6tyDXAmvPqLBkJO0EfOneBHaAe
KjVm3vK8xvf+fpE022rm36AU+QKBgQCUUXwDAEvWpwhlrWlzT2b1iONKWsZNV3vd
Uy83zqZXJ2P+biaz9xFaNCiKXo5ziZU1XZVPg8+rYv2R3kxtAjgjNUwxr6vF/ZBs
2gpLy0YhoCjk/xcIIAFldna/a7vTUPDSNn4HWxkjEqgMu+GEzyngjZkm8sY7v3bi
oXgPtuBWxQKBgQDkzVt5WQYpYHhj/MZdn2+r8k9TNQiGJwFFWRmlIBrdr2ATXnuT
VY7tWQAE7xJBzmFlXDqoaGYBsxTSlR1e5NDBoy9XA1aA7IuArNtEfmBuMQG5X+hX
/toJOkKk7uhcrAaVJGt124nWYu98am4DuG2KqsESpql5u6Puhd5B+6z10QKBgCT1
hSyOR1eu+dW0d8GHOMXYnaLqqd2d/jyxvONwOF0hcLZ3JmfUGlvbAXsxgtfhoe/R
aSKOWxJ/MWbG+U50rh5/6oO7HdfRjsrBLq2ictBwQ6CEvG2G5DIvafnbU8udsNUB
RTh6B/KIdJ3vt4vLv8i4IEDnYGSFGo/w4qUv0gltAoGACLthSVxyNdZCX/21WRdq
THzdUqV39gkaNVJdT10UQzhzMZSBchoiSDSNha33XEwJqr3UivAuYeAqTeRI6jdr
7BBjXjQ0d3OhtgwqL2AHHzudzYhvSoUmPgfJ1YWeJvUVzGDowz5z6HEjc637GZU4
+ph1ewJMz75BlRZjT7kfi5o=
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIIDvTCCAyagAwIBAgIIXETyGvtei7MwDQYJKoZIhvcNAQELBQAwgYsxFzAVBgNV
BAMMDkZha2UgQXV0aG9yaXR5MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJ
BgNVBAcMAkxBMRQwEgYDVQQKDAtFeGFtcGxlIExURDENMAsGA1UECwwETm9uZTEk
MCIGCSqGSIb3DQEJARYVd2VibWFzdGVyQGV4YW1wbGUuY29tMB4XDTIxMTExMDIx
MDgzN1oXDTIyMTExMDE1MDAwMFowgYgxGTAXBgNVBAMMEGZha2UuZXhhbXBsZS5j
b20xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCTEExFDASBgNV
BAoMC0V4YW1wbGUgTFREMQ0wCwYDVQQLDAROb25lMR8wHQYJKoZIhvcNAQkBFhBm
YWtlQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
jMzD8Ekx0E2sbq7X5xRVVy15wzpKJRtorgOB+ypD64s2duL5aBQlN+d8LE9mFSfc
pCMPmOfL16hMPEI5YThzETHrVnmhDB+etroWpG/EvigK0De0mYfb8O0xezsIgiIP
7FnJXvO4/RE0pzbWeDNBzEPrPgDl9Iwyw1gFtPMF5NIVwDhzL2mqpwtzaCPeP46E
KBJXLWgqVIa6L5JpgyKyR7n6ZVLTHSa6pM4a1H8yh5LJUwS3kxwBx4DXV+OSY2Im
2ZalWN6y57PTSAyDdffXIgJyaakpb6euUjCyVDBRadpFitP0vIJ06ONUI3BjATWE
eCohgD5mT842kUBcPRvJnQIDAQABo4GmMIGjMAwGA1UdEwEB/wQCMAAwHwYDVR0j
BBgwFoAUx90O8ddg/Fo/lTlIjapK58YMBCEwDgYDVR0PAQH/BAQDAgOoMEMGA1Ud
EQQ8MDqBEGZha2VAZXhhbXBsZS5jb22CEGZha2UuZXhhbXBsZS5jb22CFHd3dy5m
YWtlLmV4YW1wbGUuY29tMB0GA1UdDgQWBBTH3Q7x12D8Wj+VOUiNqkrnxgwEITAN
BgkqhkiG9w0BAQsFAAOBgQCI3Ri0d6W6ETohRaGKLSqH5SDf//g0C9t2rp2ox8po
BjuAMlPHtRn6bfMC6xIsqznjDYZSni2YEMf6YBLivimbo9rYC18E/I5u5KsqvIa+
ze5VZd5U7O8+4+8Uaf+R/Re4gdf7eJ3j02iP4d8wKevfUfD8Vcuddx9mrWqluCEZ
KQ==
-----END CERTIFICATE-----

证书摘要

Version: 3
         SerialNumber: 6648705147606043571
             IssuerDN: CN=Fake Authority,C=US,ST=CA,L=LA,O=Example LTD,OU=None,[email protected]
           Start Date: Thu Nov 11 06:08:37 JST 2021
           Final Date: Fri Nov 11 00:00:00 JST 2022
            SubjectDN: CN=fake.example.com,C=US,ST=CA,L=LA,O=Example LTD,OU=None,[email protected]
           Public Key: RSA Public Key [2e:cd:8e:16:02:6f:b3:27:16:01:21:cb:1a:2b:9b:27:18:71:86:87],[56:66:d1:a4]
        modulus: 8cccc3f04931d04dac6eaed7e71455572d79c33a4a251b68ae0381fb2a43eb8b3676e2f968142537e77c2c4f661527dca4230f98e7cbd7a84c3c42396138731131eb5679a10c1f9eb6ba16a46fc4be280ad037b49987dbf0ed317b3b0882220fec59c95ef3b8fd1134a736d6783341cc43eb3e00e5f48c32c35805b4f305e4d215c038732f69aaa70b736823de3f8e842812572d682a5486ba2f92698322b247b9fa6552d31d26baa4ce1ad47f328792c95304b7931c01c780d757e392636226d996a558deb2e7b3d3480c8375f7d722027269a9296fa7ae5230b254305169da458ad3f4bc8274e8e354237063013584782a21803e664fce3691405c3d1bc99d
public exponent: 10001

  Signature Algorithm: SHA256WITHRSA
            Signature: 88dd18b477a5ba113a2145a18a2d2a87e520dfff
                       f8340bdb76ae9da8c7ca68063b803253c7b519fa
                       6df302eb122cab39e30d86529e2d9810c7fa6012
                       e2be299ba3dad80b5f04fc8e6ee4ab2abc86becd
                       ee5565de54ecef3ee3ef1469ff91fd17b881d7fb
                       789de3d3688fe1df3029ebdf51f0fc55cb9d771f
                       66ad6aa5b8211929
       Extensions: 
                       critical(true) BasicConstraints: isCa(false)
                       critical(false) 2.5.29.35 value = Sequence
    Tagged [0] IMPLICIT 
        DER Octet String[20] 

                       critical(true) KeyUsage: 0xa8
                       critical(false) 2.5.29.17 value = Sequence
    Tagged [1] IMPLICIT 
        DER Octet String[16] 
    Tagged [2] IMPLICIT 
        DER Octet String[16] 
    Tagged [2] IMPLICIT 
        DER Octet String[20] 

                       critical(false) 2.5.29.14 value = DER

我的设置有什么问题?

答案1

问题中发布的证书有两个问题:

  1. 两个证书都使用一个共享密钥。由于证书应将密钥与其所有者(主体)绑定,因此对两个主体使用一个密钥确实毫无意义。
  2. 因此,两个证书中的主题密钥标识符和权威密钥标识符哈希是相同的。

请注意,最终实体证书中还有一个相当复杂的授权密钥标识符。通常这里只包含哈希值,直接从颁发 CA 证书的主题密钥标识符复制而来。也就是说,省略目录和序列条目。您拥有的可能有效,但为什么要冒这个险呢?

答案2

由您自己的虚构证书颁发机构签名的证书始终会抛出错误,因为您的系统不信任该 CA。要获得绿色锁,您必须将证书颁发机构的自签名证书添加到机器上受信任的根证书颁发机构存储中。

即使您在自己的机器上信任虚构的 CA,互联网上的其他机器也不会信任该 CA 签名的证书。如果您希望其他机器信任您的证书,您必须向合法的证书颁发机构付费,让他们为您签名证书。

如果您的 CA 已在受信任的根 CA 中正确安装,并且您的实际密钥长度为 1024,则它可能太弱而无法信任。尝试使用至少 2048 的长度重新生成它,因为浏览器时不时会弃用较短的密钥长度。

相关内容