I have generated a self-signed Root-CA, an Intermediate-CA signed by the Root-CA, and a Server certificate signed by the Intermediate-CA.
The certificates are as follows:
Root-CA -> Intermediate-CA -> Server
Root-CA:
rootca.key
rootca.crt
rootca.crl
Intermediate-CA:
intermediateca.key
intermediateca.crt
intermediateca.crl
Server:
server.key
server.crt
Nginx configuration:
server {
    listen 443 ssl;
    listen [::]:443 ssl;    # nginx parameters are case-sensitive; "SSL" is rejected as an invalid parameter
    server_name www.example.com;
    ssl_certificate /home/user/confs/server+intermediateca.crt;
    ssl_certificate_key /home/user/confs/server.key;
    ssl_ocsp on;            # OCSP validation of *client* certificates (only used with ssl_verify_client)
    ssl_crl /home/user/confs/intermediateca+rootca.crl;   # CRL for verifying *client* certificates
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /home/user/confs/intermediateca+rootca.crt;
}
With this configuration, if I revoke server.crt, the OCSP response shows the certificate as revoked and Firefox displays a revoked-certificate error, but Google Chrome and Microsoft Edge show no warning and I can access the site with the revoked certificate. Why? What is wrong? Google Chrome uses CRLSets; how do I configure this correctly? Can someone help me?
Is there a proper way to configure this so that Google Chrome and Microsoft Edge show a revoked-certificate error? How do I add a revoked certificate to CRLSets?
With the following command I get an error:
openssl verify -extended_crl -crl_check_all -crl_download -CAfile intermediateca+rootca.pem -verbose server.crt
Output:
Unable to load CRL via CDP
40971A29A97F0000:error:1E80006E:HTTP routines:OSSL_HTTP_REQ_CTX_nbio:missing asn1 encoding:../crypto/http/http_client.c:755:
40971A29A97F0000:error:1E800067:HTTP routines:OSSL_HTTP_REQ_CTX_exchange:error receiving:../crypto/http/http_client.c:874:server=http://www.example.com:80
C = BD, ST = Dhaka, O = Example, CN = www.example.com
error 3 at 0 depth lookup: unable to get certificate CRL
error server.crt: verification failed
What is the above error I am getting? How can I fix it?
Thank you for your time.
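An added example, not part of the question or of any answer on this page: it builds the same Root-CA -> Intermediate-CA -> Server chain in a temporary directory with openssl, issues empty CRLs, verifies the server certificate, then revokes server.crt, regenerates the CRLs and verifies again. The revocation check uses a local CRL file via -CRLfile instead of -crl_download, so it never contacts the CDP URL embedded in the certificate. The subjects, file layout, openssl.cnf sections and the CDP URL http://www.example.com/intermediateca.crl are assumptions made for the example.

```shell
#!/bin/sh
# Added example: Root-CA -> Intermediate-CA -> Server with CRLs, checked
# offline with -CRLfile. Requires the openssl CLI (1.1.1 or 3.x).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT=$WORK/rootca
INT=$WORK/intermediateca
SUBJ_BASE="/C=BD/ST=Dhaka/O=Example"   # assumed; mirrors the DN in the question

# Minimal openssl.cnf for one CA directory ($1). [ca] drives openssl ca
# (issue/revoke/gencrl); [req] exists only because openssl req requires a
# distinguished_name section even when -subj is given.
write_cnf() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    echo 1000 > "$1/crlnumber"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
[ any_policy ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# assumed CDP; with -CRLfile, openssl verify never fetches it
crlDistributionPoints = URI:http://www.example.com/intermediateca.crl
EOF
}

# gen_crls OUT: regenerate both CRLs and concatenate them (intermediateca+rootca.crl).
gen_crls() {
    openssl ca -batch -config "$INT/openssl.cnf" -gencrl -out "$INT/ca.crl" 2>/dev/null
    openssl ca -batch -config "$ROOT/openssl.cnf" -gencrl -out "$ROOT/ca.crl" 2>/dev/null
    cat "$INT/ca.crl" "$ROOT/ca.crl" > "$1"
}

# verify_with_crls CHAIN CRLS CERT: prints ok | revoked | failed.
# Same check as the question's command, but the CRLs come from a local file.
verify_with_crls() {
    if out=$(openssl verify -crl_check_all -CAfile "$1" -CRLfile "$2" "$3" 2>&1); then
        echo ok
    else
        case $out in
            *"certificate revoked"*) echo revoked ;;
            *) echo failed ;;
        esac
    fi
}

write_cnf "$ROOT"
write_cnf "$INT"
# Self-signed root, then intermediate and server issued with openssl ca.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$ROOT/openssl.cnf" \
    -extensions v3_root -subj "$SUBJ_BASE/CN=Root-CA" -keyout "$ROOT/ca.key" -out "$ROOT/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$INT/openssl.cnf" \
    -subj "$SUBJ_BASE/CN=Intermediate-CA" -keyout "$INT/ca.key" -out "$INT/ca.csr" 2>/dev/null
openssl ca -batch -config "$ROOT/openssl.cnf" -extensions v3_ca -notext \
    -in "$INT/ca.csr" -out "$INT/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$INT/openssl.cnf" \
    -subj "$SUBJ_BASE/CN=www.example.com" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl ca -batch -config "$INT/openssl.cnf" -extensions v3_server -notext \
    -in "$WORK/server.csr" -out "$WORK/server.crt" 2>/dev/null
cat "$INT/ca.crt" "$ROOT/ca.crt" > "$WORK/chain.pem"   # like intermediateca+rootca.pem

gen_crls "$WORK/crls.pem"
BEFORE=$(verify_with_crls "$WORK/chain.pem" "$WORK/crls.pem" "$WORK/server.crt")
# Revoke server.crt at the intermediate and publish fresh CRLs.
openssl ca -batch -config "$INT/openssl.cnf" -revoke "$WORK/server.crt" -crl_reason keyCompromise 2>/dev/null
gen_crls "$WORK/crls.pem"
AFTER=$(verify_with_crls "$WORK/chain.pem" "$WORK/crls.pem" "$WORK/server.crt")
echo "before revocation: $BEFORE, after revocation: $AFTER"
```

Running it prints "before revocation: ok, after revocation: revoked". The -crl_check_all flag needs a CRL for every issuer in the chain, which is why both the intermediate and the root CRL are concatenated into one file; -crl_download is only needed when no local CRL is supplied, and then the CDP URL in the certificate must actually serve a DER-encoded CRL.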