生成自签名证书以供 Firefox 接受

生成自签名证书以供 Firefox 接受

我正在设置一个内部测试网络,并希望 FireFox 接受我的自签名证书。具体来说,我正在尝试为 nginx 配置证书,以便我可以使用MyTestNetwork.dev *.MyTestNetwork.dev

以下是我生成证书的方法:

rm rootCA.* MyTestNetwork.dev.*

# Generate rootCA
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -subj="/C=US/ST=CA/O=MyTestNetwork/CN=MyTestNetwork.dev" -addext 'subjectAltName=DNS:MyTestNetwork.dev,DNS:*.MyTestNetwork.dev' -nodes -key rootCA.key -sha256 -days 365 -out rootCA.crt

# Generate Server Certificates
openssl genrsa -out MyTestNetwork.dev.key 2048
openssl req -new -sha256 -key MyTestNetwork.dev.key -subj="/C=US/ST=CA/O=MyTestNetwork/CN=*.MyTestNetwork.dev" -addext 'subjectAltName=DNS:MyTestNetwork.dev,DNS:*.MyTestNetwork.dev' -out MyTestNetwork.dev.csr
openssl x509 -req -in MyTestNetwork.dev.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out MyTestNetwork.dev.crt -days 365 -sha256

以下是 nginx 中的 SSL 设置:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/ssl/certs/MyTestNetwork.dev.crt;
    ssl_certificate_key /etc/ssl/certs/MyTestNetwork.dev.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_dhparam /etc/ssl/certs/dhparam;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    # add_header Strict-Transport-Security "max-age=63072000" always;
    add_header Strict-Transport-Security "max-age=0;";

    # replace with the IP address of your resolver
    resolver 127.0.0.1;

    location / {
        proxy_pass http://$host$request_uri;
    }

}

我面临两个具体问题:

  1. 即使rootCA.crt通过中的“导入证书”设置将其导入 FireFox about:preferences#privacy,我仍然收到错误:

网站通过证书证明其身份。Firefox 不信任此网站,因为它使用的证书对 dns.MyTestNetwork.dev 无效。

错误代码:SSL_ERROR_BAD_CERT_DOMAIN

即使我有该服务器的正确 DNS 记录(该域托管我正在使用的 DNS 服务器的仪表板)。

  1. 我无法 curl MyTestNetwork.dev,因为出现此错误:

curl:(60)SSL:证书主题名称“*.MyTestNetwork.dev”与目标主机名“MyTestNetwork.dev”不匹配更多详细信息:https://curl.se/docs/sslcerts.html

curl 无法验证服务器的合法性,因此无法与其建立安全连接。要了解有关此情况的更多信息以及如何修复它,请访问上面提到的网页。

即使我使用多个 SAN 创建了证书。

任何帮助都将不胜感激!

答案1

问题在于,正如 @jabbson 指出的那样,subjectAltName由于我的语法,我的代码无法从 CSR 传播到证书。正确的语法是:

# Generate rootCA
openssl genrsa -out config/CA/rootCA.key 4096
openssl req -new -x509 -days 365 -key config/CA/rootCA.key -subj="/C=RH/ST=RT/O=MyTestNetwork/CN=MyTestNetwork CA" -out config/CA/rootCA.crt
# Generate server certificate
openssl req -newkey rsa:2048 -nodes -keyout config/CA/${DOMAIN}.key -subj="/C=RH/ST=RT/O=MyTestNetwork/CN=*.mytestnetwork.dev" -out config/CA/${DOMAIN}.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:mytestnetwork.dev,DNS:*.mytestnetwork.dev") -days 365 -in config/CA/${DOMAIN}.csr -CA config/CA/rootCA.crt -CAkey config/CA/rootCA.key -CAcreateserial -out config/CA/${DOMAIN}.crt

相关内容