Installing a root SSL certificate


I created a root certificate and a server certificate, and signed the latter with the root. How do I install the root certificate so that the warning about an untrusted connection goes away? update and dpkg-reconfigure do not work. I am using OpenSSL and the Iceweasel browser on Kali Linux v1.1.0.

EDIT

Steps: create the root CA's key:

dd if=/dev/random of=.rnd count=64 bs=32
openssl genrsa -rand .rnd -out org.key 2048

Create the certificate request:

openssl req  -new -key org.key -config org.cnf -out org.csr

and:

org.cnf
[ req ] 
default_bits = 2048 
distinguished_name = req_distinguished_name 
extensions = v3_req 
x509_extensions = usr_cert 
[ req_distinguished_name ] 
countryName = US 
countryName_default = US 
stateOrProvinceName  = City
stateOrProvinceName_default = City
localityName = City
localityName_default = City 
organizationName = Company
organizationName_default = Company
organizationalUnitName = CA 
organizationalUnitName_default = CA 
commonName = CAuthority 
commonName_default = CAuthority 
emailAddress = [email protected]
emailAddress_default = [email protected]
[ v3_req ] 
basicConstraints = CA:TRUE 
nsComment = "CA certificate of PTI" 
nsCertType = sslCA 
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=critical,CA:TRUE

Create the root CA:

openssl  x509 -req -signkey org.key -in org.csr -extfile org.cnf -out org.crt -days 1830

That is everything for the root; now I need to create the server certificate and install it in Apache. Create the key:

dd if=/dev/urandom of=.rnd count=64 bs=32;
openssl genrsa -rand .rnd -out httpd.key 2048; 

Create the certificate request:

openssl req  -new -key httpd.key -config httpd.cnf -out httpd.csr

and:

httpd.cnf
[ req ] 
default_bits = 2048 
distinguished_name = req_distinguished_name 
extensions = v3_req 
x509_extensions = usr_cert 
[ req_distinguished_name ] 
countryName = country [US] 
countryName_default = US 
stateOrProvinceName  = province [City] 
stateOrProvinceName_default = City 
localityName = locality [City] 
localityName_default = City
organizationName = organization [Company] 
organizationName_default = Company
organizationalUnitName = OU_name 
organizationalUnitName_default = Webserver 
commonName = commonName 
commonName_default = "localhost" 
emailAddress = email 
emailAddress_default = [email protected]
[ v3_req ] 
basicConstraints = CA:false 
nsComment = "Apache Server Certificate" 
nsCertType = server
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=critical,CA:TRUE

After all that, I signed httpd.csr with this command:

openssl ca -notext -in httpd.csr -cert org.crt -keyfile org.key -out httpd.crt -md sha1 -days 90 -verbose;

Then I installed my httpd.crt and httpd.key in Apache, so when I try to open https://localhost it says "This Connection is Untrusted". Adding httpd.crt to the Iceweasel Authorities has no effect. Still "Untrusted Connection".

Answer 1

You need to have CA:True set in root.crt.

Browsers will not let you add a non-CA certificate to the Authorities list, which is why you get the error message.

You can check whether this extension is in the certificate with:

openssl x509 -noout -text -in root.crt

This prints a text representation of your certificate, in which you can search for the following excerpt:

X509v3 Basic Constraints: critical
    CA:TRUE

If it is not there, you need to modify the openssl config file and add the following to the block that x509_extensions points to:

basicConstraints = critical, CA:TRUE

man x509v3_config and openssl.cnf will give you all the details, but here is an example from the file on a Fedora 23 machine:

####################################################################
[ ca ]
default_ca  = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir     = /etc/pki/CA       # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject = no            # Set to 'no' to allow creation of
                                # several certificates with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number
                    # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem    # The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions = usr_cert      # The extensions to add to the cert

You will notice that x509_extensions points to a section further down in the file named usr_cert, which contains the following:

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

basicConstraints=CA:TRUE

Note that the name usr_cert is just a name, so the fact that your certificate is a CA certificate does not matter. If you are OCD about it, you can change both occurrences of usr_cert to CA_cert.

The above should be added to the config file you are actually using. That is, if you did not add the -config option to the openssl command, it uses the distribution's default config file. This is usually in OpenSSL's default directory, which can be found with:

openssl version -d
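The procedure from the question (root key, request, self-signed root, server key, request, signed server certificate) together with the CA:TRUE check from the answer, worked through end to end as an added example; this is not code from the question, the answer, or any OpenSSL project file. It goes one step beyond the page: the root gets CA:TRUE plus keyCertSign, the server leaf gets CA:FALSE plus a subjectAltName for localhost, and the resulting chain is verified with openssl verify. The file names, the subject names, the section names v3_ca and v3_server, the DNS name localhost, and the use of openssl x509 -req -CA instead of openssl ca are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Builds a root CA whose certificate really carries CA:TRUE, signs a server
# certificate with CA:FALSE, and checks the result the way the answer suggests.
# Assumptions: the file names, subject names, the DNS name "localhost" and the
# section names v3_ca / v3_server are all made up for this example.
set -e

# Constructed config.  The question's org.cnf kept CA:TRUE in [ v3_req ] but the
# "openssl x509 -req" call never named that section, so nothing was copied in.
write_ext_config() {
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
# empty on purpose: subjects are passed with -subj below
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
}

# Build the root CA and the server certificate inside directory $1.
build_pki() {
    dir="$1"
    mkdir -p "$dir"
    write_ext_config "$dir"

    # Root CA: key, request, self-signed certificate.
    # "-extensions v3_ca" is the piece the question's command was missing.
    openssl genrsa -out "$dir/org.key" 2048 2>/dev/null
    openssl req -new -key "$dir/org.key" -config "$dir/ext.cnf" \
        -subj "/O=Company/OU=CA/CN=CAuthority" -out "$dir/org.csr"
    openssl x509 -req -in "$dir/org.csr" -signkey "$dir/org.key" \
        -extfile "$dir/ext.cnf" -extensions v3_ca -days 1830 -sha256 \
        -out "$dir/org.crt"

    # Server leaf: key, request, certificate signed by the root with the leaf
    # section.  "x509 -req -CA" sidesteps the index.txt/serial database that
    # "openssl ca" requires.
    openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null
    openssl req -new -key "$dir/httpd.key" -config "$dir/ext.cnf" \
        -subj "/O=Company/OU=Webserver/CN=localhost" -out "$dir/httpd.csr"
    openssl x509 -req -in "$dir/httpd.csr" -CA "$dir/org.crt" -CAkey "$dir/org.key" \
        -CAcreateserial -extfile "$dir/ext.cnf" -extensions v3_server \
        -days 90 -sha256 -out "$dir/httpd.crt"
}

# The answer's check: returns 0 when the certificate asserts CA:TRUE.
is_ca_cert() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# What the browser effectively does: chain the leaf up to the root and match
# the host name.  Returns 0 when httpd.crt chains to org.crt for localhost.
chain_verifies() {
    openssl verify -CAfile "$1/org.crt" -verify_hostname localhost \
        "$1/httpd.crt" >/dev/null 2>&1
}

# Usage: build everything in a scratch directory and report the checks.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    build_pki "$work"
    is_ca_cert "$work/org.crt" && echo "org.crt carries CA:TRUE"
    is_ca_cert "$work/httpd.crt" || echo "httpd.crt is a leaf (CA:FALSE)"
    chain_verifies "$work" && echo "httpd.crt chains to org.crt for localhost"
    rm -rf "$work"
fi
```

The one difference that matters against the question's org.cnf is the explicit -extensions v3_ca: openssl x509 -req only copies a section from -extfile when it is named on the command line or via an extensions= line in the file's unnamed default section. The question's org.cnf begins with [ req ], so its [ v3_req ] block, CA:TRUE included, is never read and the root comes out with no basicConstraints at all, which is exactly what the answer's openssl x509 -noout -text check would reveal. Keeping CA:FALSE on the server certificate is what you want: only org.crt should ever be imported into the browser's Authorities list, and httpd.crt should not be accepted there.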
