我创建了根证书和服务器证书,并用 root 签名。如何安装根证书以消除有关不受信任连接的警告?更新、dpkg 重新配置不工作。我在 Kali Linux v.1.1.0 上使用 OpenSSL、Iceweasel 浏览器
编辑
步骤:创建根CA的密钥:
dd if=/dev/random of=.rnd count=64 bs=32
openssl genrsa -rand .rnd -out org.key 2048
创建证书请求:
openssl req -new -key org.key -config org.cnf -out org.csr
和:
org.cnf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
extensions = v3_req
x509_extensions = usr_cert
[ req_distinguished_name ]
countryName = US
countryName_default = US
stateOrProvinceName = City
stateOrProvinceName_default = City
localityName = City
localityName_default = City
organizationName = Company
organizationName_default = Company
organizationalUnitName = CA
organizationalUnitName_default = CA
commonName = CAuthority
commonName_default = CAuthority
emailAddress = [email protected]
emailAddress_default = [email protected]
[ v3_req ]
basicConstraints = CA:TRUE
nsComment = "CA certificate of PTI"
nsCertType = sslCA
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=critical,CA:TRUE
创建根CA:
openssl x509 -req -signkey org.key -in org.csr -extfile org.cnf -out org.crt -days 1830
这就是 root 的全部内容,现在我需要创建服务器证书,将其安装在 Apache 上。创建密钥:
dd if=/dev/urandom of=.rnd count=64 bs=32;
openssl genrsa -rand .rnd -out httpd.key 2048;
创建证书请求:
openssl req -new -key httpd.key -config httpd.cnf -out httpd.csr
和:
httpd.cnf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
extensions = v3_req
x509_extensions = usr_cert
[ req_distinguished_name ]
countryName = country [US]
countryName_default = US
stateOrProvinceName = province [City]
stateOrProvinceName_default = City
localityName = locality [City]
localityName_default = City
organizationName = organization [Company]
organizationName_default = Company
organizationalUnitName = OU_name
organizationalUnitName_default = Webserver
commonName = commonName
commonName_default = "localhost"
emailAddress = email
emailAddress_default = [email protected]
[ v3_req ]
basicConstraints = CA:false
nsComment = "Apache Server Certificate"
nsCertType = server
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=critical,CA:TRUE
毕竟我签了httpd.csr用这个命令:
openssl ca -notext -in httpd.csr -cert org.crt -keyfile org.key -out httpd.crt -md sha1 -days 90 -verbose;
然后我安装我的httpd.crt和httpd.key到阿帕奇,所以,当我试图得到https 本地主机,它说“连接不受信任”。添加httpd.crt对 Iceweasel 当局来说,没有任何影响。仍然是“不受信任的连接”。
答案1
您需要将CA:True其设置为root.crt.
浏览器不允许您将非 CA 证书添加到Authorities列表中,这就是您收到错误消息的原因。
您可以使用以下命令检查此扩展是否在证书中:
openssl x509 -noout -text -in root.crt
这将打印您证书的文本表示形式,您可以搜索以下摘录:
X509v3 Basic Constraints: critical
CA:TRUE
如果不存在,您需要修改openssl配置文件并将以下内容添加到 指向的块中x509_extensions:
basicConstraints = critical, CA:TRUE
男人x509v3_configopenssl.cnf将为您提供所有详细信息,但以下是Fedora 23 机器上的文件中的示例:
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
您会注意到它x509_extensions指向名为的文件中更下方的部分,usr_cert其中包含以下内容:
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:TRUE
请注意,该名称user_cert只是一个名称,因此您的证书是 CA 证书这一事实并不重要。如果你患有强迫症,那么你可以同时改变usr_cert两者CA_cert。
上述内容应添加到您正在使用的配置文件中。也就是说,如果您没有将选项添加-config到openssl命令中,那么它将使用发行版的默认配置文件。这通常位于 OpenSSL 的默认目录中,可以通过以下方式找到:
openssl version -d