How do I create my own Extended Validation certificate to display a green bar?


Problem description

I created one root, one intermediate certificate. Then I signed my Extended Certificate, but it did not.

I added root and intermediate certificates to the browser and to the computer's keystore.

I see the word "Secure" but I want to see my name in the green bar.

What is the policy for generating one extended certificate with OpenSSL?

I used the following in the openssl conf file but it did not.

certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
[polsect]
policyIdentifier = 1.3.5.8
CPS.1="https://jitc.rahmican.com.tr"
userNotice.1=@notice
[notice]
explicitText="Explicit Text Here"
organization="rahmican ltd sti"
noticeNumbers=1,2,3,4

Can you help me?

Recommended answer

First, you must comply with the CA/Browser Forum EV Guidelines:

  • your certificate needs to be compliant with the DV (Domain Validated) rules, and we know here that it's OK because your browser says "Secure", even if the EV green bar is not displayed
  • you need to add the following EV extension: 2.23.140.1.1
  • you need to add a Certificate Practice Statement, with extension 2.16.840.1.114412.2.1
  • and some other things, that are best described in the EV column of the following document by DigiCert: https://www.digicert.com/wp-content/uploads/2018/01/Certificate-Profiles.pdf

Those other things are easy to comply with, because either they are already needed for DV certificates, or you can update the openssl configuration to add those that are not already needed, or forbidden, for DV certs.

Among those additional things, some are optional, but the following 3 about the DN are not, so you MUST add that information in the DN of the Subject. You add them with openssl when creating the CSR. For instance:

openssl req -config openssl-EV.cnf -new -days 365 -pubkey -key key.pem -subj "/businessCategory=Private/serialNumber=5157550/jurisdictionC=US/CN=fenyo.net/O=FenyoNet/C=FR" -nodes > csr.pem

The important part, for EV certificates, is the following: /businessCategory=Private/serialNumber=5157550/jurisdictionC=US

Those 3 required attributes in the DN (businessCategory, serialNumber and jurisdictionC) MUST be present. But openssl may not know the OID of businessCategory and jurisdictionC. So, fill in the new_oids section of the openssl configuration file like this:

[ new_oids ]
businessCategory = 2.5.4.15
jurisdictionC = 1.3.6.1.4.1.311.60.2.1.3

Having those attributes in the CSR is not sufficient, since you have your own CA, and the CA filters and removes some attributes of the CN, according to the CA policy. You may certainly be running something like this to sign the certificate:

openssl ca -verbose -in csr.pem -extensions v3_ca -out newcert.pem -config openssl-EV.cnf

This step will certainly filter the additional attributes you added in the DN of the Subject in your CSR, if your openssl configuration file has not been specifically designed for EV certificates. So, you must change the openssl configuration file to keep those attributes in the signed certificate. For this to be done, find the policy field in the CA section of the openssl configuration file, for instance policy_match, and go to the corresponding section ([policy_match] in this example), and add the following entries in this section (do not remove the content that is already in this section):

[ policy_match ]
businessCategory = optional
serialNumber = optional
jurisdictionC = optional

This will make "openssl ca" output those attributes, if it finds them in the CSR.

Now, note that being compliant with those CA/Browser Forum EV Guidelines is NOT sufficient. Many browsers add other needs. For instance, the CA/Browser Forum EV Guideline validates EV certificates that use CRLs instead of OCSP (the CA/Browser Forum says: The cRLDistributionPoint extension MUST be present in Subscriber Certificates if the certificate does not specify OCSP responder locations in an authorityInformationAccess extension.). But on the contrary, Firefox adds many other rules, including the availability of an OCSP responder.

Firefox performs several tests to determine if a server's certificate is a valid EV certificate. If the certificate passes these tests, Firefox will display the new EV UI elements. Specifically, the certificate must pass all of the following tests.

Those rules, from https://wiki.mozilla.org/CA:EV_Revocation_Checking, are:

In addition to EV-specific tests, the server certificate must pass all tests required for DV certificates. The certificate verification engine used in Firefox 3 (the NSS crypto libraries) must be able to find a valid certificate chain that extends from the server certificate to one of the EV approved root certificates that ship with Firefox. The server certificate must contain exactly one EV policy extension (OID). The server certificate may contain one or more policy extensions, but it must not contain multiple EV policy extensions. Intermediate certificates must implicitly or explicitly allow the EV policy OID listed in the server certificate. Firefox 3 will test the server certificate for revocation status using the OCSP protocol. The server certificate must contain an Authority Information Access (AIA) extension that carries an OCSP URI using the HTTP protocol. Firefox must be able to complete an OCSP request and response transaction with the given OCSP server. When an OCSP server connection fails, Firefox treats the server certificate as invalid for EV. This is true for the first check for each server certificate in a Firefox session. Firefox uses volatile caching to reduce the number of OCSP transactions performed. Firefox must be able to verify the received OCSP response. The response must confirm the server certificate is not revoked. OCSP must be enabled in the application, which is the default configuration used by Firefox. The option is called security.ocsp.enabled. At this time Firefox will not download CRLs on demand. OCSP must also work for the intermediate certificates. A failed OCSP response will result in EV treatment not being given.

So, to get the green bar, you must update your openssl configuration as said previously, and modify your CA organization to add OCSP responders and other things that would be expected by the browsers that need to recognize your server as an EV site.

For people in your situation, that own the CA and PKI, Mozilla has created an online site to check all of these EV requirements: https://tls-observatory.services.mozilla.com/static/ev-checker.html

On this site:

  • you enter the name of the server
  • you enter the chosen EV extension (usually 2.3.140.1.1)
  • you enter, in PEM format, the root certificate that signed the EV certificate

And the site will make tests and tell you what is correct and what is wrong. Note that as of today (Aug 2, 2018), the site is very slow. Hoping it will be up soon.
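As an added example (not part of the answer above, nor of any project's code), the following script builds a self-signed test certificate whose subject and extensions follow the EV profile described in the answer, then checks it against the requirements quoted above: the three EV subject attributes, exactly one EV policy OID, and an HTTP OCSP URI in the AIA extension. All names, serial numbers and URLs in it are constructed; it assumes an OpenSSL 1.1.1 or newer binary on the PATH.

```shell
#!/bin/sh
# Added example (not from the original answer). Builds a self-signed test
# certificate with an EV-style subject and extensions, then checks it against
# the requirements listed above. All names and URLs are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# OpenSSL 1.0.2 and newer already know businessCategory and jurisdictionC, so
# no [new_oids] section is needed; redefining a known OID is rejected by 1.1.1/3.x.
cat > "$WORK/ev.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ev_ext
prompt = no
[ dn ]
businessCategory = Private
serialNumber = 5157550
jurisdictionC = US
CN = ev-test.example.invalid
O = Example Ltd
C = FR
[ ev_ext ]
certificatePolicies = 2.23.140.1.1
authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid
subjectAltName = DNS:ev-test.example.invalid
EOF
# Self-signed only so there is something to inspect; a real EV leaf is issued by the CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
  -out "$WORK/cert.pem" -days 1 -config "$WORK/ev.cnf" 2>/dev/null

# check_ev CERT.pem: returns 0 and prints a summary when every requirement is met.
check_ev() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  for attr in businessCategory serialNumber jurisdictionC; do
    echo "$subj" | grep -q "$attr" || { echo "missing subject attribute $attr"; return 1; }
  done
  # Firefox requires exactly one EV policy OID, not merely at least one.
  n=$(openssl x509 -in "$1" -noout -ext certificatePolicies | grep -c 2.23.140.1.1 || true)
  [ "$n" -eq 1 ] || { echo "expected exactly one EV policy OID, found $n"; return 1; }
  # The AIA extension must carry an OCSP responder reachable over HTTP.
  openssl x509 -in "$1" -noout -ext authorityInfoAccess | grep -q 'OCSP - URI:http://' \
    || { echo "no HTTP OCSP responder in AIA"; return 1; }
  echo "EV profile checks passed"
}

check_ev "$WORK/cert.pem"
```

Run check_ev against the leaf certificate your own CA actually issues to confirm that `openssl ca` kept the three subject attributes and the extensions.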
