Invalid CA certificate with self signed certificate chain


Problem description

I have a self-signed certificate chain with these commands and configured them on an Apache server

But when I try openssl s_client -showcerts -servername server -connect my-host.local:443 -CAfile all.crt

I get an error from openssl Verify return code: 24 (invalid CA certificate)

Is there something wrong with the commands used to generate the certificates or with the configuration files?

# self signed root cert
openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -days 3000 -key ca.key -out ca.crt -config ca.conf

# intermediate cert signed with the root cert
openssl genrsa -aes256 -out int.key 4096
openssl req -new -key int.key -out int.csr -config int.conf
openssl x509 -req -days 3000 -in int.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out int.crt

# leaf cert signed with the intermediate cert
openssl genrsa -aes256 -out leaf.key 4096
openssl req -new -key leaf.key -out leaf.csr -config leaf.conf
openssl x509 -req -days 3000 -in leaf.csr -CA int.crt -CAkey int.key -set_serial 01 -out leaf.crt

# bundle root, intermediate and leaf for -CAfile
cat ca.crt int.crt leaf.crt > all.crt

These are the config files I used

ca.conf

[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
dirstring_type = nobmp
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = root
[ v3_ca ]
keyUsage=critical, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical,CA:TRUE,pathlen:1
extendedKeyUsage=serverAuth

int.conf

[ req ]
distinguished_name = req_distinguished_name
x509_extensions = ext
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = int
[ ext ]
keyUsage=critical, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:TRUE,pathlen:0
extendedKeyUsage=serverAuth

leaf.conf

[ req ]
distinguished_name = req_distinguished_name
dirstring_type = nobmp
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = leaf

Recommended answer

CA root certificate

A CA certificate must include the basicConstraints value with the CA field set to TRUE. An end user certificate must either set CA to FALSE or exclude the extension entirely. Some software may require the inclusion of basicConstraints with CA set to FALSE for end entity certificates.

This is done through the basic constraints standard extension. To check whether your root cert has the CA attribute set, run openssl x509 -text -noout -in ca.crt and look for CA:True in the output. Note that OpenSSL will actually let you sign other certs with a non-CA root cert (or at least used to) but verification of such certs will fail (because the CA check will fail).

With your config file, simply including -extensions v3_ca in the command to generate the root cert should suffice:

# the v3_ca section is read from the file given with -config (openssl req has no -extfile option)
openssl req -new -x509 -extensions v3_ca -days 3000 -key ca.key -out ca.crt -config ca.conf
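As an added example (not the question's or the answer's code), the script below builds a root, intermediate and leaf chain carrying the basicConstraints the answer describes, then runs the CA:TRUE check and a full path validation; it assumes the openssl CLI (1.1.1 or 3.x) is on PATH and writes unencrypted keys to a scratch directory. It goes one step beyond the answer by naming an extension section at every signing step as well, because openssl x509 -req does not copy extensions from the CSR unless told to, so an intermediate signed as in the question would otherwise have no basicConstraints at all.

```shell
# Added example (not the poster's or the answerer's code). Assumes the openssl CLI
# (1.1.1 or 3.x) on PATH; keys are written unencrypted into a scratch directory so
# that every step runs without prompts.
set -e
WORK="${WORK:-$(mktemp -d)}"
# One config with a profile per tier. Profiles are passed explicitly when signing,
# because "openssl x509 -req" does not copy extensions from the CSR by default.
cat > "$WORK/ext.conf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:my-host.local
EOF
build_chain() {
  # Self-signed root: -x509 issues the cert directly, so -extensions applies here.
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3000 -subj "/CN=root" \
    -config "$WORK/ext.conf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Intermediate: CSR first, then sign with the root and attach the v3_int profile.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=int" -config "$WORK/ext.conf" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 3000 -in "$WORK/int.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/ext.conf" -extensions v3_int -out "$WORK/int.crt" 2>/dev/null
  # Leaf: signed by the intermediate and explicitly CA:FALSE.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=my-host.local" -config "$WORK/ext.conf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 3000 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/ext.conf" -extensions v3_leaf -out "$WORK/leaf.crt" 2>/dev/null
}
# The check the answer recommends: does the cert carry basicConstraints CA:TRUE?
has_ca_flag() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
# Full path validation: trust only the root, pass the intermediate as untrusted.
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt"; }
build_chain
has_ca_flag "$WORK/ca.crt" && has_ca_flag "$WORK/int.crt" && verify_chain
```

Running the same has_ca_flag check against an intermediate produced by the question's plain openssl x509 -req command shows the missing flag that openssl verify reports as return code 24.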
