无效的自签名 SSL 证书 - “缺少主题备用名称" [英] Invalid self signed SSL cert - "Subject Alternative Name Missing"
问题描述
最近,Chrome 已停止使用我的自签名 SSL 证书,并认为它们不安全.当我查看 DevTools | 中的证书时安全
标签,我可以看到它说
Recently, Chrome has stopped working with my self signed SSL certs, and thinks they're insecure. When I look at the cert in the DevTools | Security
tab, I can see that it says
缺少主题备用名称 此站点的证书不存在不包含包含域的主题备用名称扩展名称或 IP 地址.
Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
证书错误站点的证书链存在问题(网络::ERR_CERT_COMMON_NAME_INVALID).
Certificate Error There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
我该如何解决这个问题?
How can I fix this?
推荐答案
要解决这个问题,您需要在创建证书时向 openssl
提供一个额外的参数,基本上
To fix this, you need to supply an extra parameter to openssl
when you're creating the cert, basically
-sha256 -extfile v3.ext
其中 v3.ext
是这样的文件,%%DOMAIN%%
替换为与您使用的 Common Name
.更多信息这里和在这里.请注意,通常您会将 Common Name
和 %%DOMAIN%%
设置为要为其生成证书的域.因此,如果它是 www.mysupersite.com
,那么您可以将其用于两者.
where v3.ext
is a file like so, with %%DOMAIN%%
replaced with the same name you use as your Common Name
. More info here and over here. Note that typically you'd set the Common Name
and %%DOMAIN%%
to the domain you're trying to generate a cert for. So if it was www.mysupersite.com
, then you'd use that for both.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = %%DOMAIN%%
注意:可以找到解决此问题的脚本,以及创建完全受信任的 ssl 证书以在 Chrome、Safari 和 Java 客户端中使用这里
另一个注意事项:如果您只想阻止 Chrome 在查看自签名证书时抛出错误,您可以告诉 Chrome 忽略所有 SSL通过使用特殊的命令行选项启动所有站点的错误,SuperUser 上的详细信息
这篇关于无效的自签名 SSL 证书 - “缺少主题备用名称"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!