みんな地獄、
だから私は私のドメインの自己署名証明書を作成しようとしています、そして何らかの理由でopensslはV3の代わりに私のサーバーのV1証明書を作成し続けており、それが原因でブラウザが私に「グリーンロック」を与えない原因になっています。
なぜこれが起こっているのでしょうか。
これが私のserver.crtファイルです:
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
30:61:e6:70:fd:e4:c9:f6:23:ed:e1:1c:cd:8c:c9:9e:68:7b:01:cf
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights, emailAddress = [email protected]
Validity
Not Before: Aug 13 14:33:12 2019 GMT
Not After : Aug 10 14:33:12 2029 GMT
Subject: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:95:61:7c:ff:6d:61:12:fa:1d:a9:e0:93:31:ca:
c6:dc:3f:96:73:a2:37:92:1c:eb:00:69:40:0d:09:
75:ec:7c:3d:ea:30:74:0c:30:87:a7:d8:42:e3:bd:
8c:8c:9a:bc:61:9e:fb:ba:bd:2a:75:a3:42:a1:6c:
d0:12:7c:68:01:1b:e1:ca:e4:43:f6:c4:de:b3:40:
4e:23:7e:a2:3c:59:d2:cd:01:65:f5:07:54:a9:56:
f6:d3:56:03:09:cd:ee:7a:48:77:7d:0d:52:20:ab:
c4:7e:e3:11:de:88:67:04:01:09:f3:fc:fc:ab:22:
4e:a5:7a:fe:59:5a:66:89:b2:45:e3:e7:f9:ea:16:
0e:96:12:9b:fc:74:0b:e2:69:b9:9e:72:36:00:27:
0f:76:c3:d2:e4:45:c1:a7:dd:b5:d4:1b:cc:12:ea:
3e:75:0a:36:6a:83:0a:f8:4f:33:3f:be:a0:d7:22:
17:16:b8:aa:36:78:fd:d7:06:b2:24:d9:7e:a3:93:
52:53:c9:c4:01:fb:37:94:75:ec:a3:e9:2b:93:59:
38:98:a1:7c:0c:01:c5:76:ab:a7:9e:0e:1d:40:1c:
ad:44:47:6a:52:9a:48:bb:31:26:8d:74:9f:b9:ab:
13:02:38:a5:0c:0c:d6:f9:f5:41:58:94:6f:45:c8:
80:a1
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
a1:e2:82:3d:57:34:50:14:8b:40:6a:bd:9f:b6:ad:98:0c:c6:
7f:44:9d:0a:e7:e7:0e:c3:1d:3d:13:0a:66:1d:e5:2c:eb:a0:
3e:a4:b1:d5:63:66:8e:83:b6:38:0a:06:29:f0:1c:2e:71:56:
db:3f:d4:86:8a:ec:72:25:38:1a:e4:91:7b:72:e2:16:0e:bc:
d3:53:a8:84:65:f2:e6:67:c9:4f:6c:1b:23:e5:f7:6a:8f:fc:
6a:0a:c6:bc:d7:f7:d5:12:72:63:d9:73:27:ed:d6:16:78:66:
a4:07:64:1a:99:b6:a2:c4:8a:15:2e:78:d4:ac:95:09:5c:1d:
e2:d8:a7:ef:79:99:c7:68:5c:21:e4:1d:f0:7d:a9:f9:5f:28:
88:1f:a8:9d:1f:d4:9b:b8:52:25:e4:79:29:32:db:12:a5:5f:
d2:fb:9f:45:91:af:ae:2c:87:0e:23:4f:2d:25:26:4d:0f:9d:
ee:85:86:e8:9f:c2:f6:ad:31:ad:40:f4:3f:6d:4c:dc:9c:71:
2b:4e:88:2e:28:33:68:26:66:10:c9:54:1e:8a:79:70:3e:7b:
ed:1f:bb:39:e6:7a:30:90:3f:ae:f1:11:28:0f:41:b6:f5:e4:
cf:d9:40:b7:15:7d:ab:94:97:56:f3:9f:9f:ce:b2:8a:0b:5c:
26:53:00:19
そして、これが私の設定ファイルです:
# OpenSSL configuration
[ req ]
Prompt = no
string_mask = default
# The size of the keys in bits:
default_bits = 2048
distinguished_name = req_dn
req_extensions = req_ext
[ req_dn ]
# Note that the following are in 'reverse order' to what you'd expect to see in
# Windows
# Locality style:
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Boss Insights
organizationalUnitName = DevOps
commonName = Boss Insights
[ req_ext ]
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature
extendedKeyUsage=serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = files.bossinsights.com
問題を解決するために他の情報が必要な場合は、ヘルプを確認してくださいIS非常に感謝しています!
CAは、CSRで要求された拡張機能を署名済み証明書に追加していません。 OpenSSLが拡張なしの証明書を作成すると、それはバージョン1証明書としてマークされます。
copy_extensions
オプションを参照してください。これは、default_ca
オプションが指すセクションに配置する必要があります。具体的には、copy
またはcopyall
(前者が望ましい)に設定します。これにより、openssl ca
は要求された拡張機能をCSRから署名付き証明書にコピーし、バージョン3としてマークします。
動作するはずの例を次に示します。
OpenSSL構成ファイルを作成し、それをroot_create.cnf
と呼びます。
################ Req Section ################
# This is used by the `openssl req` command
# to create a certificate request
[ req ]
# Don't Prompt for the DN, use configured values instead
# This saves having to type in your DN each time.
Prompt = no
string_mask = default
distinguished_name = req_dn
# The size of the keys in bits:
default_bits = 4096
# The extensions added when generating a CSR
#req_extensions = req_ext
[ req_dn ]
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Boss Insights
organizationalUnitName = CA
commonName = Boss Insights Certification Authority
[ req_ext ]
# Extensions added to the request
################ CA Section ################
# This is used with the 'openssl ca' command
# to sign a request
[ ca ]
default_ca = CA
[ CA ]
# Where OpenSSL stores information
dir = . # Where everything is kept
certs = $dir # Where the issued certs are kept
crldir = $dir # Where the issued crl are kept
new_certs_dir = $certs
database = $dir/index
certificate = $certs/rootcrt.pem
private_key = $dir/rootprivkey.pem
crl = $crldir/crl.pem
serial = $dir/serial.txt
RANDFILE = $dir/.Rand
# How OpenSSL will display certificate after signing
name_opt = ca_default
cert_opt = ca_default
# How long the CA certificate is valid for
default_days = 3650
# default_startdate = 180517000000Z
# default_enddate = 181231235959Z
# The message digest for self-signing the certificate
# sha1 or sha256 for best compatability, although most
# OpenSSL digest algorithm can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256
# Subjects don't have to be unique in this CA's database
unique_subject = no
# What to do with CSR extensions
copy_extensions = copy
# Rules on mandatory or optional DN components
policy = simple_policy
# Extensions added while singing with the `openssl ca` command
x509_extensions = x509_ext
[ simple_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
domainComponent = optional
emailAddress = optional
name = optional
surname = optional
givenName = optional
dnQualifier = optional
[ x509_ext ]
# These extensions are for a CA certificate
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:TRUE
# basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
CAとして動作するときにOpenSSLに必要な2つのファイルを作成します。
touch index
echo 01 > serial.txt
(元のrootCA.key
を使用して)CA証明書リクエストを作成します。
openssl req -new -key rootCA.key -out rootCA.req -nodes -config root_create.cnf
以下を使用してCA証明書に自己署名します。
openssl ca -out rootCA.pem -keyfile rootCA.key -selfsign -config root_create.cnf -in rootCA.req
これでCA証明書(rootCA.pem
)が作成され、次のように表示できます。
openssl x509 -noout -text -in rootCA.pem
証明書(rootCA.pem
)は、すべての依存パーティ(クライアント)のトラストアンカーストアに配布する必要があるものです。
これは、サーバー証明書(CSR)の署名に使用する証明書と秘密鍵でもあります。
root_sign.cnf
というCSRに署名するための別のOpenSSL構成ファイルを作成します。
# OpenSSL config for CA signing only (not for CA cert generation)
[ ca ]
default_ca = CA
[ CA ]
# Where OpenSSL stores information
dir = . # Where everything is kept
certs = $dir # Where the issued certs are kept
crldir = $dir # Where the issued crl are kept
new_certs_dir = $certs
database = $dir/index
certificate = $certs/rootCA.pem
private_key = $dir/rootCA.key
crl = $crldir/crl.pem
serial = $dir/serial.txt
RANDFILE = $dir/.Rand
# How OpenSSL will display certificate after signing
name_opt = ca_default
cert_opt = ca_default
# How long the certificate is valid for
default_days = 365
# default_startdate = 180517000000Z
# default_enddate = 181231235959Z
# The message digest for signing the certificate
# sha1 or sha256 for best compatability, although most
# OpenSSL digest algorithm can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256
# Subjects don't have to be unique in this CA's database
unique_subject = no
# What to do with CSR extensions
copy_extensions = copy
# Rules on mandatory or optional DN components
policy = simple_policy
# Extensions added while singing with the `openssl ca` command
x509_extensions = x509_ext
[ simple_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
domainComponent = optional
emailAddress = optional
name = optional
surname = optional
givenName = optional
dnQualifier = optional
[ x509_ext ]
#Default extensions
# These extensions are for an end-entity certificate
# Extensions added when using the `openssl ca` command.
# This section is pointed to by `x509_extensions` above.
# These will override any requested extensions in the CSR:
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
CSRに署名する:
openssl ca -in BossInsight.req -cert rootCA.pem -keyfile rootCA.key -out BossInsight.pem -config root_sign.cnf
新しい証明書を表示するには:
openssl x509 -noout -text -in BossInsight.pem
すべて正しく実行した場合、証明書はサブジェクトの別名の拡張子を持つバージョン3になります。
提示されたCSRを使用して、この最後のセクションを繰り返すことができます。