web-dev-qa-db-ja.com

opensslがv3ではなくv1証明書を作成し続ける

みんな地獄、

だから私は私のドメインの自己署名証明書を作成しようとしています、そして何らかの理由でopensslはV3の代わりに私のサーバーのV1証明書を作成し続けており、それが原因でブラウザが私に「グリーンロック」を与えない原因になっています。

なぜこれが起こっているのでしょうか。

これが私のserver.crtファイルです:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            30:61:e6:70:fd:e4:c9:f6:23:ed:e1:1c:cd:8c:c9:9e:68:7b:01:cf
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights, emailAddress = [email protected]
        Validity
            Not Before: Aug 13 14:33:12 2019 GMT
            Not After : Aug 10 14:33:12 2029 GMT
        Subject: C = CA, ST = ON, L = Toronto, O = Boss Insights, OU = DevOps, CN = Boss Insights
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:95:61:7c:ff:6d:61:12:fa:1d:a9:e0:93:31:ca:
                    c6:dc:3f:96:73:a2:37:92:1c:eb:00:69:40:0d:09:
                    75:ec:7c:3d:ea:30:74:0c:30:87:a7:d8:42:e3:bd:
                    8c:8c:9a:bc:61:9e:fb:ba:bd:2a:75:a3:42:a1:6c:
                    d0:12:7c:68:01:1b:e1:ca:e4:43:f6:c4:de:b3:40:
                    4e:23:7e:a2:3c:59:d2:cd:01:65:f5:07:54:a9:56:
                    f6:d3:56:03:09:cd:ee:7a:48:77:7d:0d:52:20:ab:
                    c4:7e:e3:11:de:88:67:04:01:09:f3:fc:fc:ab:22:
                    4e:a5:7a:fe:59:5a:66:89:b2:45:e3:e7:f9:ea:16:
                    0e:96:12:9b:fc:74:0b:e2:69:b9:9e:72:36:00:27:
                    0f:76:c3:d2:e4:45:c1:a7:dd:b5:d4:1b:cc:12:ea:
                    3e:75:0a:36:6a:83:0a:f8:4f:33:3f:be:a0:d7:22:
                    17:16:b8:aa:36:78:fd:d7:06:b2:24:d9:7e:a3:93:
                    52:53:c9:c4:01:fb:37:94:75:ec:a3:e9:2b:93:59:
                    38:98:a1:7c:0c:01:c5:76:ab:a7:9e:0e:1d:40:1c:
                    ad:44:47:6a:52:9a:48:bb:31:26:8d:74:9f:b9:ab:
                    13:02:38:a5:0c:0c:d6:f9:f5:41:58:94:6f:45:c8:
                    80:a1
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         a1:e2:82:3d:57:34:50:14:8b:40:6a:bd:9f:b6:ad:98:0c:c6:
         7f:44:9d:0a:e7:e7:0e:c3:1d:3d:13:0a:66:1d:e5:2c:eb:a0:
         3e:a4:b1:d5:63:66:8e:83:b6:38:0a:06:29:f0:1c:2e:71:56:
         db:3f:d4:86:8a:ec:72:25:38:1a:e4:91:7b:72:e2:16:0e:bc:
         d3:53:a8:84:65:f2:e6:67:c9:4f:6c:1b:23:e5:f7:6a:8f:fc:
         6a:0a:c6:bc:d7:f7:d5:12:72:63:d9:73:27:ed:d6:16:78:66:
         a4:07:64:1a:99:b6:a2:c4:8a:15:2e:78:d4:ac:95:09:5c:1d:
         e2:d8:a7:ef:79:99:c7:68:5c:21:e4:1d:f0:7d:a9:f9:5f:28:
         88:1f:a8:9d:1f:d4:9b:b8:52:25:e4:79:29:32:db:12:a5:5f:
         d2:fb:9f:45:91:af:ae:2c:87:0e:23:4f:2d:25:26:4d:0f:9d:
         ee:85:86:e8:9f:c2:f6:ad:31:ad:40:f4:3f:6d:4c:dc:9c:71:
         2b:4e:88:2e:28:33:68:26:66:10:c9:54:1e:8a:79:70:3e:7b:
         ed:1f:bb:39:e6:7a:30:90:3f:ae:f1:11:28:0f:41:b6:f5:e4:
         cf:d9:40:b7:15:7d:ab:94:97:56:f3:9f:9f:ce:b2:8a:0b:5c:
         26:53:00:19

そして、これが私の設定ファイルです:

# OpenSSL configuration

[ req ]

Prompt             = no
string_mask        = default

# The size of the keys in bits:
default_bits       = 2048
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]

# Note that the following are in 'reverse order' to what you'd expect to see in
# Windows

# Locality style:
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Boss Insights
organizationalUnitName = DevOps
commonName = Boss Insights

[ req_ext ]

subjectKeyIdentifier    = hash

keyUsage = critical, digitalSignature

extendedKeyUsage=serverAuth

subjectAltName = @alt_names

[alt_names]
DNS.1 = files.bossinsights.com

問題を解決するために他の情報が必要な場合は、ヘルプを確認してくださいIS非常に感謝しています!

1
Ghaith Haddad

CAは、CSRで要求された拡張機能を署名済み証明書に追加していません。 OpenSSLが拡張なしの証明書を作成すると、それはバージョン1証明書としてマークされます。

copy_extensionsオプションを参照してください。これは、default_caオプションが指すセクションに配置する必要があります。具体的には、copyまたはcopyall(前者が望ましい)に設定します。これにより、openssl caは要求された拡張機能をCSRから署名付き証明書にコピーし、バージョン3としてマークします。


動作するはずの例を次に示します。

証明機関を作成します。

OpenSSL構成ファイルを作成し、それをroot_create.cnfと呼びます。

################ Req Section ################
# This is used by the `openssl req` command
# to create a certificate request

[ req ]

# Don't Prompt for the DN, use configured values instead
# This saves having to type in your DN each time.

Prompt             = no
string_mask        = default
distinguished_name = req_dn

# The size of the keys in bits:
default_bits       = 4096

# The extensions added when generating a CSR
#req_extensions     = req_ext

[ req_dn ]

countryName = CA
stateOrProvinceName = ON
localityName = Toronto
organizationName = Boss Insights
organizationalUnitName = CA
commonName = Boss Insights Certification Authority

[ req_ext ]

# Extensions added to the request

################ CA Section ################
# This is used with the 'openssl ca' command
# to sign a request

[ ca ]

default_ca = CA

[ CA ]

# Where OpenSSL stores information

dir             = .                             # Where everything is kept
certs           = $dir                          # Where the issued certs are kept
crldir          = $dir                          # Where the issued crl are kept

new_certs_dir   = $certs
database        = $dir/index
certificate     = $certs/rootcrt.pem
private_key     = $dir/rootprivkey.pem
crl             = $crldir/crl.pem   
serial          = $dir/serial.txt
RANDFILE        = $dir/.Rand

# How OpenSSL will display certificate after signing
name_opt    = ca_default
cert_opt    = ca_default

# How long the CA certificate is valid for
default_days = 3650
# default_startdate  = 180517000000Z
# default_enddate    = 181231235959Z

# The message digest for self-signing the certificate
# sha1 or sha256 for best compatability, although most
# OpenSSL digest algorithm can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256

# Subjects don't have to be unique in this CA's database
unique_subject    = no
# What to do with CSR extensions
copy_extensions    = copy

# Rules on mandatory or optional DN components
policy      = simple_policy

# Extensions added while singing with the `openssl ca` command
x509_extensions = x509_ext

[ simple_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
domainComponent         = optional
emailAddress            = optional
name                    = optional
surname                 = optional
givenName               = optional
dnQualifier             = optional

[ x509_ext ]

# These extensions are for a CA certificate

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

basicConstraints            = critical, CA:TRUE
# basicConstraints          = critical, CA:TRUE, pathlen:1

keyUsage = critical, keyCertSign, cRLSign

CAとして動作するときにOpenSSLに必要な2つのファイルを作成します。

touch index
echo 01 > serial.txt

(元のrootCA.keyを使用して)CA証明書リクエストを作成します。

openssl req -new -key rootCA.key -out rootCA.req -nodes -config root_create.cnf

以下を使用してCA証明書に自己署名します。

openssl ca -out rootCA.pem -keyfile rootCA.key -selfsign -config root_create.cnf  -in rootCA.req

これでCA証明書(rootCA.pem)が作成され、次のように表示できます。

openssl x509 -noout -text -in rootCA.pem

証明書(rootCA.pem)は、すべての依存パーティ(クライアント)のトラストアンカーストアに配布する必要があるものです。

これは、サーバー証明書(CSR)の署名に使用する証明書と秘密鍵でもあります。

証明機関を構成します。

root_sign.cnfというCSRに署名するための別のOpenSSL構成ファイルを作成します。

# OpenSSL config for CA signing only (not for CA cert generation)

[ ca ]

default_ca = CA

[ CA ]

# Where OpenSSL stores information

dir             = .                             # Where everything is kept
certs           = $dir                          # Where the issued certs are kept
crldir          = $dir                          # Where the issued crl are kept

new_certs_dir   = $certs
database        = $dir/index

certificate     = $certs/rootCA.pem
private_key     = $dir/rootCA.key

crl             = $crldir/crl.pem   
serial          = $dir/serial.txt
RANDFILE        = $dir/.Rand

# How OpenSSL will display certificate after signing
name_opt    = ca_default
cert_opt    = ca_default

# How long the certificate is valid for
default_days = 365
# default_startdate  = 180517000000Z
# default_enddate    = 181231235959Z

# The message digest for signing the certificate
# sha1 or sha256 for best compatability, although most
# OpenSSL digest algorithm can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256

# Subjects don't have to be unique in this CA's database
unique_subject    = no

# What to do with CSR extensions
copy_extensions    = copy

# Rules on mandatory or optional DN components
policy      = simple_policy

# Extensions added while singing with the `openssl ca` command
x509_extensions = x509_ext

[ simple_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
domainComponent         = optional
emailAddress            = optional
name                    = optional
surname                 = optional
givenName               = optional
dnQualifier             = optional

[ x509_ext ]
#Default extensions
# These extensions are for an end-entity certificate

# Extensions added when using the `openssl ca` command.
# This section is pointed to by `x509_extensions` above.

# These will override any requested extensions in the CSR:

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth

証明機関を運用します。

CSRに署名する:

openssl ca -in BossInsight.req  -cert rootCA.pem -keyfile rootCA.key -out BossInsight.pem -config root_sign.cnf

新しい証明書を表示するには:

openssl x509 -noout -text -in BossInsight.pem

すべて正しく実行した場合、証明書はサブジェクトの別名の拡張子を持つバージョン3になります。

提示されたCSRを使用して、この最後のセクションを繰り返すことができます。

3
garethTheRed