5

Openssl 生成 invalid_purpose 时会查看哪些证书字段?

我正在使用 OpenSSL 生成证书。

首先我生成一个主证书,然后是客户端证书。现在,当我尝试连接服务器时,它会生成 Invalid_Purpose。

4

2 回答 2

12

有一个扩展keyUsage指定可以用证书做什么。请注意,某些程序不使用此字段。

来自 X509 文档:

X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
    the supplied certificate cannot be used for the specified purpose.

手册页x509v3_config(5)列出了参数的可能值以及另一个调用的值extendedKeyUsage

Key Usage.
    Key usage is a multi valued extension consisting of a list of names of
    the permitted key usages.

    The supporte names are: digitalSignature, nonRepudiation,
    keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign,
    encipherOnly and decipherOnly.

    Examples:
     keyUsage=digitalSignature, nonRepudiation
     keyUsage=critical, keyCertSign 

Extended Key Usage.
    This extensions consists of a list of usages indicating purposes for
    which the certificate public key can be used for,

    These can either be object short names of the dotted numerical form of
    OIDs.  While any OID can be used only certain values make sense. In
    particular the following PKIX, NS and MS values are meaningful:

     Value                  Meaning
     -----                  -------
     serverAuth             SSL/TLS Web Server Authentication.
     clientAuth             SSL/TLS Web Client Authentication.
     codeSigning            Code signing.
     emailProtection        E-mail Protection (S/MIME).
     timeStamping           Trusted Timestamping
     msCodeInd              Microsoft Individual Code Signing (authenticode)
     msCodeCom              Microsoft Commercial Code Signing (authenticode)
     msCTLSign              Microsoft Trust List Signing
     msSGC                  Microsoft Server Gated Crypto
     msEFS                  Microsoft Encrypted File System
     nsSGC                  Netscape Server Gated Crypto

    Examples:
     extendedKeyUsage=critical,codeSigning,1.2.3.4
     extendedKeyUsage=nsSGC,msSGC
于 2012-08-09T14:03:43.067 回答
2

在具体细节层面,您使用的 openssl.cnf 值可能还有其他用途,例如电子邮件。这就是为什么它们对您尝试建立的服务器连接无效的原因。

检查您的 openssl.cnf 内容,并查看 OpenSSL 源中提供的示例,以了解可能与连接到传统 Web 浏览器的库存 TLS Web 服务器一起使用的东西。

于 2017-09-03T15:03:47.397 回答