
I created a self-signed certificate following these instructions: http://apetec.com/support/GenerateSAN-CSR.htm. But the certificate never verifies, and my TLS connection program cannot set up a connection using this certificate.

Any idea why, and how to fix it?

Here are the commands used to generate the certificate, and the verification result.

$ openssl genrsa -out private.key 2048
$ openssl req -new -out public.csr -key private.key -config openssl.conf
$ openssl req -text -noout -in public.csr 
$ openssl x509 -req -days 365 -in public.csr -signkey private.key -out public.crt -extensions v3_req -extfile openssl.conf
$ openssl verify -CAfile public.crt public.crt 
public.crt: O = My Company, L = My Town, ST = State or Providence, C = US
error 20 at 0 depth lookup:unable to get local issuer certificate

Here is openssl.conf. The IP address is partially redacted.

#
# OpenSSL configuration file.
#

# Establish working directory.

dir                 = .

[ ca ]
default_ca              = CA_default

[ policy_match ]
countryName             = match
stateOrProvinceName         = match
organizationName            = match
organizationalUnitName          = optional
commonName              = supplied
emailAddress                = optional

[ req ]
default_bits                = 1024          # Size of keys
default_keyfile             = key.pem       # name of generated keys
default_md              = md5               # message digest algorithm
string_mask             = nombstr       # permitted characters
distinguished_name          = req_distinguished_name
req_extensions              = v3_req

[ req_distinguished_name ]
# Variable name             Prompt string
#-------------------------    ----------------------------------
0.organizationName          = Organization Name (company)
organizationalUnitName          = Organizational Unit Name (department, division)
emailAddress                = Email Address
emailAddress_max            = 40
localityName                = Locality Name (city, district)
stateOrProvinceName         = State or Province Name (full name)
countryName             = Country Name (2 letter code)
countryName_min             = 2
countryName_max             = 2
commonName              = Common Name (hostname, IP, or your name)
commonName_max              = 64

# Default values for the above, for consistency and less typing.
# Variable name             Value
#------------------------     ------------------------------
0.organizationName_default      = My Company
localityName_default            = My Town
stateOrProvinceName_default     = State or Providence
countryName_default         = US

[ v3_ca ]
basicConstraints            = CA:TRUE
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always,issuer:always

[ v3_req ]
basicConstraints            = CA:FALSE
subjectKeyIdentifier            = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 1xx.1x.1xx.xxx

1 Answer


What you are generating is a self-signed root certificate. OpenSSL tries to verify a certificate by chaining it to a trusted root present in its certificate store. Since yours is (apparently) not in that store, it will always fail.

Here are three ways to get rid of the warning:

Disable certificate verification

This is usually a bad idea, because without certificate verification you have completely disabled the identity component of the TLS handshake. Use it only in development (and never let it leak into production!)

Add your root certificate to the trust store

This works if you are willing to install the certificate on every machine that needs to talk to this endpoint. (For OpenSSL, this is a ca_bundle file in a distribution-specific location.)

Buy a certificate from a CA

The simplest, but it costs $$$. If you do this, the site on which you install this certificate will be trusted globally.

answered 2013-05-22T22:19:06.330
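The second option above (trust the self-signed certificate explicitly), worked end to end as an added shell example that is not part of the question or the answer: it builds a self-signed certificate with an IP SAN in one `openssl req -x509` step, then shows `openssl verify` failing against the default store and succeeding once the certificate itself is given as the trust anchor. It assumes `openssl` (1.1.1 or 3.x) is on PATH; the IP 192.0.2.10, the DN and all file names are constructed for the example.

```shell
#!/bin/sh
# Added example: self-signed cert with a SAN, verified against the default
# trust store (fails) and against itself as the trust anchor (succeeds).
set -e

WORK="${TMPDIR:-/tmp}/selfsigned.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed config: non-interactive DN, plus an extension section that
# makes the cert a usable self-issued anchor (CA:TRUE and keyCertSign) and
# carries the IP the client will connect to in subjectAltName.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
O  = My Company
CN = 192.0.2.10

[ v3_self ]
basicConstraints     = CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = digitalSignature, keyEncipherment, keyCertSign
subjectAltName       = IP:192.0.2.10
EOF

# Key and self-signed certificate in one step (no CSR / x509 -req round trip).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -config "$WORK/openssl.cnf" -extensions v3_self \
    -keyout "$WORK/private.key" -out "$WORK/public.crt" 2>/dev/null

# Verify against the system trust store only. Prints 0 on success, 1 on failure.
verify_default_store() {
    openssl verify "$WORK/public.crt" >/dev/null 2>&1 && echo 0 || echo 1
}

# Verify with the certificate itself as the trust anchor, and also require
# that its SAN covers the IP the client will use.
verify_with_own_anchor() {
    openssl verify -CAfile "$WORK/public.crt" -verify_ip 192.0.2.10 \
        "$WORK/public.crt" >/dev/null 2>&1 && echo 0 || echo 1
}

echo "default store: $(verify_default_store)"   # 1: not in the store
echo "own anchor:    $(verify_with_own_anchor)" # 0: OK
```

The same pass/fail split is what a TLS client sees: point it at public.crt as its CA bundle (or install the file in the distribution's ca_bundle location) and the handshake verifies; leave the default store alone and it does not.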