Self-signed SAN certificate cannot be verified

Time: 2013-05-22 18:33:37

Tags: security ssl openssl certificate

I created a self-signed certificate following these instructions: http://apetec.com/support/GenerateSAN-CSR.htm. However, the certificate never verifies, and my TLS connection program cannot set up a connection using it.

Any idea why, and how to fix it?

Below are the commands used to generate the certificate, and the verification result.

$ openssl genrsa -out private.key 2048
$ openssl req -new -out public.csr -key private.key -config openssl.conf
$ openssl req -text -noout -in public.csr 
$ openssl x509 -req -days 365 -in public.csr -signkey private.key -out public.crt -extensions v3_req -extfile openssl.conf
$ openssl verify -CAfile public.crt public.crt 
public.crt: O = My Company, L = My Town, ST = State or Providence, C = US
error 20 at 0 depth lookup:unable to get local issuer certificate

Below is openssl.conf. The IP address has been partially redacted.

#
# OpenSSL configuration file.
#

# Establish working directory.

dir                     = .

[ ca ]
default_ca              = CA_default    # NOTE: no CA_default section exists below;
                                        # only matters if "openssl ca" is used

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 2048          # Size of keys (was 1024; 2048 is the
                                        # current minimum, and matches the
                                        # genrsa command used above)
default_keyfile         = key.pem       # name of generated keys
default_md              = sha256        # message digest algorithm (was md5;
                                        # MD5 signatures are rejected by
                                        # modern TLS stacks)
string_mask             = nombstr       # permitted characters
distinguished_name      = req_distinguished_name
req_extensions          = v3_req

[ req_distinguished_name ]
# Variable name                 Prompt string
#-------------------------      ----------------------------------
0.organizationName              = Organization Name (company)
organizationalUnitName          = Organizational Unit Name (department, division)
emailAddress                    = Email Address
emailAddress_max                = 40
localityName                    = Locality Name (city, district)
stateOrProvinceName             = State or Province Name (full name)
countryName                     = Country Name (2 letter code)
countryName_min                 = 2
countryName_max                 = 2
commonName                      = Common Name (hostname, IP, or your name)
commonName_max                  = 64

# Default values for the above, for consistency and less typing.
# Variable name                 Value
#------------------------       ------------------------------
0.organizationName_default      = My Company
localityName_default            = My Town
stateOrProvinceName_default     = State or Providence
countryName_default             = US

[ v3_ca ]
basicConstraints        = CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ v3_req ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
# keyUsage here has no keyCertSign. OpenSSL refuses to treat a certificate
# whose keyUsage lacks keyCertSign as an issuer, and that includes a
# self-signed certificate being used as its own issuer.
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName          = @alt_names

[ alt_names ]
IP.1 = 1xx.1x.1xx.xxx

1 answer:

Answer 0 (score: 0)

What you generated is a self-signed root certificate. OpenSSL tries to verify a certificate by chaining it to a trusted root present in its certificate store. Since yours (apparently) is not in that store, it will always fail.

Here are three ways to get rid of the warning:

Disable certificate verification

This is generally a bad idea, because without certificate verification you have completely disabled the identity component of the TLS handshake. Use it only in development (and never let it leak into production!).

Add the root certificate to the trust store

This works if you are willing to install the certificate on every machine that needs to talk to this endpoint. (For OpenSSL this is a ca_bundle file in a distribution-specific location.)

Buy a certificate from a CA

The simplest, but also the one that costs $$$. If you do this, the site you install this certificate on will be trusted worldwide.
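The following script is an added example; it is not code from the question or the answer above. It carries out the answer's "add the root certificate to the trust store" option end to end for the procedure shown in the question: a private root CA is created, a server certificate with its addresses in subjectAltName is issued from it, and `openssl verify` is run with the root as the CAfile. It also reproduces the question's error 20 by verifying the leaf against a CAfile that holds only the leaf, so the two outcomes can be compared. It assumes only that the `openssl` command-line tool (1.0.2 or newer, for `-verify_ip`) is on PATH; the file names, subject names, host name and IP address are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the question or answer): private root CA + SAN server
# certificate, verified against the root. Assumes the openssl CLI (1.0.2+) is on
# PATH; every name, host and address below is invented for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Two small config files. The root carries CA:TRUE and keyCertSign, which is what
# OpenSSL checks before accepting a certificate as an issuer; the server
# certificate is CA:FALSE and lists its names only in subjectAltName.
write_configs() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
O  = Example Lab
CN = Example Lab private root
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$WORK/server.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
O  = Example Lab
CN = web.example.test
[ v3_req ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
subjectKeyIdentifier = hash
subjectAltName       = @alt_names
[ alt_names ]
DNS.1 = web.example.test
IP.1  = 192.0.2.10
EOF
}

# Root key and self-signed root certificate: this is what goes into a trust store.
make_root() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -config "$WORK/ca.cnf" \
    -key "$WORK/ca.key" -out "$WORK/ca.crt"
}

# Server key, CSR, and a certificate signed by the root; the v3_req extensions
# (including the SAN) are taken from server.cnf at signing time.
issue_server_cert() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$WORK/server.cnf" \
    -key "$WORK/server.key" -out "$WORK/server.csr"
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.cnf" -extensions v3_req -out "$WORK/server.crt" 2>/dev/null
}

build_all() { write_configs; make_root; issue_server_cert; }

# Succeeds: the issuer of server.crt is present in the CAfile.
verify_against_root() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Same chain check with the SAN enforced: succeeds only for an address that is
# actually listed in subjectAltName (-verify_ip / -verify_hostname, 1.0.2+).
verify_for_ip() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Reproduces the question's failure: the CAfile holds only the leaf, its issuer
# cannot be found, and verify reports error 20 at depth 0. Returns 0 when that
# is exactly what happens.
leaf_alone_fails() {
  out=$(openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" 2>&1) && return 1
  printf '%s\n' "$out" | grep -q 'unable to get local issuer certificate'
}

# The SAN line of the issued certificate, e.g. "DNS:web.example.test, IP Address:192.0.2.10".
cert_san() {
  openssl x509 -in "$WORK/server.crt" -noout -text |
    sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

build_all
verify_against_root && echo "server.crt verified against ca.crt: OK"
leaf_alone_fails && echo "server.crt verified against itself: error 20, as in the question"
echo "SAN: $(cert_san)"
```

Install `ca.crt` (not `server.crt`) in the trust store of each client, and keep `ca.key` off the server entirely; the root only needs to exist when a new server certificate is issued.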