IIS授予的个人CA签名证书"此证书不适用于所选目的"错误

时间:2015-04-27 22:30:17

标签: iis ssl https openssl ca

我使用OpenSSL创建了一个CA,并使用它为我的localhost签署证书,并在我的localhost,preview-localhost上签署了一个辅助DNS条目。 我已将CA证书安装到我的计算机上的受信任的根证书中,并将我的localhost证书添加到IIS。当我查看签名的localhost证书时,我看到了以下错误:

Signed localhost certificate Signed localhost path

已安装的CA证书表明它适用于其查看器上的所有颁发和应用程序策略。我已经为OpenSSL的两个证书都包含了输出。我已经替换了任何敏感(和一些不敏感的信息) < description text>。

CA证书

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        <Serial Number
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Validity
        Not Before: Apr 27 16:17:41 2015 GMT
        Not After : Apr 24 16:17:41 2025 GMT
    Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                <Modulus>
            Exponent: <Exponent>
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            <Subject Key Identifier>
        X509v3 Authority Key Identifier:
            keyid:<keyid>
        X509v3 Basic Constraints:
            CA:TRUE
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:preview-localhost
Signature Algorithm: sha256WithRSAEncryption
     <Signature>

本地主机证书

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        <Some Serial Number>
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Validity
        Not Before: Apr 27 18:09:18 2015 GMT
        Not After : Apr 26 18:09:18 2016 GMT
    Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
CN=localhost/emailAddress=<Email Address>
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)
            Modulus:
                <Modulus>
            Exponent: <Exponent>
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            <SKI>
        X509v3 Authority Key Identifier:
            keyid:<KEY ID>

        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:preview-localhost
Signature Algorithm: sha256WithRSAEncryption
     <Signature>

任何有助于了解我的本地主机证书无法遵循CA路径的帮助将非常感激。 谢谢!

1 个答案:

答案 0 :(得分:1)

创建CA时,您可能需要在openssl.cnf的X509_extensions部分指定以下keyUsage:

keyUsage = keyCertSign, cRLSign

为了澄清,您的配置文件应包含以下内容:

[ CA_default]
...
x509_extensions = ca_extensions
...
[ ca_extensions ]
keyUsage = keyCertSign, cRLSign
...

有关此流程的详细说明,请参阅How do you sign Certificate Signing Request with your Certification Authority?

相关问题
最新问题