Updating the certificate authority fails verification in OpenSSL

Time: 2016-11-10 17:34:10

Tags: security ssl openssl certificate certificate-authority

I am re-issuing a ROOT CA (Certification Authority) to fix some information in its fields, but as you can imagine it could be the same case when the root certificate is close to its expiry time.

Of course, before going to production, I tested in a test environment with simple command lines (on Linux).

I used the very good information I found in Certification authority root certificate expiry and renewal.

I modified the procedure to make it more similar to my own.

I created an openssl_root.cnf file. I added some fields, like

 countryName             = optional 
 organizationName        = optional
 organizationalUnitName  = optional
 localityName            = optional
 stateOrProvinceName     = optional
 telephoneNumber         = optional
 mail                    = optional
 serialNumber            = optional
 commonName              = optional

and of course the parameters to be asked for (for example)

 [ req_distinguished_name ]
 mail                    = Email Address
 mail_max                = 60
 telephoneNumber         = Please submit yor Telf. Number
 telephoneNumber_max     = 13
 ...

The part that matters more to me, the extensions

 [root_ca]
 # Extensions for a typical CA RAIZ
 # It's a CA certificate
 basicConstraints       = critical, CA:true,  pathlen:1
 subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid
 keyUsage               = cRLSign, keyCertSign
 subjectAltName         = DNS.1:mycompany.com
 issuerAltName          = issuer:copy

 # CRLs & OCSP
 crlDistributionPoints  = @root_section
 authorityInfoAccess    = @ocsp_root
 certificatePolicies    = @PCs

 [ root_section ]
 URI.1                  = https://$root_ip/crl/cacrl.crl

 [ ocsp_root ]
 caIssuers;URI.0         = http://$root_ip/certificates/cacert.pem
 OCSP;URI.1              = http://$root_ip/ocsp

 [ PCs ]   #Certification Policy section
 policyIdentifier        = 1.3.5.8                  #fake OID
 CPS.1                   = http://$ip_local/dpc
 CPS.2                   = http://$ip_local/policy
 userNotice.1            = @notice

After that I execute the request with these commands

 openssl genrsa -out ca.key 4096
 openssl req -new -key ca.key -out ca.csr -config openssl_root.cnf -extensions root_ca -sha384

Here I fill in the fields and information of the DN... So I signed the root authority with

 openssl ca -days 3650 -in ca.csr -keyfile ca.key -selfsign -create_serial -config openssl_root.cnf -extensions root_ca -out ca.pem

I now have ca.pem (certificate) and ca.key (private key). Now I create a subordinate certificate authority

 openssl genrsa -out subca1.key 4096

Obviously, I created a new section in the cnf file for the subordinate authority, named v3_ca

 openssl req -new -key subca1.key -out subca1.csr -config openssl_root.cnf -extensions v3_ca -sha384

I fill in the fields and sign with

 openssl ca -days 3650 -in subca1.csr -keyfile ca.key -cert ca.pem -config openssl_root.cnf -extensions v3_ca -out

I now have subca1.pem and subca1.key

If I test it

 openssl verify -CAfile ca.pem -verbose subca1.pem
 subca1.pem: OK

Now I make the new (re-issued) authority. I must use the same private key ca.key...

 openssl req -new -key ca.key -out newca.csr -config openssl_root.cnf -extensions root_ca -sha384

When filling in the prompts I put some "updated" information in the fields, and then I sign

 openssl ca -days 3650 -in newca.csr -keyfile ca.key -selfsign -create_serial -config openssl_root.cnf -extensions root_ca -out newca.pem

If I test it now

 subca1.pem: C = VE, O = empresa 1, OU = Gerencia Criptografia, L = La Urbina, ST = Miranda, telephoneNumber = 02129889977, mail = pki@empresa1.com, serialNumber = J123453450, CN = PSC Subordinado Empresa 1 PRUEBA
 error 20 at 0 depth lookup:unable to get local issuer certificate

I looked at the public key and it is the same, as are the SubjectKeyIdentifier and AuthorityKeyIdentifier

 openssl x509 -in ca.pem -pubkey -noout
 -----BEGIN PUBLIC KEY-----
 ...
 -----END PUBLIC KEY-----

 openssl x509 -in newca.pem -pubkey -noout
 -----BEGIN PUBLIC KEY-----
 ...
 -----END PUBLIC KEY-----

Exactly the same...

But it doesn't match!

I think the problem could be in the SubjectKeyIdentifier / AuthorityKeyIdentifier, but if I look at both certificates they match.

Any help? Thanks
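A reproduction of the flow above as an added example, not part of the original post: it rebuilds the same steps with `openssl req -x509` and `openssl x509 -req` in place of `openssl ca` (so no CA database is needed), assumes openssl 1.1.1 or newer on PATH, and uses constructed file names, DNs and config. It shows that `openssl verify` looks the re-issued root up by the subordinate's issuer DN, so a root re-issued on the same key only verifies when its subject DN is kept byte-identical; edited DN fields give exactly the error 20 seen above even though the key, SKI and AKI all match.

```shell
#!/bin/sh
# Added example (not the original post's code): the post's flow rebuilt with
# `openssl req -x509` / `openssl x509 -req`, so no CA database is needed.
# Assumes openssl 1.1.1+ on PATH; file names, DNs and the config are constructed.
set -e
WORK=$(mktemp -d)
# Minimal root config in the post's style: a root_ca extension section.
printf '%s\n' "[req]" "distinguished_name = dn" "[dn]" "[root_ca]" \
  "basicConstraints = critical, CA:true" "keyUsage = critical, keyCertSign, cRLSign" \
  "subjectKeyIdentifier = hash" > "$WORK/root.cnf"
# Self-signed root on an existing key: $1 = key, $2 = subject DN, $3 = output.
make_root() {
  openssl req -x509 -new -key "$1" -sha256 -days 3650 -subj "$2" \
    -config "$WORK/root.cnf" -extensions root_ca -out "$3" 2>/dev/null
}
# Subordinate CA signed by root cert $1 / key $2, written to $3.
# Its AKI is keyid-only, as the post's root_ca section configures it.
make_subca() {
  openssl genrsa -out "$WORK/subca.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/subca.key" -subj "/O=Example/CN=Sub CA" \
    -config "$WORK/root.cnf" -out "$WORK/subca.csr" 2>/dev/null
  printf '%s\n' "basicConstraints = critical, CA:true, pathlen:0" \
    "keyUsage = critical, keyCertSign, cRLSign" "subjectKeyIdentifier = hash" \
    "authorityKeyIdentifier = keyid" > "$WORK/sub.ext"
  openssl x509 -req -in "$WORK/subca.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
    -days 3650 -sha256 -extfile "$WORK/sub.ext" -out "$3" 2>/dev/null
}
# Echoes "ok" when cert $2 chains to root $1, "fail" otherwise (the post's
# "error 20 ... unable to get local issuer certificate" outcome).
chains_to() {
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}
# The post's scenario: one key, an old root, a subordinate, two re-issued roots.
run_demo() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  make_root "$WORK/ca.key" "/O=Example/CN=Root CA" "$WORK/ca.pem"
  make_subca "$WORK/ca.pem" "$WORK/ca.key" "$WORK/subca1.pem"
  # Same key, "updated" subject fields: the subordinate's issuer DN no longer matches.
  make_root "$WORK/ca.key" "/O=Example/OU=Updated/CN=Root CA" "$WORK/newca.pem"
  # Same key, byte-identical subject DN (only serial and dates differ): still matches.
  make_root "$WORK/ca.key" "/O=Example/CN=Root CA" "$WORK/samedn.pem"
  echo "old root:       $(chains_to "$WORK/ca.pem" "$WORK/subca1.pem")"
  echo "edited-DN root: $(chains_to "$WORK/newca.pem" "$WORK/subca1.pem")"
  echo "same-DN root:   $(chains_to "$WORK/samedn.pem" "$WORK/subca1.pem")"
}
run_demo
```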

0 answers