I am trying to deploy on my nginx instance an SSL certificate signed by my own intermediate CA, which is itself signed by my own root CA.
I followed this very good OpenSSL guide very carefully to create my 3 certificates: the root CA, the intermediate CA and my leaf certificate.
When I connect with openssl to the running nginx instance, I get:
This is encouraging, because I can see that the certificate chain section contains 3 certificates.
However, only one PEM is served, and these messages do confirm that there is a problem with how the chain of trust is presented:
My nginx configuration is:
$ openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=2 C = FR, ST = France, L = Paris, O = Maugeri & Co, OU = Maugeri & Co Certificate Authority, CN = Maugeri & Co Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=FR/ST=France/L=Paris/O=Maugeri & Co/OU=Maugeri & Co Web Services/CN=www.example.com
i:/C=FR/ST=France/O=Maugeri & Co/OU=Maugeri & Co Certificate Authority/CN=Maugeri & Co Intermediate CA
1 s:/C=FR/ST=France/O=Maugeri & Co/OU=Maugeri & Co Certificate Authority/CN=Maugeri & Co Intermediate CA
i:/C=FR/ST=France/L=Paris/O=Maugeri & Co/OU=Maugeri & Co Certificate Authority/CN=Maugeri & Co Root CA
2 s:/C=FR/ST=France/L=Paris/O=Maugeri & Co/OU=Maugeri & Co Certificate Authority/CN=Maugeri & Co Root CA
i:/C=FR/ST=France/L=Paris/O=Maugeri & Co/OU=Maugeri & Co Certificate Authority/CN=Maugeri & Co Root CA
---
Server certificate
subject=/C=FR/ST=France/L=Paris/O=Maugeri & Co/OU=Maugeri & Co Web Services/CN=www.example.com
issuer=/C=FR/ST=France/O=Maugeri & Co/OU=Maugeri & Co Certificate Authority/CN=Maugeri & Co Intermediate CA
---
No client certificate CA names sent
---
SSL handshake has read 5286 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 282F0F1A393322D5EC760D85B61A3D5316EF7ECA4C22E9EF9CC05FFE82D73259
Session-ID-ctx:
Master-Key: E562CE13B5398E869F7493D1B731506F3B178DAF8AE0142A11A34CD1C88A15496C2BE608129469510EBE083038A8556C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1503749297
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
The file ca-intermediate-cert-chain.cert.pem contains the 3 PEMs in this order (since nginx starts without any error, this should be fine):
server {
listen 443;
server_name www.example.com;
root html;
index index.html index.htm;
ssl on;
ssl_certificate /root/ca/intermediate/certs/ca-intermediate-cert-chain.cert.pem;
ssl_certificate_key /root/ca/intermediate/private/www.example.com.key.pem;
[...]
}
}
Locally, I can successfully verify my leaf certificate against the CA:
-----BEGIN CERTIFICATE-----
[Root CA certificate PEM]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate CA certificate PEM]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Leaf certificate PEM]
-----END CERTIFICATE-----
Do you have any idea what is wrong with my configuration?
Thanks in advance!
My configuration:
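An added check, not part of the question and not nginx's own code: it parses each certificate in a PEM bundle just far enough to read the DER-encoded issuer and subject names, then reports whether the bundle is ordered the way nginx's ssl_certificate expects (server certificate first, each certificate followed by the one that issued it). The certificates produced by fake_cert_pem are constructed, unsigned stand-ins carrying only a CN, used here so the check runs offline; on a real bundle call check_chain(open(path).read()).

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(data, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) as raw DER Name bytes of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                            # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)                          # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                                # optional explicit [0] version
        pos = _tlv(der, pos)[2]
    pos = _tlv(der, pos)[2]                             # serialNumber
    pos = _tlv(der, pos)[2]                             # signature AlgorithmIdentifier
    _, i0, i1 = _tlv(der, pos)                          # issuer Name
    pos = _tlv(der, i1)[2]                              # validity
    _, s0, s1 = _tlv(der, pos)                          # subject Name
    return der[i0:i1], der[s0:s1]

def check_chain(pem_text):
    """List ordering problems in a PEM bundle for nginx's ssl_certificate (empty = OK)."""
    certs = [base64.b64decode(b) for b in PEM_RE.findall(pem_text)]
    if not certs:
        return ["no certificates found"]
    problems = []
    issuer, subject = names(certs[0])
    if issuer == subject:
        problems.append("first certificate is self-signed: bundle starts with the root, not the leaf")
    for i in range(len(certs) - 1):                     # each cert must be issued by the next one
        if names(certs[i])[0] != names(certs[i + 1])[1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    return problems

# Constructed sample data: minimal unsigned certificates carrying only a CN (not real certs).
def _der(tag, payload):
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n])) + payload

def fake_cert_pem(subject_cn, issuer_cn):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

For a bundle built as root, intermediate, leaf (the order listed in the question) check_chain reports three problems; for leaf, intermediate, root it returns an empty list.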