SSL certificate cannot be trusted (COMODO)

Time: 2015-12-03 13:02:13

Tags: apache ssl centos certificate

I am preparing a server for PCI DSS. There are no other problems, but this one I cannot solve. The PCI scanner (https://www.hackerguardian.com/) says the SSL certificate cannot be trusted:

SSL Certificate Cannot Be Trusted 443 / tcp / www

I have removed all other certificates from the chain, leaving only the one bought specifically for this server. It is signed by COMODO, which is considered trustworthy. Here is the certificate dump:

openssl x509 -in /usr/local/psa/var/certificates/cert-f1nb7M -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e6:3c:e1:95:56:07:3c:f7:4c:5e:b3:bd:06:6d:37:f0
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Secure Server CA
        Validity
            Not Before: Nov 17 00:00:00 2015 GMT
            Not After : Dec  3 23:59:59 2017 GMT
        Subject: serialNumber=04045342/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization, C=GB/postalCode=BN27 2BY,
            ST=East Sussex, L=Hailsham/street=Station Road/street=Unit 10 Swan Business Centre, O=Fuss 3 Solutions Ltd,
            OU=COMODO EV SSL, CN=www.fuss3inkandtoner.co.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                ...................
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
            keyid:39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69

            X509v3 Subject Key Identifier:
                D1:C0:72:40:F1:A4:47:A6:FF:32:C4:56:6F:EF:F5:1E:40:6A:72:DC
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.1.5.1
                  CPS: https://secure.comodo.com/CPS

            X509v3 CRL Distribution Points:

                Full Name:
              URI:http://crl.comodoca.com/COMODORSAExtendedValidationSecureServerCA.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSAExtendedValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com

            X509v3 Subject Alternative Name:
                DNS:www.fuss3inkandtoner.co.uk, DNS:fuss3inkandtoner.co.uk
            1.3.6.1.4.1.11129.2.4.2:
            ............
    Signature Algorithm: sha256WithRSAEncryption
         ...............

The certificate is genuine, it has not expired and the domain name matches. I tried other online diagnostic tools, such as https://www.ssllabs.com/ssltest/analyze.html?d=fuss3inkandtoner.co.uk, and all of them say the certificate is fine. Everyone except hackerguardian.com, which I need to pass for PCI compliance.

I am not a system administrator, and this certificate was installed by someone else (I think the hosting support sysadmin). I need your advice on how to solve this. Thanks in advance.

2 answers:

Answer 0 (score: 0)

This is a false positive. It is very strange that the security scanner from COMODO (hackerguardian.com) reports a bad certificate issued by COMODO (!).

Answer 1 (score: 0)

This tool will clarify the problem you are having: https://decoder.link/sslchecker/?hostname=www.hackerguardian.com&port=443

The CA bundle installed alongside the certificate is malformed (wrong order). The certificate itself is good and valid, but its validity cannot be verified against the CA bundle, so this is to be expected.

Here is the correct bundle: http://helpdesk.ssls.com/hc/en-us/article_attachments/201576002/COMODO_OV_SHA-256_bundle.crt

You can pass this to your hosting provider so they can reinstall it for you. After that everything will be fine. Trust me :).
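The wrong-order bundle described in this answer can be caught before a scanner does, by checking that every certificate in the served chain is immediately followed by its issuer. The following POSIX shell check is an added example, not code from the question or either answer; it assumes only the openssl CLI, and the file names are placeholders for your own leaf certificate and CA bundle.

```shell
#!/bin/sh
# Added example (not from the question or answers): verifies that a PEM chain,
# given as files in the order Apache sends them (leaf first, then the CA
# bundle), has each certificate immediately followed by its issuer. A bundle
# in the wrong order leaves a valid leaf unverifiable, which is the scanner
# finding discussed above. Usage: check_chain_order leaf.pem ca-bundle.pem
# Assumes the openssl CLI is installed; the file names are placeholders.

# Print the subject or issuer of one PEM certificate in RFC 2253 form, without
# the "subject=" / "issuer=" prefix, so the two can be compared as strings.
cert_name() {  # $1 = subject|issuer, $2 = certificate file
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

check_chain_order() {
    tmp=$(mktemp -d)
    cat "$@" > "$tmp/chain.pem"
    # Split the concatenated PEM into cert1.pem, cert2.pem, ... in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$tmp/chain.pem"
    n=$(grep -c 'BEGIN CERTIFICATE' "$tmp/chain.pem" || true)
    if [ "$n" -lt 2 ]; then
        echo "need at least a leaf and one CA certificate, found $n"
        rm -rf "$tmp"; return 1
    fi
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(cert_name issuer "$tmp/cert$i.pem")
        subject=$(cert_name subject "$tmp/cert$j.pem")
        if [ "$issuer" != "$subject" ]; then
            echo "chain broken at certificate $i: issued by '$issuer'," \
                 "but certificate $j is '$subject'"
            rm -rf "$tmp"; return 1
        fi
        i=$j
    done
    echo "chain order OK: $n certificates, each followed by its issuer"
    rm -rf "$tmp"; return 0
}
```

The check compares names only; once the order is right, `openssl verify -CAfile <root> -untrusted <bundle> <leaf>` confirms the signatures as well.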