I created my own CA to sign a localhost certificate. Why does Chromium reject it? I have imported the certificate into Chromium.
Output of openssl x509 -text on the signed certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Tennessee, L = Knoxville, O = Demi Obenour, OU = Demi Obenour, CN = localhost, emailAddress = demiobenour@gmail.com
Validity
Not Before: Jun 4 03:19:59 2017 GMT
Not After : Jun 4 03:19:59 2018 GMT
Subject: C = US, ST = Tennessee, O = Demi Obenour, OU = Demi Obenour, CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:d1:7f:58:b7:e8:d2:ea:31:29:bd:89:f8:ce:23:
9a:39:63:f5:67:7f:93:a9:35:cf:d7:8e:c7:0e:58:
90:28:f3:95:f8:a1:24:72:b5:36:9b:3a:e5:72:35:
f5:6a:6a:22:20:1b:35:6c:25:43:84:fa:fa:b0:0c:
a6:23:79:55:48:41:de:2f:17:16:51:8c:3a:20:69:
ce:56:35:61:bf:35:2f:8f:dc:d1:5f:ca:56:86:b8:
0f:df:56:0a:2b:a0:21:e8:76:fe:59:f1:65:63:04:
63:eb:42:19:bc:30:aa:e9:67:cc:95:c3:74:43:62:
ba:2d:18:54:bd:68:c9:a4:59:03:98:ba:f4:d4:ab:
7b:9d:8a:36:dc:14:a9:d7:26:46:c3:c3:4b:9d:95:
8c:5b:0e:3d:b9:81:dd:b5:f8:37:b3:a8:9f:1c:93:
9a:37:d8:e1:ac:6d:a6:59:15:60:94:58:16:8b:18:
41:c6:1f:3a:f6:ce:e6:13:15:8d:54:63:ef:ad:32:
1f:21:a6:7b:05:6d:56:db:5f:a6:65:92:bd:ca:a8:
79:e1:5f:95:2b:1c:d3:15:cf:4d:0e:f0:be:2f:de:
47:e9:ca:b6:f6:85:a0:0a:af:f6:58:00:f2:9b:08:
47:4b:84:26:ba:1c:f8:93:8f:55:d7:31:5b:24:87:
a7:61:ef:f3:48:c9:cc:26:e3:37:3e:10:db:be:f4:
8a:8f:27:ff:35:76:ef:0b:11:c6:61:94:d3:e5:d2:
28:bf:2d:64:f0:75:9a:df:08:08:d4:1f:49:b8:9d:
66:64:43:86:50:01:0e:19:96:cf:89:3e:83:ca:40:
92:9c:d1:3f:d9:c9:ce:43:05:0b:0c:ce:4f:8e:3f:
6e:66:65:bc:1d:c7:26:81:93:5b:4b:29:97:4e:ca:
21:86:31:98:93:3b:9b:c7:11:0e:d5:6a:67:6a:48:
4c:62:c5:99:ae:41:a1:d2:8c:0e:25:50:dd:b4:6e:
00:8a:99:a6:e7:4c:2b:4d:ca:21:13:b6:fa:78:4b:
b7:12:fa:bb:70:c9:f0:5a:c5:dd:b5:fa:35:9c:10:
cd:6e:74:ce:97:12:07:e1:30:9f:f2:f3:bc:9f:5e:
41:40:66:e3:e2:95:d9:3c:76:80:8e:57:cf:7c:1e:
ba:2d:24:f0:a1:7e:c5:6f:aa:de:6c:1c:89:ac:7c:
3a:d5:10:72:82:67:b2:31:a0:c3:e3:7a:50:61:81:
80:44:1c:c7:fc:ed:bd:4b:38:42:87:a0:1e:db:d9:
c2:61:f8:95:78:9a:05:2a:5b:a9:4d:bf:81:e2:d0:
4e:5d:9e:98:29:0d:6f:d2:1e:12:17:05:43:93:82:
1d:0c:bf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME, Object Signing
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
8A:A9:62:8B:12:CE:43:8E:FB:36:60:90:C3:C9:26:91:B2:3E:7A:C6
X509v3 Authority Key Identifier:
keyid:43:6F:BC:BE:10:86:DE:AF:A9:39:65:5D:29:3C:10:47:F3:30:34:B4
X509v3 Subject Alternative Name:
DNS:localhost, DNS:localhost
Signature Algorithm: sha256WithRSAEncryption
c3:bc:ee:e2:de:64:53:2b:3a:54:4f:ba:dd:45:14:a2:99:f6:
00:95:3e:d5:05:b1:97:27:0b:40:d0:95:51:72:63:c4:89:22:
d9:3d:1d:0a:77:ec:82:93:93:45:43:81:b1:3e:3e:6c:9c:60:
b8:00:c1:c1:7c:07:f0:e4:79:6f:d9:14:1d:e6:61:62:c6:32:
00:15:63:60:6b:ab:58:7c:8e:6f:5e:a9:38:c4:4b:2c:ae:bb:
35:b8:53:e1:d7:88:96:35:b7:f5:d8:3a:cd:b2:bf:6f:32:0f:
f5:ea:36:85:60:fa:24:b6:f1:ed:2f:af:fc:af:51:65:2f:b0:
e6:cd:28:22:26:27:ec:2d:e5:f4:fd:b1:55:3f:2d:4c:03:2a:
65:a4:4c:af:d1:4c:d0:0f:52:d0:54:c5:5a:0c:28:3e:69:19:
7b:40:a2:e4:fd:55:57:f7:0d:2e:3f:a4:2f:48:97:55:df:21:
f9:c8:8a:44:63:e4:c8:8b:5e:2b:87:07:a3:a6:df:b4:77:26:
bf:bf:76:00:32:99:87:dc:c5:8c:b2:28:3a:62:e3:8d:f4:4e:
34:e0:7d:89:f6:d6:93:03:df:05:73:86:d6:43:e7:db:be:66:
de:cd:3b:72:99:a7:cd:b7:e6:a7:86:75:5d:c1:dc:80:ba:b0:
50:86:21:1a
Output of openssl x509 -text on the CA certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
db:5f:d9:ca:98:3e:71:43
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Tennessee, L = Knoxville, O = Demi Obenour, OU = Demi Obenour, CN = localhost, emailAddress = demiobenour@gmail.com
Validity
Not Before: Jun 2 14:46:38 2017 GMT
Not After : May 31 14:46:38 2027 GMT
Subject: C = US, ST = Tennessee, L = Knoxville, O = Demi Obenour, OU = Demi Obenour, CN = localhost, emailAddress = demiobenour@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:de:7d:fe:44:3b:04:d0:57:f3:44:1f:49:2e:d1:
a6:10:df:cb:98:e2:6a:b3:e7:5e:8a:6e:58:a8:5f:
23:8d:40:53:cf:bc:3d:9d:e7:7d:db:59:16:0c:53:
0e:f1:56:4f:b0:9a:bb:64:f4:be:76:e2:fc:79:5f:
c8:2d:eb:0b:ec:a9:58:b6:4a:17:57:6d:1d:d4:c6:
d8:e4:3b:4c:24:7b:ba:fa:4f:c5:95:af:c8:cc:38:
81:08:3a:09:d6:98:88:27:9f:9f:4f:ac:36:bd:4c:
fa:8c:65:43:f6:57:03:78:2c:c0:b1:69:2c:6a:76:
a3:e4:fc:f7:0c:c7:2c:79:7e:0e:1e:c9:c4:88:65:
60:27:78:ca:02:32:04:03:ab:1a:de:42:c7:d1:58:
89:31:af:f2:47:ac:e7:e4:c4:47:2f:22:91:16:64:
dc:b8:34:5f:6f:24:6e:e8:80:ed:ca:1a:7c:7a:81:
6a:fe:a6:6c:27:af:7e:4e:92:76:81:fd:d0:32:a4:
7b:ca:19:21:c6:a1:ad:4a:ca:52:60:00:70:14:82:
eb:22:74:d4:d6:a2:6d:c8:2b:cd:9a:cb:7a:03:74:
7e:f6:85:1e:03:29:34:1f:c5:32:bf:c1:e0:0e:b0:
1b:41:56:10:a0:1f:5f:b8:2d:b0:16:fb:aa:81:f6:
cf:2b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
43:6F:BC:BE:10:86:DE:AF:A9:39:65:5D:29:3C:10:47:F3:30:34:B4
X509v3 Authority Key Identifier:
keyid:43:6F:BC:BE:10:86:DE:AF:A9:39:65:5D:29:3C:10:47:F3:30:34:B4
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
02:0f:a6:1b:bb:89:dd:7f:15:5a:65:a9:f1:ed:19:07:db:63:
6e:f5:68:d0:10:97:8d:9c:86:94:ba:5b:e7:a5:43:7a:65:fc:
0c:88:03:ec:7e:be:25:bc:82:56:bb:a5:ce:a2:82:21:42:4e:
db:58:d3:d4:62:67:cd:86:18:3d:ca:af:de:7a:e8:13:53:b7:
61:0c:0c:b8:01:54:1e:58:67:54:0e:e8:d8:cd:25:5b:01:94:
00:28:5c:80:02:f1:56:53:9e:32:de:d8:73:6f:e2:b1:2e:b5:
f1:15:f9:c4:8b:b2:54:0d:59:79:b0:d3:d8:b8:3b:03:47:b4:
c5:55:38:19:b6:d8:cc:a8:5e:10:42:5e:a7:e3:cf:8d:bb:e4:
ff:c8:e0:2f:2b:67:3e:95:db:10:0f:7f:7b:83:51:2c:c4:f3:
49:ff:3c:21:33:14:aa:cf:77:28:29:91:04:3c:d8:49:e9:00:
82:f2:51:5e:da:74:3f:b8:99:8f:b8:54:b4:11:d6:4c:1e:98:
84:a5:e0:91:85:90:0d:95:3f:94:b2:a4:d3:d5:31:ec:f7:3d:
88:dd:54:3c:26:1a:35:12:b7:14:ce:86:7b:0a:a5:f3:eb:1a:
05:49:ad:b0:2e:ca:6c:65:b8:bd:59:76:82:2a:49:7f:79:99:
01:b1:c5:cb
Edit: the error is NET::ERR_CERT_INVALID
Answer 0 (score: -1)
Server certificate:
X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
Key Encipherment is RSA key transport. Key transport is now frowned upon, and the move is towards algorithms with forward secrecy. Chrome may have a problem with it.
The server's certificate is also missing the Extended Key Usage (EKU) for server authentication. I seem to recall that the CA/B Baseline Requirements require it. Chrome may have a problem with it.
This looks unusual, but I don't think it will cause a failure:
X509v3 Subject Alternative Name: DNS:localhost, DNS:localhost
CA certificate:
The CA certificate is missing Key Usage, so the problem may be that the CA is not permitted to issue certificates. In effect, you have a CA that cannot do anything.
Putting a hostname in the CA's Subject Common Name is unusual. I guess there is something not quite right in your openssl.conf file:
Issuer: C = US, ST = Tennessee, ..., CN = localhost, emailAddress = demiobenour@gmail.com
See also How do you sign Certificate Signing Request with your Certification Authority and How to create a self-signed certificate with openssl?. The answers detail the bits required in the certificate and the standards behind them.
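The points raised above (a CA that lacks Key Usage, a leaf without EKU serverAuth, a Netscape Cert Type that omits SSL Server, a hostname in the CA's CN) can be checked end to end with the OpenSSL CLI. The script below is an added example, not code from the question or the answer: it writes an openssl config with a proper CA profile and a server profile, issues a localhost leaf, and then verifies it with openssl verify -purpose sslserver. It also issues a second leaf that copies the question's extension set (nsCertType client/email/objsign, no EKU) to show that OpenSSL's sslserver purpose check rejects that combination while a plain chain verification still passes. It assumes OpenSSL 1.1.1 or later on PATH; the subject names, file names and the WORK directory are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway CA whose key
# usage permits certificate signing, issue a "localhost" leaf that carries
# CA:FALSE, key usage, EKU serverAuth and a SAN, and verify the chain with
# OpenSSL's sslserver purpose check. A second leaf copies the question's
# extension set (nsCertType without "server", no EKU) to show that check
# rejecting it. Assumes OpenSSL 1.1.1+ on PATH; all names are illustrative.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; override with WORK=/path
CONF="$WORK/openssl.cnf"

cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
# Placeholder only; every command below passes -subj explicitly.
CN = placeholder

# Profile for the self-signed CA: it may sign certificates and CRLs, nothing else.
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Profile for the localhost server (leaf) certificate.
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:localhost, IP:127.0.0.1

# Profile copying the question's leaf: Netscape cert type without "server",
# and no extendedKeyUsage at all.
[ v3_like_question ]
basicConstraints = CA:FALSE
nsCertType = client, email, objsign
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = DNS:localhost
EOF

# Sign the server CSR with the demo CA under the named extension profile.
issue() {   # issue <extension section> <output PEM>
    openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$CONF" -extensions "$1" -out "$2" 2>/dev/null
}

build_pki() {
    # CA key and self-signed CA certificate; the CN is deliberately not a hostname.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/O=Demo Local Dev/CN=Demo Local Dev CA" -config "$CONF" -extensions v3_ca
    # Server key and CSR. The CN is kept for display only; current Chromium
    # matches hostnames against the SAN, which the profile supplies.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
    openssl req -new -sha256 -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=localhost" -config "$CONF"
    issue v3_server        "$WORK/server.pem"
    issue v3_like_question "$WORK/like_question.pem"
}

# True if the text dump of <pem> contains <pattern>.
cert_text_has() {   # cert_text_has <pem> <pattern>
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# Verify <leaf> against the demo CA; extra arguments go to openssl verify.
verify_chain() {    # verify_chain <leaf pem> [openssl verify options]
    leaf="$1"; shift
    openssl verify "$@" -CAfile "$WORK/ca.pem" "$leaf" >/dev/null 2>&1
}

outcome() { if "$@"; then echo OK; else echo REJECTED; fi; }

build_pki
echo "CA key usage allows Certificate Sign: $(outcome cert_text_has "$WORK/ca.pem" 'Certificate Sign')"
echo "leaf carries EKU serverAuth:          $(outcome cert_text_has "$WORK/server.pem" 'TLS Web Server Authentication')"
echo "good leaf, -purpose sslserver:        $(outcome verify_chain "$WORK/server.pem" -purpose sslserver)"
echo "question-like leaf, no purpose:       $(outcome verify_chain "$WORK/like_question.pem")"
echo "question-like leaf, -purpose sslserver: $(outcome verify_chain "$WORK/like_question.pem" -purpose sslserver)"
echo "generated files are in $WORK"
```

The last two lines of output are the useful contrast: a bare openssl verify accepts the question-like leaf because it is correctly signed by a CA:TRUE issuer, while -purpose sslserver refuses it, since OpenSSL treats a present Netscape Cert Type without the SSL Server bit as a rejection for that purpose. A browser applies its own, stricter policy on top of that, so use ca.pem (not server.pem) as the trust anchor you import, and keep the leaf's EKU and SAN in place.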