I am trying to create a self-signed certificate for localhost that includes a subjectAltName, so that it satisfies the requirements of Chrome 58+:
createcertificate.sh:
#!/usr/bin/env bash
# "<prefix>server" is used as the base name for the CSR, key and certificate.
filename="$1server"
# Generate the key and CSR; the SAN is requested through req_ext in ${filename}_csr.txt.
openssl req -new -sha256 -nodes -out "./../nginx/ssl/${filename}.csr" -newkey rsa:2048 -keyout "./../nginx/ssl/${filename}.key" -config <( cat "${filename}_csr.txt" )
# Sign the CSR with the local root CA.
openssl x509 -req -in "./../nginx/ssl/${filename}.csr" -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key -CAcreateserial -out "./../nginx/ssl/${filename}.crt" -days 500 -sha256
server_csr.txt:
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=your-administrative-address@your-awesome-existing-domain.com
CN = localhost
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
Calling ./createcertificate.sh:
server_csr.txt
Generating a 2048 bit RSA private key
.........................................................................................................+++
...............................+++
writing new private key to './../nginx/ssl/server.key'
-----
Signature ok
subject=/C=US/ST=New York/L=Rochester/O=End Point/OU=Testing Domain/emailAddress=your-administrative-address@your-awesome-existing-domain.com/CN=localhost
Getting CA Private Key
Enter pass phrase for /home/alexzeitler/ssl/rootCA.key:
But Chrome 58 still rejects the certificate:
This server could not prove that it is localhost; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection.
This is the output of openssl req -in ../nginx/ssl/server.csr -noout -text:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=New York, L=Rochester, O=End Point, OU=Testing Domain/emailAddress=your-administrative-address@your-awesome-existing-domain.com, CN=localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cf:ec:6d:54:6e:db:e0:9c:cd:17:c2:dd:bf:81:
1e:52:bb:62:27:04:f3:13:8e:01:69:47:fa:93:92:
57:b3:77:be:51:87:9b:c8:40:f1:28:de:df:cb:d2:
fd:87:fb:00:a1:c4:17:30:4c:9a:fd:e0:b6:d0:8c:
a0:c9:01:f4:71:5f:63:ee:6d:4c:5a:b4:4d:ca:60:
d4:0b:dc:6f:c1:2b:62:95:44:76:ec:45:bf:cb:39:
4a:0a:e4:f7:84:56:d0:1b:11:2c:e7:a8:b6:f6:bc:
46:89:bb:4b:44:3c:7d:9d:d8:cc:75:4c:4c:72:15:
b4:58:77:9b:38:61:72:4c:b2:45:55:a2:34:06:aa:
4c:9d:54:cb:a4:bf:58:26:88:11:81:17:a3:52:ab:
c8:38:f7:c5:55:78:af:d3:be:3f:70:95:79:d9:79:
10:45:5f:e9:10:e9:56:6f:b5:fa:b9:36:2e:c8:40:
c5:fa:86:66:12:82:ec:ab:45:75:54:ec:93:40:9f:
d1:cc:8f:18:31:8b:62:1c:20:da:6e:19:17:89:c5:
6f:c5:b9:23:a0:86:6e:70:f9:2a:b1:e3:87:dc:a2:
57:99:16:05:d4:85:01:43:34:48:d5:b4:39:35:63:
46:81:d2:f1:b8:66:e2:21:31:c3:8a:02:f7:8f:a9:
b4:8b
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:localhost
Signature Algorithm: sha256WithRSAEncryption
60:d7:11:95:45:9b:b6:35:ed:b7:31:2b:14:5d:c7:57:bb:cd:
fc:3b:c4:97:01:aa:46:4c:58:9b:f8:4c:44:e2:12:46:2d:69:
5f:95:10:02:fd:79:e1:30:cb:a9:f9:41:b2:a7:b6:fa:e3:2f:
e9:c6:7c:3e:3a:b1:db:64:b9:6e:ab:a1:98:82:0c:df:cf:b5:
e9:7f:17:f0:87:c9:09:15:ab:c8:9b:a2:d8:b3:37:a8:13:2e:
05:f5:ab:18:4c:cf:d9:6d:d0:05:c4:90:b5:0e:a5:c2:24:6d:
12:fb:e1:64:5c:d0:6f:5a:86:a3:d2:1f:b8:73:12:1e:39:28:
a9:50:a4:88:fb:e6:24:95:17:43:76:22:7d:57:48:af:84:36:
66:30:d8:3b:88:3b:4c:c5:44:fc:92:75:16:b6:9a:22:4b:cf:
b2:9b:19:e2:15:d4:9c:04:85:8d:7a:59:f7:13:7c:be:d4:4f:
c5:d8:02:79:ab:98:3f:91:0e:da:ba:8b:68:01:d3:71:cb:f0:
55:22:fe:f8:55:41:ef:ac:f4:55:48:06:ce:75:ba:33:5c:b2:
7b:f3:a7:b4:c3:ec:c0:52:ec:e1:56:64:84:cb:fa:a1:ca:0c:
c0:c3:87:e4:f4:c1:5b:8b:92:00:26:9d:a8:6b:35:58:1f:ad:
9e:91:ba:5b
So the Subject Alternative Name information does seem to be present in the CSR.
On the other hand, openssl x509 -text -in ../nginx/ssl/server.crt -noout outputs:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 17237690484651272010 (0xef38942aa5c5274a)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=New York, L=Rochester, O=End Point, CN=localhost/emailAddress=your-administrative-address@your-awesome-existing-domain.com
Validity
Not Before: Apr 23 15:42:28 2017 GMT
Not After : Sep 5 15:42:28 2018 GMT
Subject: C=US, ST=New York, L=Rochester, O=End Point, OU=Testing Domain/emailAddress=your-administrative-address@your-awesome-existing-domain.com, CN=localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:af:ee:7c:7a:2c:3c:5c:a6:57:ce:81:cf:22:49:
3c:d3:c4:6d:3a:71:a8:c7:cf:04:cc:68:4a:e6:03:
7c:9d:9d:49:c7:4f:8e:33:09:5b:73:9b:a0:21:51:
27:c6:e6:d0:ac:f5:5e:1d:4f:f8:60:9f:a1:50:1e:
dd:1f:bc:20:44:6f:42:c8:de:2a:6f:04:b7:21:aa:
cb:82:18:5e:fa:d8:68:5d:e5:c6:a0:cb:39:e3:91:
60:99:3f:ae:63:ab:9c:23:e9:03:0c:ca:10:23:8f:
76:e1:5c:55:10:b7:e1:e7:aa:e7:24:4d:49:ff:d0:
c7:67:f6:8a:1d:36:12:15:49:2d:33:c9:39:d4:3f:
7f:b6:a5:9e:ac:b5:55:75:aa:bc:7f:f4:c2:85:b4:
18:f1:76:3c:5e:a3:df:47:00:1c:e6:ac:d5:3c:f3:
ac:ff:f2:f0:7a:43:3f:63:bd:77:86:ea:3f:e5:35:
04:fa:3c:2a:0c:34:b5:36:ee:a0:b2:50:f9:08:31:
b8:76:27:af:c7:c6:5a:af:52:07:6f:c3:d6:6c:97:
6b:9b:cb:cd:c7:01:4f:33:7e:2f:09:06:b0:71:1a:
9a:9f:30:d4:c3:67:89:15:dc:df:ad:68:44:54:29:
26:d0:ca:8e:f6:eb:dd:f3:1a:74:63:89:b4:c5:72:
82:af
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
42:f7:c4:1e:47:dc:e7:81:3a:b0:83:a8:fd:51:53:32:f7:80:
76:b4:ec:a8:44:17:5a:18:29:68:9f:14:4a:1c:35:87:3e:7a:
13:95:0c:8b:5b:2f:f9:f0:42:56:51:9c:a9:9f:7f:77:45:7d:
6c:1d:1c:39:75:99:4a:c5:22:c4:d9:1d:11:bb:bf:7d:56:7b:
a7:18:fc:2a:c3:32:c1:72:3a:17:0e:1d:27:f1:f3:b6:72:91:
5d:38:64:6c:98:03:8b:17:88:ce:2c:a2:dc:2a:86:a0:e8:23:
e8:07:79:ac:05:62:b1:17:10:84:82:02:23:4a:10:9a:2a:b3:
9c:5d:05:71:31:43:f3:28:4e:28:bd:31:49:21:1f:39:b0:6b:
39:27:1c:1a:8e:b8:92:e9:e7:76:a2:e7:3e:6c:ba:fc:56:f1:
78:85:3f:68:ea:db:50:88:b4:8a:fc:ea:73:04:4b:8a:54:86:
5e:0d:fc:b4:70:72:c9:5a:c7:cf:cb:19:e2:9a:b9:af:c6:3e:
55:06:1c:7c:62:44:b3:e6:57:2b:0f:cc:33:9e:28:5f:62:85:
05:27:4c:f0:de:6c:d6:fb:e4:de:2f:41:99:34:b2:b1:7d:12:
b6:d6:96:a5:4b:c4:49:6b:49:bf:c5:86:e6:3c:3e:f3:e3:ef:
a9:d3:21:5e
The .crt does not contain a Subject Alternative Name.
rootCA.crt has been added to Chrome's trusted CA certificates (on Ubuntu).
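An added example, not part of the question above, showing the signing step done so that the SAN actually ends up in the certificate. The cause of the Version 1 certificate with no extensions is that `openssl x509 -req` does not carry the requested extensions over from the CSR unless it is told where to take extensions from (`-extfile`/`-extensions`, or `-copy_extensions copy` on OpenSSL 3.0+). The script below creates a throwaway root CA and a request config in a directory chosen by the caller, signs the CSR with an explicit `-extfile`, and returns how many `DNS:localhost` entries the issued certificate contains. The CA name, the file names and the 30-day lifetimes are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: issue a "localhost" certificate whose SAN survives signing.
set -euo pipefail

# Create a root CA, a CSR with a SAN and a signed leaf certificate inside "$1".
# Prints the number of DNS:localhost entries found in the issued certificate
# (1 when the fix works; 0 reproduces the original problem).
issue_localhost_cert() {
  local dir="$1"
  mkdir -p "$dir"

  # Throwaway root CA (constructed for this example; unencrypted so it runs unattended).
  openssl req -x509 -new -nodes -sha256 -days 30 -newkey rsa:2048 \
    -keyout "$dir/rootCA.key" -out "$dir/rootCA.pem" \
    -subj "/CN=Example Test Root CA" >/dev/null 2>&1

  # Request config with the same shape as server_csr.txt: SAN requested via req_ext.
  cat > "$dir/server_csr.txt" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
CN = localhost
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
EOF

  openssl req -new -sha256 -nodes -config "$dir/server_csr.txt" \
    -newkey rsa:2048 -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1

  # Extensions the CA stamps into the certificate. This file is the fix: without
  # -extfile, x509 -req silently drops the SAN from the CSR and emits a v1 certificate.
  cat > "$dir/server_ext.txt" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF

  openssl x509 -req -sha256 -days 30 -in "$dir/server.csr" \
    -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" -CAcreateserial \
    -extfile "$dir/server_ext.txt" -out "$dir/server.crt" >/dev/null 2>&1

  # Count the DNS SAN entries in the issued certificate (grep -c prints 0 on no match).
  openssl x509 -in "$dir/server.crt" -noout -text | grep -c 'DNS:localhost' || true
}
```

After running it, `openssl verify -CAfile "$dir/rootCA.pem" "$dir/server.crt"` should print `server.crt: OK`, and `openssl x509 -in "$dir/server.crt" -noout -text` should show `Version: 3 (0x2)` with an `X509v3 Subject Alternative Name` block listing `DNS:localhost`. Keep the SAN in the CSR as well if other tooling reads it, but remember that the CA, not the requester, decides which extensions go into the certificate.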