Security: unable to verify self-signed SAN certificate
I created a self-signed certificate following these instructions. However, the certificate always fails verification, and my TLS client program cannot set up a connection using it. Any idea why, and how to fix it? Below are the commands that generate the certificate, and the verification result:
$ openssl genrsa -out private.key 2048
$ openssl req -new -out public.csr -key private.key -config openssl.conf
$ openssl req -text -noout -in public.csr
$ openssl x509 -req -days 365 -in public.csr -signkey private.key -out public.crt -extensions v3_req -extfile openssl.conf
$ openssl verify -CAfile public.crt public.crt
public.crt: O = My Company, L = My Town, ST = State or Providence, C = US
error 20 at 0 depth lookup:unable to get local issuer certificate
Below is openssl.conf. The IP address has been partially masked.
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 1xx.1x.1xx.xxx
What you are generating is a self-signed root certificate. OpenSSL tries to verify the certificate by chaining it to a trusted root that is present in its certificate store. Since yours (apparently) is not in that store, it will always fail.

Here are three ways to get rid of the warning:

Disable certificate verification. This is generally a bad idea, because without certificate verification you have completely disabled the identity component of the TLS handshake. Use it only in development (and never let it leak into production!).

Add the root certificate to the trust store. This works if you are willing to install the certificate on every machine that needs to talk to this endpoint. (For OpenSSL, this is a ca_bundle file that lives in a distribution-specific location.)

Buy a certificate from a CA. The simplest option, but it also costs $$. If you do this, the site on which you install the certificate will be trusted globally.
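As an added example, not part of the question or the answer above, here is a shell script that does the answer's second option in miniature: it issues a self-signed certificate that carries a SAN in a single `openssl req -x509` step, then verifies it with `openssl verify` using the certificate itself as the trust anchor, and also checks the SAN against the address a client would connect to. It assumes OpenSSL 1.1.1 or newer (for `-addext` and `x509 -ext`); the subject names and the IP 192.0.2.10 (a documentation-range address) are constructed values.

```shell
#!/bin/sh
# Added example (not from the question or answer): issue a self-signed
# certificate that carries a subjectAltName and verify it with the
# certificate itself as the trust anchor, i.e. the answer's second option.
# Assumes OpenSSL 1.1.1 or newer (-addext, x509 -ext). The subject names
# and the IP 192.0.2.10 (documentation range) are constructed values.

SAN_IP=192.0.2.10

# make_san_cert DIR: write private.key and public.crt into DIR.
# `req -x509` signs the certificate in one step instead of CSR + `x509 -req`.
# It applies the x509_extensions section of the default config (v3_ca) and
# merges in the SAN given here, so the SAN ends up in the certificate, not
# only in the request.
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/private.key" -out "$1/public.crt" \
        -subj "/C=US/ST=State or Providence/L=My Town/O=My Company/CN=$SAN_IP" \
        -addext "subjectAltName=IP:$SAN_IP,DNS:localhost" 2>/dev/null
}

# show_san CERT: print the SAN entries actually present in the certificate.
show_san() {
    openssl x509 -noout -ext subjectAltName -in "$1"
}

# verify_as_anchor CERT IP: the question's `openssl verify -CAfile public.crt
# public.crt`, with -verify_ip added so the check also covers what a TLS
# client does: the peer address must appear in the SAN. Exit status 0 = OK.
verify_as_anchor() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1"
}

demo() {
    work=$(mktemp -d) || return 1
    make_san_cert "$work" || return 1
    show_san "$work/public.crt"
    verify_as_anchor "$work/public.crt" "$SAN_IP" || return 1   # prints "...public.crt: OK"
    # An address that is not in the SAN must be rejected even though the
    # certificate itself is trusted (expected: "IP address mismatch").
    if verify_as_anchor "$work/public.crt" 192.0.2.99 2>/dev/null; then
        echo "unexpected: mismatching IP accepted"; return 1
    fi
    rm -rf "$work"
}

demo
```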