Security: unable to verify self-signed SAN certificate (security, ssl, openssl, certificate) - Fatal编程技术网


I followed these instructions to create a self-signed certificate. However, the certificate always fails to verify, and my TLS client program cannot set up a connection with it.

Any idea why, and how to fix it?

Here are the commands used to generate the certificate, and the verification result:

$ openssl genrsa -out private.key 2048
$ openssl req -new -out public.csr -key private.key -config openssl.conf
$ openssl req -text -noout -in public.csr 
$ openssl x509 -req -days 365 -in public.csr -signkey private.key -out public.crt -extensions v3_req -extfile openssl.conf
$ openssl verify -CAfile public.crt public.crt 
public.crt: O = My Company, L = My Town, ST = State or Providence, C = US
error 20 at 0 depth lookup:unable to get local issuer certificate
Below is openssl.conf. The IP address is partially redacted.

#
# OpenSSL configuration file.
#

# Establish working directory.

dir                 = .

[ ca ]
default_ca              = CA_default

[ policy_match ]
countryName             = match
stateOrProvinceName         = match
organizationName            = match
organizationalUnitName          = optional
commonName              = supplied
emailAddress                = optional

[ req ]
default_bits                = 1024          # Size of keys
default_keyfile             = key.pem       # name of generated     keys
default_md              = md5               # message digest    algorithm
string_mask             = nombstr       # permitted characters
distinguished_name          = req_distinguished_name
req_extensions              = v3_req

[ req_distinguished_name ]
# Variable name             Prompt string
#-------------------------    ----------------------------------
0.organizationName          = Organization Name (company)
organizationalUnitName          = Organizational Unit Name (department, division)
emailAddress                = Email Address
emailAddress_max            = 40
localityName                = Locality Name (city, district)
stateOrProvinceName         = State or Province Name (full name)
countryName             = Country Name (2 letter code)
countryName_min             = 2
countryName_max             = 2
commonName              = Common Name (hostname, IP, or your name)
commonName_max              = 64

# Default values for the above, for consistency and less typing.
# Variable name             Value
#------------------------     ------------------------------
0.organizationName_default      = My Company
localityName_default            = My Town
stateOrProvinceName_default     = State or Providence
countryName_default         = US

[ v3_ca ]
basicConstraints            = CA:TRUE
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always,issuer:always

[ v3_req ]
basicConstraints            = CA:FALSE
subjectKeyIdentifier            = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 1xx.1x.1xx.xxx

What you are generating is a self-signed root certificate. OpenSSL tries to verify a certificate by chaining it to a trusted root that exists in its certificate store. Since yours (apparently) is not in that store, it will always fail.

Here are three ways to get rid of the warning:

1. Disable certificate verification

This is usually a bad idea, because without certificate verification you have completely disabled the identity component of the TLS handshake. Use it only in development (and never let it leak into production!)

2. Add the root certificate to the trust store

This works if you are willing to install the certificate on every machine that needs to talk to this endpoint. (For OpenSSL this is a ca_bundle file located in a distribution-specific place.)

3. Buy a certificate from a CA

The simplest, but it also costs $$. If you do this, the site on which you install the certificate will be globally trusted.