x509 certificate with an excluded subtree violation
I want to use self-signed x509 certificates in our test environment, so I followed the process described in Ivan Ristic's "OpenSSL Cookbook". Great resource. I also decided to go the private CA route.
However, Chrome complains that my site/https endpoint is not secure, with a "NET::ERR_CERT_AUTHORITY_INVALID" error. openssl s_client also raises a verification error: num=48: excluded subtree violation. Firefox gives me a "SEC_ERROR_CERT_NOT_IN_NAME_SPACE" error page.
I'm confused as to why there is an excluded subtree violation. With my limited knowledge (first time using the private CA features), I may have mistakenly assumed that my host.cnf has a SAN hostname that is permitted by the nameConstraints in my root-ca.conf? I'd appreciate any insight correcting my misunderstanding of the openssl config files.
RFC 5280, section "4.2.1.10. Name Constraints", states:
"DNS name restrictions are expressed as host.example.com. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, www.host.example.com would satisfy the constraint but host1.example.com would not."
But I have seen many SAN examples where the nameConstraints use the leading-dot notation, so I tried both DNS nameConstraints in my root-ca.conf. I was desperate, so I assumed either one would be correct...
Gory details:
I set up my root-ca and sub-ca config files and created the corresponding CSRs, root-ca.crt and sub-ca.crt, with the following commands:
(On the target machine; but I haven't found any docs saying this is required.)

openssl genrsa -aes128 -out host-private.key 2048
openssl req -new -key host-private.key -out host.csr -passin pass:XXXX -config host.cnf

Copied host.csr into my CA environment. I ran the following commands to create the root CA certificate:

openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext

Create the intermediate/subordinate CA certificate:

openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext

Then create the host certificate:

openssl ca -config sub-ca.conf -in host.csr -out host.crt -extensions server_ext

I created a chain certificate to deploy into my nginx environment: host.csr + sub-ca.crt + root-ca.crt
I also added root-ca.crt to the host's CA trust store. I am using nginx as an SSL/TLS-terminating reverse proxy for several internal services via the ngx_http_proxy module. I also added the generated root-ca.crt to the CA trust store of my Chrome installation. The site information Chrome shows has the correct root-ca, sub-ca and host certificate in the certificate hierarchy.
host.cnf:
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
# the use of -passin overrides this
input_password = PASSPHRASE

[dn]
CN = rt168openmbee.serc.stevens.edu
emailAddress = shespelt@stevens.edu
O = SERC
L = Hoboken
ST = NJ
C = US

[ext]
subjectAltName = DNS:rt168openmbee.serc.stevens.edu,IP:155.246.39.32

root-ca.conf:
[default]
name = root-ca
domain_suffix = serc.stevens.edu
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName = "US"
organizationName = "SERC"
commonName = "Root CA"

[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match

[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext

[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash

[crl_info]
URI.0 = $crl_url

[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url

[name_constraints]
permitted;DNS.0=serc.stevens.edu
permitted;DNS.1=.serc.stevens.edu
permitted;IP.0=155.246.39.0/255.255.255.0
excluded;IP.1=0.0.0.0/0.0.0.0
excluded;IP.2=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
noCheck = yes
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash

sub-ca.conf:
[default]
name = sub-ca
domain_suffix = serc.stevens.edu
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName = "US"
organizationName = "SERC"
commonName = "Sub CA"

[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = copy
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_c_o_match

[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 2048
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn

[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash

[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash

[crl_info]
URI.0 = $crl_url

[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url

[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash

Using openssl s_client -showcerts -connect, here are the retrieved certificates (the saved PEM certificates run through openssl x509 -text ...).
Host certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            29:d9:fb:61:7a:0f:ba:c3:51:28:a3:05:14:df:8a:b1
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = SERC, CN = Sub CA
        Validity
            Not Before: Jul 18 19:52:13 2019 GMT
            Not After : Jul 17 19:52:13 2020 GMT
        Subject: C = US, ST = NJ, O = SERC, CN = rt168openmbee.serc.stevens.edu, emailAddress = shespelt@stevens.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b9:19:1f:2b:2a:54:bc:7a:78:1c:13:33:09:8e:
                    12:e1:b5:f8:7c:58:f8:29:7e:b4:45:45:6b:5a:3f:
                    ac:41:f6:d6:bf:4a:08:77:a6:a0:94:dd:26:68:ed:
                    8a:ec:fc:e9:3e:db:98:45:0c:cf:8a:09:d6:46:14:
                    a7:bb:d2:f0:da:dd:db:7c:ed:31:7b:20:f7:7d:f0:
                    f9:13:1a:45:1b:ab:90:79:a7:d7:60:d2:94:70:0e:
                    79:4c:03:23:c0:b6:f7:dc:93:b4:c7:eb:6e:69:f1:
                    58:6c:14:07:98:4e:56:9d:01:39:d6:a1:be:da:a5:
                    76:83:aa:68:30:65:51:23:96:99:fe:05:9c:a7:61:
                    64:30:b1:f6:38:33:70:6d:8b:25:ce:d9:93:6e:b0:
                    5e:84:e8:71:4b:55:62:64:f1:6b:b4:ed:7b:dd:b7:
                    d9:b2:4a:24:29:bb:3b:ad:59:cc:4d:fb:84:6a:91:
                    45:e7:f1:cc:21:48:40:42:83:03:1e:07:6d:3f:c2:
                    a6:bf:8f:76:db:f8:9c:a2:a9:88:71:81:f5:d6:48:
                    d9:17:d9:0d:bb:9d:c5:24:bb:d8:58:93:85:1c:5f:
                    a4:39:df:8f:d6:9a:2a:2f:9c:34:bb:28:f0:87:fe:
                    df:9d:41:8a:0b:f6:c5:a3:0c:4c:6c:e1:f4:a6:89:
                    23:c1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.serc.stevens.edu/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.serc.stevens.edu:9081
            X509v3 Authority Key Identifier:
                keyid:FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://sub-ca.serc.stevens.edu/sub-ca.crl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                4F:60:83:45:A3:32:DB:C4:5C:AD:C1:BD:69:09:AF:E2:55:13:1A:6A
            X509v3 Subject Alternative Name:
                DNS:rt168openmbee.serc.stevens.edu, IP Address:155.246.39.32
    Signature Algorithm: sha256WithRSAEncryption
         07:d1:b6:ab:5d:b4:8a:f7:77:3c:57:06:f3:7c:69:a9:fa:85:
         d0:04:b6:3b:24:2b:32:9f:31:4e:33:3b:a9:ed:d8:3e:8a:cf:
         aa:19:be:84:86:42:86:9c:d3:c4:a6:35:2e:87:b5:10:40:d2:
         05:92:13:e1:e6:00:cc:42:f9:55:ff:14:ba:3e:0e:d8:3c:9b:
         d6:47:19:27:61:d3:c1:a4:9f:a9:80:c7:ae:68:c1:bf:a1:3c:
         fd:c6:cc:df:16:4e:0b:ca:22:3e:d1:5f:b6:9f:ee:38:84:3b:
         65:4d:86:d5:f3:df:03:7a:e1:13:ad:1e:62:8c:ad:ca:3c:d4:
         78:89:8a:91:c9:a8:85:58:fa:78:49:ff:94:b5:37:68:72:89:
         18:94:d7:08:ec:62:40:a5:35:1d:93:2c:7b:bf:b7:f1:b4:0f:
         57:a7:17:69:8d:fb:a4:7d:1f:7b:bd:8c:f6:32:a9:6a:e4:04:
         64:89:05:55:ee:43:cf:a3:51:67:35:6c:84:16:62:d3:6e:57:
         de:0b:e9:fb:e3:11:a7:ed:94:9e:1e:ef:ec:5f:c4:03:33:cf:
         0c:00:5c:8b:9f:ad:4e:b2:89:01:9f:be:49:9d:51:b8:2f:ba:
         f3:9d:70:80:69:e3:bf:95:d6:a3:07:ee:fa:8b:84:ac:78:50:
         7c:f3:08:0c

Intermediate CA certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:cb
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = SERC, CN = Root CA
        Validity
            Not Before: Jul 18 19:49:50 2019 GMT
            Not After : Jul 15 19:49:50 2029 GMT
        Subject: C = US, O = SERC, CN = Sub CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:be:90:03:fa:85:91:b7:0a:72:6c:0c:81:aa:6d:
                    19:c1:d6:40:a5:f9:c5:28:35:ce:d6:e1:70:ea:eb:
                    80:54:2b:ad:87:e5:67:b1:6c:94:df:14:e7:97:9f:
                    1d:00:a3:db:96:48:e1:76:6f:06:bf:3d:27:f8:62:
                    74:90:75:95:3c:f2:5d:40:d4:1b:11:61:f0:52:db:
                    9a:d9:7f:4e:04:76:7f:fa:4e:c2:f2:00:fc:79:fb:
                    0c:51:aa:b8:39:5a:9c:73:b5:1f:04:cd:76:5c:7b:
                    a2:4b:41:3e:14:47:e9:d4:b1:b5:46:3b:05:05:99:
                    cc:63:1e:d8:1c:3d:4a:5a:b4:23:23:3e:39:8a:78:
                    05:1a:44:ba:fd:a4:b5:98:05:a4:e0:b8:d8:f1:3a:
                    0a:09:54:2d:4d:db:09:df:88:1c:b4:73:a5:a7:41:
                    5d:f8:a8:ec:fc:52:b1:6f:36:22:1c:3e:e7:66:93:
                    90:a7:dc:32:50:21:60:31:57:51:09:76:50:15:f7:
                    fc:4e:b9:05:ae:b6:93:2e:f4:b0:44:aa:3c:73:a7:
                    1c:c5:87:d9:54:81:f3:97:42:df:08:77:0b:5d:dd:
                    01:04:be:5e:1a:94:57:4b:82:65:71:91:3b:ad:58:
                    82:b7:55:e7:c9:7e:ed:fd:59:0f:83:48:1a:33:d4:
                    95:c1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://root-ca.serc.stevens.edu/root-ca.crt
                OCSP - URI:http://ocsp.root-ca.serc.stevens.edu:9080
            X509v3 Authority Key Identifier:
                keyid:F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://root-ca.serc.stevens.edu/root-ca.crl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Name Constraints:
                Permitted:
                  DNS:serc.stevens.edu
                  DNS:.serc.stevens.edu
                  IP:155.246.39.0/255.255.255.0
                Excluded:
                  IP:0.0.0.0/0.0.0.0
                  IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
            X509v3 Subject Key Identifier:
                FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
    Signature Algorithm: sha256WithRSAEncryption
         ab:93:26:fa:85:ae:72:fa:e3:2d:65:9a:10:a5:c8:cc:e2:1c:
         c6:4d:40:53:80:c2:6f:67:24:4e:29:23:b9:75:6e:2f:7f:ce:
         7e:fb:2c:64:e8:e6:90:13:2d:39:da:13:3f:a9:71:5b:72:b1:
         3b:11:e5:aa:98:e6:cc:47:a7:95:dc:7a:c0:27:2f:52:1e:08:
         1f:34:b5:ab:1d:16:53:89:d4:b4:8a:d9:f7:ca:4d:7a:5a:bc:
         9a:16:ed:45:5d:18:2a:50:0b:57:12:ea:23:8a:b8:f1:2b:26:
         5b:1a:e8:7b:35:37:de:22:8f:cf:ae:f6:4f:7f:3e:88:0b:21:
         40:40:46:53:ad:83:6a:3a:26:ba:0e:28:ba:0c:8d:04:56:e3:
         59:d5:7d:13:06:d2:89:b1:5c:50:0c:54:60:09:bc:22:b8:96:
         e8:42:8c:a6:dd:47:86:6f:16:bd:a9:45:3f:b6:f1:4d:58:82:
         cf:e9:e2:e2:be:2b:2d:97:e5:0d:df:24:09:96:95:1d:1a:08:
         94:87:73:6c:61:1a:70:36:ae:55:79:a8:ae:58:66:0d:2a:94:
         32:27:91:bb:0a:5c:2f:64:b8:fe:a2:5f:3d:f7:d9:66:a9:2a:
         e4:6b:9b:7f:66:ba:7a:61:e6:57:4f:c8:8b:5c:74:d7:0b:db:
         a3:cb:d2:97:50:95:6f:34:64:24:ce:7a:0b:c3:dd:3a:7c:81:
         d1:48:5e:74:af:7f:9c:fc:73:3b:01:b9:a9:d7:67:87:7b:81:
         b0:99:9b:a5:29:1d:97:bb:70:61:48:32:13:e8:20:da:f5:7a:
         96:2b:c0:04:1f:b2:27:a3:cb:35:a0:63:08:e3:5b:8e:ae:87:
         60:c9:85:9e:b7:4a:a7:12:8f:81:3b:7d:5b:00:05:be:54:bd:
         49:4e:1c:73:0e:c7:51:27:40:82:63:e4:48:d5:94:f3:63:53:
         a1:84:5c:ca:3a:91:94:ca:23:de:65:48:5b:ff:7e:e6:79:8b:
         a1:bf:c0:2d:9f:91:b5:c5:66:3c:58:e8:b8:e9:8f:81:18:cb:
         7e:eb:46:4b:59:5d:d1:34:74:3f:92:c4:0d:9e:4a:ec:25:f4:
         48:f4:d8:c9:a1:8f:72:2f:a5:8b:a2:14:16:f1:84:41:9b:df:
         85:99:62:af:50:ab:c0:4d:4c:a9:7a:d0:31:24:4f:04:00:e3:
         16:bb:53:08:fa:66:8b:d5:15:2b:22:62:ac:64:38:c2:2f:c0:
         fa:ad:a1:be:b6:67:f6:f6:ac:af:a4:33:ea:4a:a0:8d:49:ad:
         35:3c:6f:ae:b3:b6:a0:e6:84:df:32:36:46:73:48:26:28:a2:
         10:9a:d2:2c:85:48:d7:d4

Root CA certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:ca
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = SERC, CN = Root CA
        Validity
            Not Before: Jul 18 19:47:30 2019 GMT
            Not After : Jul 15 19:47:30 2029 GMT
        Subject: C = US, O = SERC, CN = Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:c7:6a:ca:cb:b6:3b:23:63:f4:21:32:37:a6:b8:
                    ed:34:0a:06:38:06:7a:cf:3a:0a:6e:36:ef:81:d0:
                    01:2d:e7:ea:dc:d9:46:d7:45:f3:ed:84:ed:7e:20:
                    6a:e2:00:34:43:4e:2a:fc:2b:53:ef:d2:af:1e:25:
                    c9:ed:e0:34:d0:9a:03:c2:50:16:46:96:89:cb:6d:
                    43:b4:17:61:49:07:53:85:62:d6:27:b5:0a:b0:87:
                    3b:b6:e3:ba:f7:b9:35:77:37:bb:ae:a8:7e:04:0f:
                    54:e2:b3:26:b0:3f:65:01:27:fc:dc:ac:b6:3a:a4:
                    d0:ea:6a:d2:f5:c5:7c:be:43:0f:41:d1:9d:1c:1c:
                    61:e1:ba:af:03:95:30:10:a9:3d:52:64:ce:70:40:
                    bd:dc:0d:53:35:00:c1:e9:e1:68:fd:f5:d5:d1:a1:
                    e4:c7:c7:22:fb:56:6f:a6:e1:ea:48:e8:61:fb:8c:
                    76:28:8a:4e:18:84:ab:f3:9b:d5:49:7c:04:40:15:
                    83:4d:26:2b:33:92:84:7e:f2:75:1b:0b:4c:d6:54:
                    c3:f2:4a:9f:13:72:ab:9c:92:a4:42:77:99:00:25:
                    91:c1:b6:87:bd:fa:f1:07:f0:ce:72:0f:3c:be:bc:
                    79:58:f6:8b:6e:07:bc:5d:ee:23:be:0d:d5:d6:91:
                    22:f4:73:1b:4f:5f:cc:82:87:57:61:50:96:8c:69:
                    0b:ae:f7:40:47:7c:62:4e:2e:77:3e:8c:f1:41:7d:
                    e8:64:d5:bf:24:36:99:bb:0c:46:0e:28:7b:52:95:
                    7d:b8:f2:e5:91:0d:07:ea:cb:9c:9d:08:dd:1f:e2:
                    3a:02:6a:5b:36:d1:ff:b9:0f:a4:08:ed:12:38:7a:
                    0b:a1:68:7e:be:b1:bb:90:e2:6a:9f:33:8f:d4:d2:
                    8b:ba:84:db:f9:c6:d7:94:19:d5:cd:db:ce:b3:ba:
                    53:36:51:9a:16:12:57:f9:16:27:1e:23:3b:09:c0:
                    2b:d8:f3:cf:d7:d2:ec:2d:b0:fd:bf:dc:85:7d:cb:
                    9d:cc:e1:70:0d:2a:fd:43:4f:48:3d:89:09:33:2e:
                    6b:e8:f0:ba:ca:21:9c:32:79:a2:64:e1:dc:75:8b:
                    ed:0b:32:50:5b:b1:b5:0b:11:7a:d4:f0:d9:df:f7:
                    61:04:4a:c5:41:c7:0e:cb:e5:c7:1a:3c:6e:7b:63:
                    8b:bd:e5:f2:99:c8:2e:5c:e4:ed:a0:1d:b4:c1:64:
                    b8:71:27:23:23:2f:93:54:b4:d8:99:b5:a4:35:7b:
                    dd:82:ef:b4:ee:d4:fb:f4:91:58:af:5e:f2:8f:37:
                    9d:5a:9f:62:99:f9:26:31:d8:74:08:71:2f:bc:1d:
                    40:a6:43
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
    Signature Algorithm: sha256WithRSAEncryption
         16:77:4d:7b:ef:89:3d:31:45:07:8f:a3:c4:ad:ed:89:a0:9b:
         b6:ab:74:59:1a:fb:7b:48:e1:e0:3c:75:73:dc:e3:e2:1b:a3:
         74:a1:0d:37:ea:ac:85:fb:1c:e0:86:f1:86:ee:78:51:fd:4d:
         58:04:8b:5c:6b:b3:06:1c:07:04:a1:c5:51:a9:d1:4c:24:42:
         7c:ef:1e:35:c5:df:00:79:44:91:a1:f5:cb:71:5b:a7:85:b1:
         f3:36:3c:75:e7:f8:d5:29:85:18:2e:ff:79:e1:eb:1f:72:24:
         6a:36:a4:17:4e:76:4d:5d:d1:85:c4:18:c3:f4:83:07:10:3f:
         7a:e2:36:33:48:1d:da:5d:08:2a:59:4f:3a:97:74:b7:d8:97:
         85:b0:b1:82:f8:46:d5:df:75:d9:56:77:34:0e:26:d5:3a:eb:
         8b:02:5e:d1:c3:fd:16:22:1f:ab:86:76:c4:cf:5b:d5:d5:bd:
         da:70:76:9e:18:bd:2f:16:c0:89:fe:cc:e0:93:63:f0:23:65:
         37:4c:6c:f5:e4:a7:fd:b2:02:86:91:6a:f5:31:b2:93:cc:33:
         87:38:57:6b:55:59:7e:ed:02:13:5d:6f:4f:15:91:ac:7e:7f:
         52:57:35:de:ec:87:38:bf:fe:7e:bd:5d:3c:ef:43:a9:d1:13:
         ab:ed:6f:ac:cf:bf:7e:e8:35:0b:92:97:08:05:78:db:68:e0:
         b1:05:2a:49:6e:00:34:71:a5:0f:5b:1c:17:47:9e:23:6f:64:
         d7:f0:93:60:12:7f:6d:0a:cd:15:e7:de:72:c4:76:86:ef:4d:
         65:c6:2a:1a:c4:35:0e:08:07:c5:ee:34:aa:9e:e1:90:d4:66:
         87:0f:1f:32:fa:21:7e:4f:01:9b:6d:19:20:ed:e5:9d:1a:ee:
         b3:e6:c4:93:4b:a4:cc:62:db:65:c1:b9:3b:05:a8:45:38:87:
         29:6d:8c:86:86:7b:c5:3d:89:85:c8:8e:f5:da:7d:c5:89:31:
         49:7b:af:9e:ff:03:89:db:ac:65:c5:5f:78:0d:cf:91:6f:19:
         6a:e4:eb:b6:d5:46:ff:3b:8c:44:cd:00:7b:3c:ed:6f:f6:79:
         61:93:12:08:58:7c:d5:02:9b:a7:4c:a0:c6:1a:f8:d9:b1:b6:
         1e:77:75:1d:24:e8:d2:ff:61:ee:a8:85:e5:1b:49:cf:3c:91:
         56:ea:e5:0e:6e:39:96:d0:d4:b7:95:25:e3:1a:a3:82:26:c8:
         3f:53:47:fe:93:10:c4:bf:91:b5:7d:40:d2:2e:22:8e:7f:e5:
         8a:4c:6e:03:04:de:f7:81:95:fc:a9:0f:31:51:ab:21:9d:20:
         06:64:c2:9e:41:db:07:86

Your server certificate is invalid because you excluded its IP address in the CA certificate. Here is the relevant text from RFC 5280:
Any name matching a restriction in the excludedSubtrees field is invalid regardless of information appearing in the permittedSubtrees.
Just remove the excluded section from the CA certificate and everything should work. If the name constraints contain only a permitted section, all other names are prohibited anyway.
Read this blog post on how subtrees are handled.
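To make the "excluded wins over permitted" rule from the answer concrete, here is an added example (not code from the question, the answer, or OpenSSL) that re-implements the RFC 5280 section 4.2.1.10 subtree tests for dNSName and iPAddress in plain Python and runs them over the SANs and [name_constraints] entries copied from the post. It reproduces the excluded subtree violation on IP:155.246.39.32 under the original constraints and shows the leaf passing once the excluded entries are dropped, as the answer suggests; it also confirms the RFC's DNS rule quoted in the question (zero or more labels prepended) and the leading-dot "subdomains only" convention. All function and variable names are this example's own, and the check is deliberately limited to DNS and IP names (no rfc822Name, directoryName or URI constraints).

```python
"""RFC 5280 section 4.2.1.10 name-constraint check for dNSName and iPAddress.

Added, stand-alone example: re-implements the permitted/excluded subtree
logic so the "excluded subtree violation" from the question can be
reproduced without running a CA. SAN values and [name_constraints] entries
are copied from the post; every function and variable name is this
example's own.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# {"permitted": {name_type: [bases]}, "excluded": {name_type: [bases]}}
Constraints = Dict[str, Dict[str, List[str]]]
# ("DNS", "host.example.com") or ("IP", "10.0.0.1")
San = Tuple[str, str]


def dns_matches(name: str, base: str) -> bool:
    """dNSName subtree test.

    RFC 5280: a base of 'host.example.com' is satisfied by any name formed by
    prepending zero or more labels (host.example.com, www.host.example.com),
    but not by a different name such as host1.example.com. A base with a
    leading dot ('.example.com') is OpenSSL's config convention for
    'subdomains only'; the bare name then does not match (this mirrors
    OpenSSL's behaviour as understood here, not RFC text).
    """
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    if base.startswith("."):
        return name.endswith(base)  # only a strictly longer name can match
    return name == base or name.endswith("." + base)


def ip_matches(addr: str, base: str) -> bool:
    """iPAddress subtree test.

    A base is written 'network/mask' (the DER form is address bytes followed
    by mask bytes); the name matches when addr & mask == network & mask.
    A base of a different address family never matches.
    """
    net_text, mask_text = base.split("/")
    ip, net, mask = (ipaddress.ip_address(x) for x in (addr, net_text, mask_text))
    if not (ip.version == net.version == mask.version):
        return False
    return (int(ip) & int(mask)) == (int(net) & int(mask))


MATCHERS = {"DNS": dns_matches, "IP": ip_matches}


def check_name(kind: str, value: str, constraints: Constraints) -> Optional[str]:
    """Return None if the name is acceptable, otherwise the reason it is not.

    Evaluation order is the crux of the question: an excluded subtree wins
    regardless of permittedSubtrees, so 'IP:0.0.0.0/0.0.0.0' in excluded
    rejects every IPv4 SAN even though 155.246.39.0/24 is permitted. A name
    type with no entries in either list is unconstrained.
    """
    match = MATCHERS[kind]
    for base in constraints.get("excluded", {}).get(kind, []):
        if match(value, base):
            return f"excluded subtree violation: {kind}:{value} matches excluded {base}"
    permitted = constraints.get("permitted", {}).get(kind)
    if permitted and not any(match(value, base) for base in permitted):
        return f"permitted subtree violation: {kind}:{value} matches no permitted entry"
    return None


def check_sans(sans: List[San], constraints: Constraints) -> List[str]:
    """Check every SAN of a leaf certificate; an empty list means it passes."""
    problems = []
    for kind, value in sans:
        reason = check_name(kind, value, constraints)
        if reason:
            problems.append(reason)
    return problems


# SANs of the host certificate shown in the post
HOST_SANS: List[San] = [("DNS", "rt168openmbee.serc.stevens.edu"), ("IP", "155.246.39.32")]

# [name_constraints] as the post's root-ca.conf issued them into sub-ca.crt
ORIGINAL: Constraints = {
    "permitted": {
        "DNS": ["serc.stevens.edu", ".serc.stevens.edu"],
        "IP": ["155.246.39.0/255.255.255.0"],
    },
    "excluded": {
        "IP": ["0.0.0.0/0.0.0.0", "0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0"],
    },
}

# The answer's fix: keep the permitted subtrees, drop the excluded ones
FIXED: Constraints = {"permitted": ORIGINAL["permitted"], "excluded": {}}

if __name__ == "__main__":
    for label, constraints in (("original", ORIGINAL), ("fixed", FIXED)):
        problems = check_sans(HOST_SANS, constraints)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
    # The fix still rejects anything outside the permitted subtrees
    print("off-net IP under fixed constraints:", check_sans([("IP", "10.0.0.1")], FIXED))
```

The same evaluation order applies at every CA in the chain: a real validator intersects the constraints of each intermediate, and any excluded match anywhere in the path is fatal, which is why an "exclude everything, then permit my subnet" pattern can never work.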