Certificate

x509 certificate with an excluded subtree violation

  • July 19, 2019

I wanted to use self-signed x509 certificates in our test environment, so I followed the process described in Ivan Ristic's "OpenSSL Cookbook". Great resource. I also decided to go the private CA route.

However, Chrome complains that my site/https endpoint is not secure, with a "NET::ERR_CERT_AUTHORITY_INVALID" error. openssl s_client also raises a verification error: num=48: excluded subtree violation. Firefox gives me a "SEC_ERROR_CERT_NOT_IN_NAME_SPACE" error page.

I am confused as to why there is an excluded subtree violation. With my limited knowledge (first time using the private CA features), I may be wrong in thinking that my host.cnf has a SAN hostname that is allowed by the nameConstraints in my root-ca.conf? I would appreciate any insight correcting my misunderstanding of the openssl configuration files.

RFC 5280 section "4.2.1.10. Name Constraints" states:

DNS name restrictions are expressed as host.example.com. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, www.host.example.com would satisfy the constraint but host1.example.com would not.

But I have seen many SAN examples where nameConstraints use the leading-dot notation, so I tried both DNS nameConstraints in my root-ca.conf. I was desperate, so I assumed either one would be correct...

The gory details:

I set up my root-ca and sub-ca configuration files and created the corresponding CSRs, root-ca.crt and sub-ca.crt with the following commands:

(on the target machine - but I haven't found any docs saying this is required)
openssl genrsa -aes128 -out host-private.key 2048
openssl req -new -key host-private.key -out host.csr -passin pass:XXXX -config host.cnf

Copied host.csr into my CA environment. I ran the following commands to create the root CA certificate:

openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext

Create the intermediate/subordinate CA certificate:

openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext

Then, create the host certificate:

openssl ca -config sub-ca.conf -in host.csr -out host.crt -extensions server_ext

I created a chain certificate to deploy into my nginx environment: host.csr + sub-ca.crt + root-ca.crt

I also added root-ca.crt to the host's CA trust store. I am using nginx as an SSL/TLS-terminating reverse proxy for several internal services via the ngx_http_proxy module. I also added the generated root-ca.crt to my Chrome installation's certificate trust store. The site information Chrome shows has the correct root-ca, sub-ca and host certificates in the certificate hierarchy.

host.cnf:

[req]
prompt = no
distinguished_name = dn
req_extensions = ext
# the use of -passin overrides this 
input_password = PASSPHRASE
[dn]
CN = rt168openmbee.serc.stevens.edu
emailAddress = shespelt@stevens.edu
O = SERC
L = Hoboken
ST = NJ
C = US
[ext]
subjectAltName = DNS:rt168openmbee.serc.stevens.edu,IP:155.246.39.32

root-ca.conf:

[default]
name                    = root-ca
domain_suffix           = serc.stevens.edu 
aia_url                 = http://$name.$domain_suffix/$name.crt
crl_url                 = http://$name.$domain_suffix/$name.crl
ocsp_url                = http://ocsp.$name.$domain_suffix:9080
default_ca              = ca_default
name_opt                = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName             = "US"
organizationName        = "SERC"
commonName              = "Root CA"

[ca_default]
home                    = .
database                = $home/db/index
serial                  = $home/db/serial
crlnumber               = $home/db/crlnumber
certificate             = $home/$name.crt
private_key             = $home/private/$name.key
RANDFILE                = $home/private/random
new_certs_dir           = $home/certs
unique_subject          = no
copy_extensions         = none
default_days            = 3650
default_crl_days        = 365
default_md              = sha256
policy                  = policy_c_o_match

[policy_c_o_match]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[req]
default_bits            = 4096
encrypt_key             = yes
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = ca_dn
req_extensions          = ca_ext

[ca_ext]
basicConstraints        = critical,CA:true
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash

[sub_ca_ext]
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:true,pathlen:0
crlDistributionPoints   = @crl_info
extendedKeyUsage        = clientAuth,serverAuth
keyUsage                = critical,keyCertSign,cRLSign
nameConstraints         = @name_constraints
subjectKeyIdentifier    = hash

[crl_info]
URI.0                   = $crl_url

[issuer_info]
caIssuers;URI.0         = $aia_url
OCSP;URI.0              = $ocsp_url

[name_constraints]
permitted;DNS.0=serc.stevens.edu
permitted;DNS.1=.serc.stevens.edu
permitted;IP.0=155.246.39.0/255.255.255.0
excluded;IP.1=0.0.0.0/0.0.0.0
excluded;IP.2=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
extendedKeyUsage        = OCSPSigning
noCheck                 = yes
keyUsage                = critical,digitalSignature
subjectKeyIdentifier    = hash

sub-ca.conf:

[default]
name                    = sub-ca
domain_suffix           = serc.stevens.edu
aia_url                 = http://$name.$domain_suffix/$name.crt
crl_url                 = http://$name.$domain_suffix/$name.crl
ocsp_url                = http://ocsp.$name.$domain_suffix:9081
default_ca              = ca_default
name_opt                = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName             = "US"
organizationName        = "SERC"
commonName              = "Sub CA"

[ca_default]
home                    = .
database                = $home/db/index
serial                  = $home/db/serial
crlnumber               = $home/db/crlnumber
certificate             = $home/$name.crt
private_key             = $home/private/$name.key
RANDFILE                = $home/private/random
new_certs_dir           = $home/certs
unique_subject          = no
copy_extensions         = copy
default_days            = 365
default_crl_days        = 30
default_md              = sha256
policy                  = policy_c_o_match

[policy_c_o_match]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[req]
default_bits            = 2048
encrypt_key             = yes
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = ca_dn

[server_ext]
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
crlDistributionPoints   = @crl_info
extendedKeyUsage        = clientAuth,serverAuth
keyUsage                = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier    = hash

[client_ext]
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
crlDistributionPoints   = @crl_info
extendedKeyUsage        = clientAuth
keyUsage                = critical,digitalSignature
subjectKeyIdentifier    = hash

[crl_info]
URI.0                   = $crl_url

[issuer_info]
caIssuers;URI.0         = $aia_url
OCSP;URI.0              = $ocsp_url

[ocsp_ext]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
extendedKeyUsage        = OCSPSigning
keyUsage                = critical,digitalSignature
subjectKeyIdentifier    = hash

Using openssl s_client -showcerts -connect, here are the retrieved certificates (the saved PEM certificates were run through openssl x509 -text ...).

Host certificate:

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           29:d9:fb:61:7a:0f:ba:c3:51:28:a3:05:14:df:8a:b1
       Signature Algorithm: sha256WithRSAEncryption
       Issuer: C = US, O = SERC, CN = Sub CA
       Validity
           Not Before: Jul 18 19:52:13 2019 GMT
           Not After : Jul 17 19:52:13 2020 GMT
       Subject: C = US, ST = NJ, O = SERC, CN = rt168openmbee.serc.stevens.edu, emailAddress = shespelt@stevens.edu
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               RSA Public-Key: (2048 bit)
               Modulus:
                   00:b9:19:1f:2b:2a:54:bc:7a:78:1c:13:33:09:8e:
                   12:e1:b5:f8:7c:58:f8:29:7e:b4:45:45:6b:5a:3f:
                   ac:41:f6:d6:bf:4a:08:77:a6:a0:94:dd:26:68:ed:
                   8a:ec:fc:e9:3e:db:98:45:0c:cf:8a:09:d6:46:14:
                   a7:bb:d2:f0:da:dd:db:7c:ed:31:7b:20:f7:7d:f0:
                   f9:13:1a:45:1b:ab:90:79:a7:d7:60:d2:94:70:0e:
                   79:4c:03:23:c0:b6:f7:dc:93:b4:c7:eb:6e:69:f1:
                   58:6c:14:07:98:4e:56:9d:01:39:d6:a1:be:da:a5:
                   76:83:aa:68:30:65:51:23:96:99:fe:05:9c:a7:61:
                   64:30:b1:f6:38:33:70:6d:8b:25:ce:d9:93:6e:b0:
                   5e:84:e8:71:4b:55:62:64:f1:6b:b4:ed:7b:dd:b7:
                   d9:b2:4a:24:29:bb:3b:ad:59:cc:4d:fb:84:6a:91:
                   45:e7:f1:cc:21:48:40:42:83:03:1e:07:6d:3f:c2:
                   a6:bf:8f:76:db:f8:9c:a2:a9:88:71:81:f5:d6:48:
                   d9:17:d9:0d:bb:9d:c5:24:bb:d8:58:93:85:1c:5f:
                   a4:39:df:8f:d6:9a:2a:2f:9c:34:bb:28:f0:87:fe:
                   df:9d:41:8a:0b:f6:c5:a3:0c:4c:6c:e1:f4:a6:89:
                   23:c1
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           Authority Information Access: 
               CA Issuers - URI:http://sub-ca.serc.stevens.edu/sub-ca.crt
               OCSP - URI:http://ocsp.sub-ca.serc.stevens.edu:9081

           X509v3 Authority Key Identifier: 
               keyid:FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F

           X509v3 Basic Constraints: critical
               CA:FALSE
           X509v3 CRL Distribution Points: 

               Full Name:
                 URI:http://sub-ca.serc.stevens.edu/sub-ca.crl

           X509v3 Extended Key Usage: 
               TLS Web Client Authentication, TLS Web Server Authentication
           X509v3 Key Usage: critical
               Digital Signature, Key Encipherment
           X509v3 Subject Key Identifier: 
               4F:60:83:45:A3:32:DB:C4:5C:AD:C1:BD:69:09:AF:E2:55:13:1A:6A
           X509v3 Subject Alternative Name: 
               DNS:rt168openmbee.serc.stevens.edu, IP Address:155.246.39.32
   Signature Algorithm: sha256WithRSAEncryption
        07:d1:b6:ab:5d:b4:8a:f7:77:3c:57:06:f3:7c:69:a9:fa:85:
        d0:04:b6:3b:24:2b:32:9f:31:4e:33:3b:a9:ed:d8:3e:8a:cf:
        aa:19:be:84:86:42:86:9c:d3:c4:a6:35:2e:87:b5:10:40:d2:
        05:92:13:e1:e6:00:cc:42:f9:55:ff:14:ba:3e:0e:d8:3c:9b:
        d6:47:19:27:61:d3:c1:a4:9f:a9:80:c7:ae:68:c1:bf:a1:3c:
        fd:c6:cc:df:16:4e:0b:ca:22:3e:d1:5f:b6:9f:ee:38:84:3b:
        65:4d:86:d5:f3:df:03:7a:e1:13:ad:1e:62:8c:ad:ca:3c:d4:
        78:89:8a:91:c9:a8:85:58:fa:78:49:ff:94:b5:37:68:72:89:
        18:94:d7:08:ec:62:40:a5:35:1d:93:2c:7b:bf:b7:f1:b4:0f:
        57:a7:17:69:8d:fb:a4:7d:1f:7b:bd:8c:f6:32:a9:6a:e4:04:
        64:89:05:55:ee:43:cf:a3:51:67:35:6c:84:16:62:d3:6e:57:
        de:0b:e9:fb:e3:11:a7:ed:94:9e:1e:ef:ec:5f:c4:03:33:cf:
        0c:00:5c:8b:9f:ad:4e:b2:89:01:9f:be:49:9d:51:b8:2f:ba:
        f3:9d:70:80:69:e3:bf:95:d6:a3:07:ee:fa:8b:84:ac:78:50:
        7c:f3:08:0c

Intermediate CA certificate:

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:cb
       Signature Algorithm: sha256WithRSAEncryption
       Issuer: C = US, O = SERC, CN = Root CA
       Validity
           Not Before: Jul 18 19:49:50 2019 GMT
           Not After : Jul 15 19:49:50 2029 GMT
       Subject: C = US, O = SERC, CN = Sub CA
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               RSA Public-Key: (2048 bit)
               Modulus:
                   00:be:90:03:fa:85:91:b7:0a:72:6c:0c:81:aa:6d:
                   19:c1:d6:40:a5:f9:c5:28:35:ce:d6:e1:70:ea:eb:
                   80:54:2b:ad:87:e5:67:b1:6c:94:df:14:e7:97:9f:
                   1d:00:a3:db:96:48:e1:76:6f:06:bf:3d:27:f8:62:
                   74:90:75:95:3c:f2:5d:40:d4:1b:11:61:f0:52:db:
                   9a:d9:7f:4e:04:76:7f:fa:4e:c2:f2:00:fc:79:fb:
                   0c:51:aa:b8:39:5a:9c:73:b5:1f:04:cd:76:5c:7b:
                   a2:4b:41:3e:14:47:e9:d4:b1:b5:46:3b:05:05:99:
                   cc:63:1e:d8:1c:3d:4a:5a:b4:23:23:3e:39:8a:78:
                   05:1a:44:ba:fd:a4:b5:98:05:a4:e0:b8:d8:f1:3a:
                   0a:09:54:2d:4d:db:09:df:88:1c:b4:73:a5:a7:41:
                   5d:f8:a8:ec:fc:52:b1:6f:36:22:1c:3e:e7:66:93:
                   90:a7:dc:32:50:21:60:31:57:51:09:76:50:15:f7:
                   fc:4e:b9:05:ae:b6:93:2e:f4:b0:44:aa:3c:73:a7:
                   1c:c5:87:d9:54:81:f3:97:42:df:08:77:0b:5d:dd:
                   01:04:be:5e:1a:94:57:4b:82:65:71:91:3b:ad:58:
                   82:b7:55:e7:c9:7e:ed:fd:59:0f:83:48:1a:33:d4:
                   95:c1
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           Authority Information Access: 
               CA Issuers - URI:http://root-ca.serc.stevens.edu/root-ca.crt
               OCSP - URI:http://ocsp.root-ca.serc.stevens.edu:9080

           X509v3 Authority Key Identifier: 
               keyid:F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83

           X509v3 Basic Constraints: critical
               CA:TRUE, pathlen:0
           X509v3 CRL Distribution Points: 

               Full Name:
                 URI:http://root-ca.serc.stevens.edu/root-ca.crl

           X509v3 Extended Key Usage: 
               TLS Web Client Authentication, TLS Web Server Authentication
           X509v3 Key Usage: critical
               Certificate Sign, CRL Sign
           X509v3 Name Constraints: 
               Permitted:
                 DNS:serc.stevens.edu
                 DNS:.serc.stevens.edu
                 IP:155.246.39.0/255.255.255.0
               Excluded:
                 IP:0.0.0.0/0.0.0.0
                 IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

           X509v3 Subject Key Identifier: 
               FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
   Signature Algorithm: sha256WithRSAEncryption
        ab:93:26:fa:85:ae:72:fa:e3:2d:65:9a:10:a5:c8:cc:e2:1c:
        c6:4d:40:53:80:c2:6f:67:24:4e:29:23:b9:75:6e:2f:7f:ce:
        7e:fb:2c:64:e8:e6:90:13:2d:39:da:13:3f:a9:71:5b:72:b1:
        3b:11:e5:aa:98:e6:cc:47:a7:95:dc:7a:c0:27:2f:52:1e:08:
        1f:34:b5:ab:1d:16:53:89:d4:b4:8a:d9:f7:ca:4d:7a:5a:bc:
        9a:16:ed:45:5d:18:2a:50:0b:57:12:ea:23:8a:b8:f1:2b:26:
        5b:1a:e8:7b:35:37:de:22:8f:cf:ae:f6:4f:7f:3e:88:0b:21:
        40:40:46:53:ad:83:6a:3a:26:ba:0e:28:ba:0c:8d:04:56:e3:
        59:d5:7d:13:06:d2:89:b1:5c:50:0c:54:60:09:bc:22:b8:96:
        e8:42:8c:a6:dd:47:86:6f:16:bd:a9:45:3f:b6:f1:4d:58:82:
        cf:e9:e2:e2:be:2b:2d:97:e5:0d:df:24:09:96:95:1d:1a:08:
        94:87:73:6c:61:1a:70:36:ae:55:79:a8:ae:58:66:0d:2a:94:
        32:27:91:bb:0a:5c:2f:64:b8:fe:a2:5f:3d:f7:d9:66:a9:2a:
        e4:6b:9b:7f:66:ba:7a:61:e6:57:4f:c8:8b:5c:74:d7:0b:db:
        a3:cb:d2:97:50:95:6f:34:64:24:ce:7a:0b:c3:dd:3a:7c:81:
        d1:48:5e:74:af:7f:9c:fc:73:3b:01:b9:a9:d7:67:87:7b:81:
        b0:99:9b:a5:29:1d:97:bb:70:61:48:32:13:e8:20:da:f5:7a:
        96:2b:c0:04:1f:b2:27:a3:cb:35:a0:63:08:e3:5b:8e:ae:87:
        60:c9:85:9e:b7:4a:a7:12:8f:81:3b:7d:5b:00:05:be:54:bd:
        49:4e:1c:73:0e:c7:51:27:40:82:63:e4:48:d5:94:f3:63:53:
        a1:84:5c:ca:3a:91:94:ca:23:de:65:48:5b:ff:7e:e6:79:8b:
        a1:bf:c0:2d:9f:91:b5:c5:66:3c:58:e8:b8:e9:8f:81:18:cb:
        7e:eb:46:4b:59:5d:d1:34:74:3f:92:c4:0d:9e:4a:ec:25:f4:
        48:f4:d8:c9:a1:8f:72:2f:a5:8b:a2:14:16:f1:84:41:9b:df:
        85:99:62:af:50:ab:c0:4d:4c:a9:7a:d0:31:24:4f:04:00:e3:
        16:bb:53:08:fa:66:8b:d5:15:2b:22:62:ac:64:38:c2:2f:c0:
        fa:ad:a1:be:b6:67:f6:f6:ac:af:a4:33:ea:4a:a0:8d:49:ad:
        35:3c:6f:ae:b3:b6:a0:e6:84:df:32:36:46:73:48:26:28:a2:
        10:9a:d2:2c:85:48:d7:d4

Root CA certificate:

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:ca
       Signature Algorithm: sha256WithRSAEncryption
       Issuer: C = US, O = SERC, CN = Root CA
       Validity
           Not Before: Jul 18 19:47:30 2019 GMT
           Not After : Jul 15 19:47:30 2029 GMT
       Subject: C = US, O = SERC, CN = Root CA
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               RSA Public-Key: (4096 bit)
               Modulus:
                   00:c7:6a:ca:cb:b6:3b:23:63:f4:21:32:37:a6:b8:
                   ed:34:0a:06:38:06:7a:cf:3a:0a:6e:36:ef:81:d0:
                   01:2d:e7:ea:dc:d9:46:d7:45:f3:ed:84:ed:7e:20:
                   6a:e2:00:34:43:4e:2a:fc:2b:53:ef:d2:af:1e:25:
                   c9:ed:e0:34:d0:9a:03:c2:50:16:46:96:89:cb:6d:
                   43:b4:17:61:49:07:53:85:62:d6:27:b5:0a:b0:87:
                   3b:b6:e3:ba:f7:b9:35:77:37:bb:ae:a8:7e:04:0f:
                   54:e2:b3:26:b0:3f:65:01:27:fc:dc:ac:b6:3a:a4:
                   d0:ea:6a:d2:f5:c5:7c:be:43:0f:41:d1:9d:1c:1c:
                   61:e1:ba:af:03:95:30:10:a9:3d:52:64:ce:70:40:
                   bd:dc:0d:53:35:00:c1:e9:e1:68:fd:f5:d5:d1:a1:
                   e4:c7:c7:22:fb:56:6f:a6:e1:ea:48:e8:61:fb:8c:
                   76:28:8a:4e:18:84:ab:f3:9b:d5:49:7c:04:40:15:
                   83:4d:26:2b:33:92:84:7e:f2:75:1b:0b:4c:d6:54:
                   c3:f2:4a:9f:13:72:ab:9c:92:a4:42:77:99:00:25:
                   91:c1:b6:87:bd:fa:f1:07:f0:ce:72:0f:3c:be:bc:
                   79:58:f6:8b:6e:07:bc:5d:ee:23:be:0d:d5:d6:91:
                   22:f4:73:1b:4f:5f:cc:82:87:57:61:50:96:8c:69:
                   0b:ae:f7:40:47:7c:62:4e:2e:77:3e:8c:f1:41:7d:
                   e8:64:d5:bf:24:36:99:bb:0c:46:0e:28:7b:52:95:
                   7d:b8:f2:e5:91:0d:07:ea:cb:9c:9d:08:dd:1f:e2:
                   3a:02:6a:5b:36:d1:ff:b9:0f:a4:08:ed:12:38:7a:
                   0b:a1:68:7e:be:b1:bb:90:e2:6a:9f:33:8f:d4:d2:
                   8b:ba:84:db:f9:c6:d7:94:19:d5:cd:db:ce:b3:ba:
                   53:36:51:9a:16:12:57:f9:16:27:1e:23:3b:09:c0:
                   2b:d8:f3:cf:d7:d2:ec:2d:b0:fd:bf:dc:85:7d:cb:
                   9d:cc:e1:70:0d:2a:fd:43:4f:48:3d:89:09:33:2e:
                   6b:e8:f0:ba:ca:21:9c:32:79:a2:64:e1:dc:75:8b:
                   ed:0b:32:50:5b:b1:b5:0b:11:7a:d4:f0:d9:df:f7:
                   61:04:4a:c5:41:c7:0e:cb:e5:c7:1a:3c:6e:7b:63:
                   8b:bd:e5:f2:99:c8:2e:5c:e4:ed:a0:1d:b4:c1:64:
                   b8:71:27:23:23:2f:93:54:b4:d8:99:b5:a4:35:7b:
                   dd:82:ef:b4:ee:d4:fb:f4:91:58:af:5e:f2:8f:37:
                   9d:5a:9f:62:99:f9:26:31:d8:74:08:71:2f:bc:1d:
                   40:a6:43
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Basic Constraints: critical
               CA:TRUE
           X509v3 Key Usage: critical
               Certificate Sign, CRL Sign
           X509v3 Subject Key Identifier: 
               F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
   Signature Algorithm: sha256WithRSAEncryption
        16:77:4d:7b:ef:89:3d:31:45:07:8f:a3:c4:ad:ed:89:a0:9b:
        b6:ab:74:59:1a:fb:7b:48:e1:e0:3c:75:73:dc:e3:e2:1b:a3:
        74:a1:0d:37:ea:ac:85:fb:1c:e0:86:f1:86:ee:78:51:fd:4d:
        58:04:8b:5c:6b:b3:06:1c:07:04:a1:c5:51:a9:d1:4c:24:42:
        7c:ef:1e:35:c5:df:00:79:44:91:a1:f5:cb:71:5b:a7:85:b1:
        f3:36:3c:75:e7:f8:d5:29:85:18:2e:ff:79:e1:eb:1f:72:24:
        6a:36:a4:17:4e:76:4d:5d:d1:85:c4:18:c3:f4:83:07:10:3f:
        7a:e2:36:33:48:1d:da:5d:08:2a:59:4f:3a:97:74:b7:d8:97:
        85:b0:b1:82:f8:46:d5:df:75:d9:56:77:34:0e:26:d5:3a:eb:
        8b:02:5e:d1:c3:fd:16:22:1f:ab:86:76:c4:cf:5b:d5:d5:bd:
        da:70:76:9e:18:bd:2f:16:c0:89:fe:cc:e0:93:63:f0:23:65:
        37:4c:6c:f5:e4:a7:fd:b2:02:86:91:6a:f5:31:b2:93:cc:33:
        87:38:57:6b:55:59:7e:ed:02:13:5d:6f:4f:15:91:ac:7e:7f:
        52:57:35:de:ec:87:38:bf:fe:7e:bd:5d:3c:ef:43:a9:d1:13:
        ab:ed:6f:ac:cf:bf:7e:e8:35:0b:92:97:08:05:78:db:68:e0:
        b1:05:2a:49:6e:00:34:71:a5:0f:5b:1c:17:47:9e:23:6f:64:
        d7:f0:93:60:12:7f:6d:0a:cd:15:e7:de:72:c4:76:86:ef:4d:
        65:c6:2a:1a:c4:35:0e:08:07:c5:ee:34:aa:9e:e1:90:d4:66:
        87:0f:1f:32:fa:21:7e:4f:01:9b:6d:19:20:ed:e5:9d:1a:ee:
        b3:e6:c4:93:4b:a4:cc:62:db:65:c1:b9:3b:05:a8:45:38:87:
        29:6d:8c:86:86:7b:c5:3d:89:85:c8:8e:f5:da:7d:c5:89:31:
        49:7b:af:9e:ff:03:89:db:ac:65:c5:5f:78:0d:cf:91:6f:19:
        6a:e4:eb:b6:d5:46:ff:3b:8c:44:cd:00:7b:3c:ed:6f:f6:79:
        61:93:12:08:58:7c:d5:02:9b:a7:4c:a0:c6:1a:f8:d9:b1:b6:
        1e:77:75:1d:24:e8:d2:ff:61:ee:a8:85:e5:1b:49:cf:3c:91:
        56:ea:e5:0e:6e:39:96:d0:d4:b7:95:25:e3:1a:a3:82:26:c8:
        3f:53:47:fe:93:10:c4:bf:91:b5:7d:40:d2:2e:22:8e:7f:e5:
        8a:4c:6e:03:04:de:f7:81:95:fc:a9:0f:31:51:ab:21:9d:20:
        06:64:c2:9e:41:db:07:86

Your server certificate is invalid because you excluded its IP address in the CA certificate. Here is the relevant text from RFC 5280:

Any name matching a restriction in the excludedSubtrees
field is invalid regardless of information appearing in the
permittedSubtrees.

Just remove the excluded section from the CA certificate and everything should work. If the name constraints contain only the permitted section, all other names are forbidden anyway.

Read this blog post to learn how to deal with subtrees.
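Reproducing the chain from the question and the fix from the answer with a throwaway CA, as an added example that is not part of the original question or answer: the script below builds root, sub-CA and leaf with the openssl CLI (assumed 1.1.1 or 3.x), using openssl x509 -req instead of the Cookbook's openssl ca database setup. It certifies the same sub-CA key twice, once with the excluded;IP lines as posted and once with the permitted subtrees only, and runs openssl verify on the same leaf under each. A third leaf with a hypothetical out-of-scope name (www.example.com) shows that the permitted-only form still rejects names outside serc.stevens.edu. Hostnames and the IP are the ones from the question; all keys are ephemeral and created in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenSSL Cookbook.
# Shows that the two "excluded;IP" lines alone turn a valid leaf into
# "excluded subtree violation" (X509_V_ERR_EXCLUDED_VIOLATION, error 48).
set -eu

# Write one config file holding every extension section used below.
write_conf() {
    cat > "$1" <<'EOF'
[req]
prompt             = no
distinguished_name = req_dn

[req_dn]
# placeholder only; every request below passes -subj
CN = placeholder

[ca_ext]
basicConstraints       = critical,CA:true
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash

# sub-CA as posted: permitted subtrees plus "exclude every IP"
[sub_ca_ext_bad]
basicConstraints       = critical,CA:true,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
nameConstraints        = @nc_bad

# sub-CA as the answer suggests: permitted subtrees only
[sub_ca_ext_fixed]
basicConstraints       = critical,CA:true,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
nameConstraints        = @nc_fixed

[nc_bad]
permitted;DNS.0=serc.stevens.edu
permitted;IP.0=155.246.39.0/255.255.255.0
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[nc_fixed]
permitted;DNS.0=serc.stevens.edu
permitted;IP.0=155.246.39.0/255.255.255.0

# leaf inside the permitted subtrees (the host from the question)
[server_ext]
basicConstraints       = critical,CA:false
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = DNS:rt168openmbee.serc.stevens.edu,IP:155.246.39.32

# leaf outside the permitted subtrees (hypothetical name)
[outside_ext]
basicConstraints       = critical,CA:false
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = DNS:www.example.com
EOF
}

# issue CSR ISSUER_CERT ISSUER_KEY EXT_SECTION OUT: sign a CSR with extensions from $conf.
issue() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
        -extfile "$conf" -extensions "$4" -out "$5" 2>/dev/null
}

# verify_leaf ROOT SUB_CA LEAF: print OK, or the text of the first verify error
# (the "error N at D depth lookup: ..." line that openssl verify emits).
verify_leaf() {
    if out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1); then
        echo OK
    else
        echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    fi
}

# Build everything in a temp dir and print one line:
#   bad=<result>; fixed=<result>; outside=<result>
name_constraints_demo() {
    work=$(mktemp -d)
    conf="$work/ext.cnf"
    write_conf "$conf"

    # self-signed root CA
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$conf" \
        -subj "/C=US/O=SERC/CN=Root CA" -extensions ca_ext \
        -keyout "$work/root.key" -out "$work/root.crt" 2>/dev/null

    # one sub-CA key/CSR, certified twice: with and without the excluded IPs
    openssl req -new -newkey rsa:2048 -nodes -config "$conf" \
        -subj "/C=US/O=SERC/CN=Sub CA" \
        -keyout "$work/sub.key" -out "$work/sub.csr" 2>/dev/null
    issue "$work/sub.csr" "$work/root.crt" "$work/root.key" sub_ca_ext_bad   "$work/sub-bad.crt"
    issue "$work/sub.csr" "$work/root.crt" "$work/root.key" sub_ca_ext_fixed "$work/sub-fixed.crt"

    # leaf certificates signed by the sub-CA key; they chain to either sub-CA cert
    openssl req -new -newkey rsa:2048 -nodes -config "$conf" \
        -subj "/C=US/O=SERC/CN=rt168openmbee.serc.stevens.edu" \
        -keyout "$work/host.key" -out "$work/host.csr" 2>/dev/null
    openssl req -new -key "$work/host.key" -config "$conf" \
        -subj "/C=US/O=SERC/CN=www.example.com" -out "$work/outside.csr" 2>/dev/null
    issue "$work/host.csr"    "$work/sub-bad.crt" "$work/sub.key" server_ext  "$work/host.crt"
    issue "$work/outside.csr" "$work/sub-bad.crt" "$work/sub.key" outside_ext "$work/outside.crt"

    bad=$(verify_leaf "$work/root.crt" "$work/sub-bad.crt"   "$work/host.crt")
    fixed=$(verify_leaf "$work/root.crt" "$work/sub-fixed.crt" "$work/host.crt")
    outside=$(verify_leaf "$work/root.crt" "$work/sub-fixed.crt" "$work/outside.crt")
    rm -rf "$work"
    echo "bad=$bad; fixed=$fixed; outside=$outside"
}

name_constraints_demo
```

The first verify fails with error 48, the same excluded subtree violation that s_client reported in the question, because 0.0.0.0/0.0.0.0 matches every IPv4 address and an excluded match wins over any permitted match. The second succeeds with the identical leaf, and the third fails with error 47 (permitted subtree violation), confirming the answer's point that a permitted-only constraint already rejects everything outside the listed subtrees. To see what an existing sub-CA certificate actually constrains, run openssl x509 -in sub-ca.crt -noout -ext nameConstraints.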

Quoted from: https://serverfault.com/questions/975838