Problem generating a self-signed certificate with the correct SAN field
I am trying to configure the Janus gateway, but I am having a problem with my self-signed certificate; see the log below:

```text
Jan 25 09:50:46 localhost platform: [2018/01/25 09:50:46 EST] [EROR] /api/v4/webrtc/token:WebRTC.Token code=500 rid=7mgqedeejpnt3gginnpj5ikape uid=k7m4t6r663frfqaoo5enspfuqh ip=192.168.20.3 We encountered an error while connecting to the server [details: Post https://192.168.20.140:7889/admin: x509: cannot validate certificate for 192.168.20.140 because it doesn't contain any IP SANs]
```

My hostname is webrtc, the IP address is 192.168.20.140, and the local DNS server is 192.168.20.1.
My understanding is that my certificate probably has no SAN information, so I followed an online tutorial and modified the command used to generate the certificate request. See the configuration file below.
```ini
[ req ]
default_bits = 2048                 # RSA key size
encrypt_key = yes                   # Protect private key
default_md = sha256                 # MD to use
utf8 = yes                          # Input is UTF-8
string_mask = utf8only              # Emit UTF-8 strings
prompt = yes                        # Prompt for DN
distinguished_name = san_dn         # DN template
x509_extensions = v3_ca
req_extensions = san_reqext         # Desired extensions
x509_extensions = usr_cert

[ san_dn ]
countryName = "1. Country Name (2 letters) (eg, US) "
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (eg, region) "
localityName = "3. Locality Name (eg, city) "
organizationName = "4. Organization Name (eg, company) "
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
commonName = "6. Common Name (eg, full name)"
commonName_max = 64

[ san_reqext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning, msCodeInd, msCodeCom
nsCertType = client,server,email,objsign
subjectAltName = @alt_names

[ usr_cert ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning, msCodeInd, msCodeCom
nsCertType = client,server,email,objsign
authorityKeyIdentifier = keyid,issuer

[ alt_names ]
DNS.0 = localhost
DNS.1 = webrtc
DNS.2 = 192.168.20.140
DNS.3 = 192.168.20.1
```
Here is the command I use to generate the certificate request:

```sh
openssl req -new -key ./webrtc_secret.key -config ./san_request.cfg -out ./webrtc.csr
```
Here is the command I use to generate the certificate from that request with my self-signed CA:

```sh
openssl x509 -req -in ./webrtc.csr -CA ./rootCA.pem -CAkey ./rootCA.key -CAcreateserial \
    -out ./webrtc.pem -days 365 -sha256
```
Can you spot what is wrong with my certificate request?
Update 1:

It looks like the certificate request I generated contains the correct information.

```text
Requested Extensions:
    X509v3 Subject Key Identifier:
        F0:CA:B8:FE:FA:CE:29:CE:0E:CB:01:93:B6:97:96:30:8E:B3:16:DB
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage: critical
        Digital Signature
    X509v3 Extended Key Usage: critical
        Code Signing, Microsoft Individual Code Signing, Microsoft Commercial Code Signing
    Netscape Cert Type:
        SSL Client, SSL Server, S/MIME, Object Signing
    X509v3 Subject Alternative Name:
        DNS:localhost, DNS:webrtc, DNS:192.168.20.140, DNS:192.168.20.1
```
Update 2:

So you would think openssl would use all the information from the certificate request when generating the certificate. Wrong! When generating a certificate from a certificate request, I have to specify the extensions manually. See the example below... this may be the answer. I am going to try it now.

```sh
openssl x509 -req -in ./webrtc.csr -CA ./rootCA.pem -CAkey ./rootCA.key -CAcreateserial \
    -out ./webrtc.pem -days 365 -sha256 -extfile ./san_ext.cfg -extensions san_reqext
```

```ini
# san_ext.cfg
[ req ]
req_extensions = san_reqext         # Desired extensions

[ san_reqext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = localhost
DNS.1 = mattermost
IP.0 = 192.168.20.140
IP.1 = 192.168.20.1
```

I am not sure where the information gets lost.
Please read my entire question and then read my Update 2. Update 2 has the detailed answer.

So you would think openssl would use all the information from the certificate request when generating the certificate. Wrong! When generating a certificate from a certificate request, I have to specify the extensions manually.

Here is an example...

```sh
openssl x509 -req -in ./webrtc.csr -CA ./rootCA.pem -CAkey ./rootCA.key -CAcreateserial \
    -out ./webrtc.pem -days 365 -sha256 -extfile ./san_ext.cfg -extensions san_reqext
```

```ini
# san_ext.cfg
[ req ]
req_extensions = san_reqext         # Desired extensions

[ san_reqext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = localhost
DNS.1 = mattermost
IP.0 = 192.168.20.140
IP.1 = 192.168.20.1
```
The IP addresses in the Subject Alternative Name section need to be identified as `IP`, not `DNS`. So change the `alt_names` section of your OpenSSL configuration file to look like this:

```ini
[ alt_names ]
DNS.0 = localhost
DNS.1 = webrtc
IP.0 = 192.168.20.140
IP.1 = 192.168.20.1
```

Then regenerate the request and the certificate.
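The two answers above each cover half of the fix: the SAN must be passed again at signing time with `-extfile`/`-extensions`, because `openssl x509 -req` does not carry requested extensions over from the CSR, and the addresses must be `IP.n` entries rather than `DNS.n`. The script below is an added example, not code from the question or either answer, that runs the whole procedure end to end (throwaway root CA, CSR, CA-signed certificate) for both the corrected configuration and the one from the question, then performs the same check the failing client did: does the certificate carry an IP SAN for 192.168.20.140? It assumes `openssl` is on `PATH`; the names `webrtc`, `192.168.20.140` and `192.168.20.1` are taken from the question, while the CA subject `Example Root CA`, the file names and the `ca_ext`/`san_ext` section names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Builds a throwaway root CA, then a server certificate whose SAN carries the
# IP addresses as IP entries, signed with -extfile/-extensions so the SAN
# survives `openssl x509 -req`. A second variant repeats the mistake from the
# question (IP addresses typed as DNS entries) so the failure can be seen.
# Assumptions: openssl on PATH; host names and addresses copied from the
# question; the CA subject "Example Root CA" is made up for this example.
set -e

# Write the OpenSSL config shared by the CSR and the signing step.
# $1 = working directory, $2 = "ip" (correct) or "dns" (the mistake).
write_cfg() {
    case "$2" in
        ip)  addrs='IP.0 = 192.168.20.140
IP.1 = 192.168.20.1' ;;
        dns) addrs='DNS.2 = 192.168.20.140
DNS.3 = 192.168.20.1' ;;
        *)   echo "mode must be ip or dns" >&2; return 1 ;;
    esac
    cat > "$1/san.cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = san_ext

[ dn ]
CN = webrtc

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ san_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = localhost
DNS.1 = webrtc
$addrs
EOF
}

# Self-signed root CA in $1 (constructed for the example).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/san.cfg" -extensions ca_ext \
        -subj "/CN=Example Root CA" \
        -keyout "$1/rootCA.key" -out "$1/rootCA.pem" >/dev/null 2>&1
}

# Key, CSR and CA-signed certificate $1/$3.pem, SAN style $2 ("ip" or "dns").
make_san_cert() {
    write_cfg "$1" "$2"
    [ -f "$1/rootCA.pem" ] || make_ca "$1"
    # The CSR carries the SAN as a requested extension ...
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/san.cfg" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
    # ... but `openssl x509 -req` ignores requested extensions, so the same
    # section is passed again with -extfile/-extensions at signing time.
    openssl x509 -req -in "$1/$3.csr" \
        -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$1/san.cfg" -extensions san_ext \
        -out "$1/$3.pem" >/dev/null 2>&1
}

# Print the SAN entries of certificate $1, e.g.
# "DNS:localhost, DNS:webrtc, IP Address:192.168.20.140, IP Address:192.168.20.1"
san_of() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Same check the failing client did: does certificate $1, chained to CA $2,
# carry an IP SAN matching $3? Exit status 0 = accepted.
verify_ip() {
    openssl verify -CAfile "$2" -verify_ip "$3" "$1" >/dev/null 2>&1
}

# Demo: the corrected certificate next to the one from the question.
work=$(mktemp -d)
make_san_cert "$work" ip  good
make_san_cert "$work" dns bad
echo "good.pem SAN: $(san_of "$work/good.pem")"
echo "bad.pem  SAN: $(san_of "$work/bad.pem")"
verify_ip "$work/good.pem" "$work/rootCA.pem" 192.168.20.140 \
    && echo "good.pem: 192.168.20.140 accepted as IP SAN"
verify_ip "$work/bad.pem" "$work/rootCA.pem" 192.168.20.140 \
    || echo "bad.pem: 192.168.20.140 rejected, no IP SAN (the error in the question)"
rm -rf "$work"
```

Because the CSR and the signing step read the same `[ san_ext ]` section, the request and the issued certificate cannot drift apart, which is the root of the confusion in the question. The `extendedKeyUsage` is `serverAuth` rather than the code-signing values in the question's config, since this certificate is presented by a TLS server. On OpenSSL 3.0 and later, `openssl x509 -req` additionally accepts `-copy_extensions copy` to carry the CSR's extensions across; on 1.1.1 and earlier, `-extfile`/`-extensions` is the only route.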