Windows
NET::ERR_CERT_AUTHORITY_INVALID 在 Windows 中使用自簽名 CA
我創建了一個(自簽名)根證書,並使用我用 Java 開發的系統簽署了一個 Web 伺服器證書(該 Web 證書用於 Apache 2.4.41)。
證書在 Linux 和 Mac 中正常工作(在不同的 Webkit 瀏覽器和 Firefox 中測試)。證書和伺服器設置
A+
使用testssl.sh得分。CA 證書在沒有任何警告的情況下正確安裝,但在 Windows 中不被接受(仍然顯示紅色三角形警告和
NET::ERR_CERT_AUTHORITY_INVALID
錯誤)(使用 2 個 Windows 10 設備進行測試,其中一個是全新安裝的)。在 Chrome、Edge 和 Firefox 中測試。我嘗試了很多事情:
- 使用
certlm.msc
,certutil.exe
, 通過settings
或點兩下文件安裝它們- 本地或使用者範圍
- 使用不同的設置重新生成根證書
- 更改 Apache 設置
- 重新啟動瀏覽器和電腦
- 停止防毒軟體
我已經閱讀了這個站點中的相關問題(似乎沒有解決它)並且我已經查看了其他網站的解決方案,但沒有成功。
這是同一系統生成的假CA證書(設置相同,只是這裡的密鑰長度為1024,以減少本文的大小):
密鑰和證書:
-----BEGIN PRIVATE KEY----- MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAJg/x+BCM0xGDiaC qc5h+83wrjZ/HVxaZ7GHK7g/sca4fvF1KQuADqx+iDfehxNpZ5hCjmAsgBgWkIbc E0Md/C6srSRWS4/EeoAPRgFJK2k5SNC0L1QII0DKc0xS7y9CRqcoPFWUt7ncUeuw RZGmDMYbNiqcamgjCWfnIPRB7kgVAgMBAAECgYBD4FuaDamVHb59SM+vpVt/ywfA YBeU7vE/4oWJVUxKzkI6IAO2jtb77EWKsvkBnIKFDVcwZWaOVrEEjuU/jQS6jvRU Ozwbvo4o9UhkxzEhNuREE7d0cs3RSzWBJ1u5PMYT8G7GXsIP22HgRD2XP86VBfSf TWAqKcfNWpNFtlA/wQJBAPAPULdIEvfO2e3VDNB/5Li50Et7jd8fzBU9B7U0Axus keuS3oer+zeA2nXinfd7rwFEyZN3tSUsU/8oQwlOzCkCQQCiW84xVNccCPcucwWu 2nEagbFcYyouh/Ml5fR00uBgA8K27y8NHLgzNuqob1zqW7TgsmgCYaTnPbol0t/I 29oNAkEAviQTVaiTxY4klTmL1dWHDz22GyN44sLnvebCJSdWUuQkDAgflCyHZZX8 8ySU5EImAoY+dzx40UHEIjT8q/GqyQJAXZMkB/Kp+BKCxFau09Q6k9hj7KeKzD62 uQUMG7jecPg55U19hMUktP/VxzZICxrH6SlqINU+Qbil7N7Y898ikQJAacFKaTdU 2VmKAT1WaO6DPNmwhJ72a4cTAol9y79CFndjrTtGSENJwseqTgPTr+LtRBq3S+nZ r5a1qsB0bzNGvg== -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIC1zCCAkCgAwIBAgIIX2TQo7pcNcQwDQYJKoZIhvcNAQELBQAwgYsxFzAVBgNV BAMMDkZha2UgQXV0aG9yaXR5MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJ BgNVBAcMAkxBMRQwEgYDVQQKDAtFeGFtcGxlIExURDENMAsGA1UECwwETm9uZTEk MCIGCSqGSIb3DQEJARYVd2VibWFzdGVyQGV4YW1wbGUuY29tMB4XDTIxMTExMDIx MDY1M1oXDTIyMTExMDE1MDAwMFowgYsxFzAVBgNVBAMMDkZha2UgQXV0aG9yaXR5 MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJBgNVBAcMAkxBMRQwEgYDVQQK DAtFeGFtcGxlIExURDENMAsGA1UECwwETm9uZTEkMCIGCSqGSIb3DQEJARYVd2Vi bWFzdGVyQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCY P8fgQjNMRg4mgqnOYfvN8K42fx1cWmexhyu4P7HGuH7xdSkLgA6sfog33ocTaWeY Qo5gLIAYFpCG3BNDHfwurK0kVkuPxHqAD0YBSStpOUjQtC9UCCNAynNMUu8vQkan KDxVlLe53FHrsEWRpgzGGzYqnGpoIwln5yD0Qe5IFQIDAQABo0IwQDAPBgNVHRMB Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQURaB83qfjI0wv+tvJ myfInKagSgswDQYJKoZIhvcNAQELBQADgYEAYQ2PvvfQSe9WtG6peJ4B52bG1Mzs U+jE9xc4oWEfvekkpjOkZ4dbk89gBVeAZsSxdffcQfFPyRKE9vubYrd9xuemUAGE 51ZyMqJWMawFRxtXdV1e6a1OTH1qKks61obwtRuRBOweoUW4KrOSgCLB3VhmXKVe YJiVhpvJCxzi/MI= -----END CERTIFICATE-----
加州摘要
Version: 3 SerialNumber: 6873848332899071428 IssuerDN: CN=Fake Authority,C=US,ST=CA,L=LA,O=Example LTD,OU=None,E=webmaster@example.com Start Date: Thu Nov 11 06:06:53 JST 2021 Final Date: Fri Nov 11 00:00:00 JST 2022 SubjectDN: CN=Fake Authority,C=US,ST=CA,L=LA,O=Example LTD,OU=None,E=webmaster@example.com Public Key: RSA Public Key [b8:07:ef:1f:8e:91:c0:ab:12:db:38:3f:76:e7:0a:7f:21:9d:fe:49],[56:66:d1:a4] modulus: 983fc7e042334c460e2682a9ce61fbcdf0ae367f1d5c5a67b1872bb83fb1c6b87ef175290b800eac7e8837de8713696798428e602c8018169086dc13431dfc2eacad24564b8fc47a800f4601492b693948d0b42f54082340ca734c52ef2f4246a7283c5594b7b9dc51ebb04591a60cc61b362a9c6a68230967e720f441ee4815 public exponent: 10001 Signature Algorithm: SHA256WITHRSA Signature: 610d8fbef7d049ef56b46ea9789e01e766c6d4cc ec53e8c4f71738a1611fbde924a633a467875b93 cf6005578066c4b175f7dc41f14fc91284f6fb9b 62b77dc6e7a6500184e7567232a25631ac05471b 57755d5ee9ad4e4c7d6a2a4b3ad686f0b51b9104 ec1ea145b82ab3928022c1dd58665ca55e609895 869bc90b1ce2fcc2 Extensions: critical(true) BasicConstraints: isCa(true) critical(true) KeyUsage: 0x6 critical(false) 2.5.29.14 value = DER
伺服器證書
-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCMzMPwSTHQTaxu rtfnFFVXLXnDOkolG2iuA4H7KkPrizZ24vloFCU353wsT2YVJ9ykIw+Y58vXqEw8 QjlhOHMRMetWeaEMH562uhakb8S+KArQN7SZh9vw7TF7OwiCIg/sWcle87j9ETSn NtZ4M0HMQ+s+AOX0jDLDWAW08wXk0hXAOHMvaaqnC3NoI94/joQoElctaCpUhrov kmmDIrJHufplUtMdJrqkzhrUfzKHkslTBLeTHAHHgNdX45JjYibZlqVY3rLns9NI DIN199ciAnJpqSlvp65SMLJUMFFp2kWK0/S8gnTo41QjcGMBNYR4KiGAPmZPzjaR QFw9G8mdAgMBAAECggEAWUQhHaBqMpRsNCgpvdmIWaL9RacZBvmfnmOe7uxW72jt eOZiFXhgOFdMxJL6N4N0QaPw6ZJcDDgpTTL3SgoN+eLaP5MRZaxOZa8JV+t8osqk QGpw173o1ZCsBGLi/A44ZjJulwKST++uoC0GQGLO3oBZDpBnOmoAbRTLWXOSUwVe pFyWB/5VYtBKAaTwd8MmoNuTCL9o1CGutBHsaUCglnHv/Z2Ar7JLJaiDPEu2/kSe H/5YroI6L1FF8X0TsCpcxOiMOW/eFzW6TDrbo/kggHRnVRGjoM+rPr8E7nKYlNks whQI2aA2pcazWoBBwzYyscD7jXQJfKNNZQ3pun1aQQKBgQDzBeanFuzZmYcVjfq3 QmWydKIIMyn+FuqiXhP1Hs9sRcsFS+FfG4RfZJXJNpJ+4NaAOgTyvofpmZ0g6M6a M5heae+Hhl/942xzcUqpiK3pJ0YaRy/aluo33O6tyDXAmvPqLBkJO0EfOneBHaAe KjVm3vK8xvf+fpE022rm36AU+QKBgQCUUXwDAEvWpwhlrWlzT2b1iONKWsZNV3vd Uy83zqZXJ2P+biaz9xFaNCiKXo5ziZU1XZVPg8+rYv2R3kxtAjgjNUwxr6vF/ZBs 2gpLy0YhoCjk/xcIIAFldna/a7vTUPDSNn4HWxkjEqgMu+GEzyngjZkm8sY7v3bi oXgPtuBWxQKBgQDkzVt5WQYpYHhj/MZdn2+r8k9TNQiGJwFFWRmlIBrdr2ATXnuT VY7tWQAE7xJBzmFlXDqoaGYBsxTSlR1e5NDBoy9XA1aA7IuArNtEfmBuMQG5X+hX /toJOkKk7uhcrAaVJGt124nWYu98am4DuG2KqsESpql5u6Puhd5B+6z10QKBgCT1 hSyOR1eu+dW0d8GHOMXYnaLqqd2d/jyxvONwOF0hcLZ3JmfUGlvbAXsxgtfhoe/R aSKOWxJ/MWbG+U50rh5/6oO7HdfRjsrBLq2ictBwQ6CEvG2G5DIvafnbU8udsNUB RTh6B/KIdJ3vt4vLv8i4IEDnYGSFGo/w4qUv0gltAoGACLthSVxyNdZCX/21WRdq THzdUqV39gkaNVJdT10UQzhzMZSBchoiSDSNha33XEwJqr3UivAuYeAqTeRI6jdr 7BBjXjQ0d3OhtgwqL2AHHzudzYhvSoUmPgfJ1YWeJvUVzGDowz5z6HEjc637GZU4 +ph1ewJMz75BlRZjT7kfi5o= -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIDvTCCAyagAwIBAgIIXETyGvtei7MwDQYJKoZIhvcNAQELBQAwgYsxFzAVBgNV BAMMDkZha2UgQXV0aG9yaXR5MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJ BgNVBAcMAkxBMRQwEgYDVQQKDAtFeGFtcGxlIExURDENMAsGA1UECwwETm9uZTEk MCIGCSqGSIb3DQEJARYVd2VibWFzdGVyQGV4YW1wbGUuY29tMB4XDTIxMTExMDIx MDgzN1oXDTIyMTExMDE1MDAwMFowgYgxGTAXBgNVBAMMEGZha2UuZXhhbXBsZS5j b20xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCTEExFDASBgNV BAoMC0V4YW1wbGUgTFREMQ0wCwYDVQQLDAROb25lMR8wHQYJKoZIhvcNAQkBFhBm YWtlQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA jMzD8Ekx0E2sbq7X5xRVVy15wzpKJRtorgOB+ypD64s2duL5aBQlN+d8LE9mFSfc pCMPmOfL16hMPEI5YThzETHrVnmhDB+etroWpG/EvigK0De0mYfb8O0xezsIgiIP 7FnJXvO4/RE0pzbWeDNBzEPrPgDl9Iwyw1gFtPMF5NIVwDhzL2mqpwtzaCPeP46E KBJXLWgqVIa6L5JpgyKyR7n6ZVLTHSa6pM4a1H8yh5LJUwS3kxwBx4DXV+OSY2Im 2ZalWN6y57PTSAyDdffXIgJyaakpb6euUjCyVDBRadpFitP0vIJ06ONUI3BjATWE eCohgD5mT842kUBcPRvJnQIDAQABo4GmMIGjMAwGA1UdEwEB/wQCMAAwHwYDVR0j BBgwFoAUx90O8ddg/Fo/lTlIjapK58YMBCEwDgYDVR0PAQH/BAQDAgOoMEMGA1Ud EQQ8MDqBEGZha2VAZXhhbXBsZS5jb22CEGZha2UuZXhhbXBsZS5jb22CFHd3dy5m YWtlLmV4YW1wbGUuY29tMB0GA1UdDgQWBBTH3Q7x12D8Wj+VOUiNqkrnxgwEITAN BgkqhkiG9w0BAQsFAAOBgQCI3Ri0d6W6ETohRaGKLSqH5SDf//g0C9t2rp2ox8po BjuAMlPHtRn6bfMC6xIsqznjDYZSni2YEMf6YBLivimbo9rYC18E/I5u5KsqvIa+ ze5VZd5U7O8+4+8Uaf+R/Re4gdf7eJ3j02iP4d8wKevfUfD8Vcuddx9mrWqluCEZ KQ== -----END CERTIFICATE-----
證書摘要
Version: 3 SerialNumber: 6648705147606043571 IssuerDN: CN=Fake Authority,C=US,ST=CA,L=LA,O=Example LTD,OU=None,E=webmaster@example.com Start Date: Thu Nov 11 06:08:37 JST 2021 Final Date: Fri Nov 11 00:00:00 JST 2022 SubjectDN: CN=fake.example.com,C=US,ST=CA,L=LA,O=Example LTD,OU=None,E=fake@example.com Public Key: RSA Public Key [2e:cd:8e:16:02:6f:b3:27:16:01:21:cb:1a:2b:9b:27:18:71:86:87],[56:66:d1:a4] modulus: 8cccc3f04931d04dac6eaed7e71455572d79c33a4a251b68ae0381fb2a43eb8b3676e2f968142537e77c2c4f661527dca4230f98e7cbd7a84c3c42396138731131eb5679a10c1f9eb6ba16a46fc4be280ad037b49987dbf0ed317b3b0882220fec59c95ef3b8fd1134a736d6783341cc43eb3e00e5f48c32c35805b4f305e4d215c038732f69aaa70b736823de3f8e842812572d682a5486ba2f92698322b247b9fa6552d31d26baa4ce1ad47f328792c95304b7931c01c780d757e392636226d996a558deb2e7b3d3480c8375f7d722027269a9296fa7ae5230b254305169da458ad3f4bc8274e8e354237063013584782a21803e664fce3691405c3d1bc99d public exponent: 10001 Signature Algorithm: SHA256WITHRSA Signature: 88dd18b477a5ba113a2145a18a2d2a87e520dfff f8340bdb76ae9da8c7ca68063b803253c7b519fa 6df302eb122cab39e30d86529e2d9810c7fa6012 e2be299ba3dad80b5f04fc8e6ee4ab2abc86becd ee5565de54ecef3ee3ef1469ff91fd17b881d7fb 789de3d3688fe1df3029ebdf51f0fc55cb9d771f 66ad6aa5b8211929 Extensions: critical(true) BasicConstraints: isCa(false) critical(false) 2.5.29.35 value = Sequence Tagged [0] IMPLICIT DER Octet String[20] critical(true) KeyUsage: 0xa8 critical(false) 2.5.29.17 value = Sequence Tagged [1] IMPLICIT DER Octet String[16] Tagged [2] IMPLICIT DER Octet String[16] Tagged [2] IMPLICIT DER Octet String[20] critical(false) 2.5.29.14 value = DER
我的設置有什麼問題?
問題中發布的證書有兩個問題:
- 兩個證書都使用一個共享密鑰。由於證書應將密鑰綁定到其所有者(主題),因此將一個密鑰用於兩個主題確實沒有意義。
- 由於上述原因,主題密鑰標識符和授權密鑰標識符散列在兩個證書中是相同的。
請注意,您在最終實體證書中還有一個相當複雜的授權密鑰標識符。通常在這裡只放散列,直接從頒發 CA 證書的主題密鑰標識符中複製。也就是說,省略 Directory 和 Serial 條目。你所擁有的可能會奏效,但為什麼要冒險呢?