I recently used OpenSSL to generate a self-signed certificate and switched a simple server from HTTP to HTTPS, but browsers kept treating the connection as insecure, showing warnings such as NET::ERR_CERT_AUTHORITY_INVALID and MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT. The steps below finally solved it.
Certificate request configuration file req.conf:
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name=req_distinguished_name
req_extensions=v3_req
[req_distinguished_name]
C = TW
ST = Taiwan
L = Taipei
O = Duotify Inc.
OU = IT Department
emailAddress = admin@example.com
CN = GSTTEST
[v3_req]
# digitalSignature is required: modern browsers negotiate ECDHE key exchange,
# where the server signs the handshake with the certificate key. Without it
# Chrome reports ERR_SSL_KEY_USAGE_INCOMPATIBLE (see "Problems and solutions").
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
# List every DNS name and IP address the server will be reached by. Several
# entries are allowed, so one server certificate can be used on several devices.
# Browsers match the host they connected to against these SAN entries, not
# against the CN above; DNS and IP entries are independent of each other.
DNS.1 = www.test1.com
DNS.2 = www.test2.com
DNS.3 = www.test3.com
IP.1 = 192.168.0.155
IP.2 = 192.168.0.156
IP.3 = 210.23.77.215
Generate the root certificate (the leading # is the root shell prompt, not part of the command):
#openssl genrsa -des3 -out RootCA.key 4096
#openssl req -new -sha256 -key RootCA.key -out RootCA.req
#openssl x509 -req -days 3650 -sha256 -signkey RootCA.key -in RootCA.req -out RootCA.crt
-des3 encrypts the root key with a passphrase, which every later command that uses RootCA.key will ask for; -aes256 is the stronger choice today. Note that this root certificate is created without any extensions, so it declares neither basicConstraints CA:TRUE nor keyUsage keyCertSign. Browsers generally accept such a manually imported anchor, but a root you intend to keep should carry those extensions (pass them with -extfile, the same way the server certificate gets its v3_req section). Guard RootCA.key carefully: whoever holds it can issue certificates that every browser you import RootCA.crt into will trust.
Generate the server certificate:
#openssl genrsa -out server.key 2048
#openssl req -new -sha256 -config req.conf -key server.key -out server.req
#openssl x509 -req -days 3650 -sha256 -extensions v3_req -extfile req.conf -CA RootCA.crt -CAkey RootCA.key -CAserial RootCA.srl -CAcreateserial -in server.req -out server.crt
-extensions v3_req -extfile req.conf is what copies the SAN and keyUsage settings into the signed certificate; without it openssl x509 drops the CSR's extensions and the browser falls back to "no subject alternative name" errors. Apple platforms reject TLS server certificates valid for more than 825 days, so use a shorter -days for server.crt if iOS or macOS clients matter. You can confirm the result before deploying it with openssl verify -CAfile RootCA.crt server.crt and openssl x509 -in server.crt -noout -text.
Import only the root certificate RootCA.crt (never server.key) into Edge, Firefox, Chrome or whichever browser you use, as a trusted root authority. Chrome and Edge use the operating system's certificate store, while Firefox keeps its own store and needs a separate import under Settings > Privacy & Security > Certificates unless security.enterprise_roots.enabled is turned on.
Problems and solutions
Error message ERR_SSL_KEY_USAGE_INCOMPATIBLE:
Chrome raises this when the server certificate's keyUsage does not permit what the TLS handshake actually does. With ECDHE key exchange (mandatory in TLS 1.3 and preferred in TLS 1.2) the server signs the handshake with its RSA key, which requires the digitalSignature bit; a keyUsage of just keyEncipherment, dataEncipherment only covers the legacy RSA key-exchange suites. Change [v3_req] in req.conf from keyUsage = keyEncipherment, dataEncipherment to keyUsage = nonRepudiation, digitalSignature, keyEncipherment, then re-run the server certificate signing command (the existing CSR can be reused because the extensions are taken from -extfile):
openssl x509 -req -days 3650 -sha256 -extensions v3_req -extfile req.conf -CA RootCA.crt -CAkey RootCA.key -CAserial RootCA.srl -CAcreateserial -in server.req -out server.crt
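The whole procedure above, including the keyUsage fix, as an added, non-interactive example script (this is not the original post's command listing, and it differs from it in two ways: the root certificate gets explicit basicConstraints and keyUsage extensions, and the server certificate gets an 825-day lifetime). It finishes by verifying the chain, the SAN hostnames and IP, and the keyUsage bits with openssl, which is the check worth running before importing anything into a browser. The organisation name, host names, IP address and the passphrase are constructed test values; WORKDIR and ROOT_PASS are assumed environment variables with defaults.

```shell
#!/bin/sh
# Added example: rebuild the post's root CA + server certificate procedure
# non-interactively and verify the result. All names, IPs and the passphrase
# are constructed test values, not real infrastructure.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"                  # assumed: scratch directory
ROOT_PASS="${ROOT_PASS:-example-root-passphrase}"  # constructed; never hard-code a real one

write_configs() {
  # Root CA config: unlike the post, the root declares itself a CA.
  cat > "$WORKDIR/ca.conf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = ca_dn
x509_extensions = v3_ca
[ca_dn]
C = TW
O = Duotify Inc.
CN = Duotify Test Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Server config: the post's req.conf with the corrected keyUsage.
  cat > "$WORKDIR/req.conf" <<'EOF'
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
C = TW
ST = Taiwan
L = Taipei
O = Duotify Inc.
OU = IT Department
CN = GSTTEST
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.test1.com
DNS.2 = www.test2.com
IP.1 = 192.168.0.155
EOF
}

gen_root_ca() {
  # AES-256 instead of the post's -des3; -passout/-passin avoid the interactive prompt.
  openssl genrsa -aes256 -passout "pass:$ROOT_PASS" -out "$WORKDIR/RootCA.key" 4096
  openssl req -x509 -new -config "$WORKDIR/ca.conf" -key "$WORKDIR/RootCA.key" \
    -passin "pass:$ROOT_PASS" -days 3650 -out "$WORKDIR/RootCA.crt"
}

gen_server_cert() {
  openssl genrsa -out "$WORKDIR/server.key" 2048
  openssl req -new -config "$WORKDIR/req.conf" -key "$WORKDIR/server.key" -out "$WORKDIR/server.req"
  # -extensions/-extfile carry SAN + keyUsage into the signed cert; 825 days keeps Apple clients happy.
  openssl x509 -req -days 825 -sha256 -extensions v3_req -extfile "$WORKDIR/req.conf" \
    -CA "$WORKDIR/RootCA.crt" -CAkey "$WORKDIR/RootCA.key" -passin "pass:$ROOT_PASS" \
    -CAcreateserial -in "$WORKDIR/server.req" -out "$WORKDIR/server.crt"
}

# Verification helpers: each exits 0 only if the check passes.
verify_chain() { openssl verify -CAfile "$WORKDIR/RootCA.crt" "$WORKDIR/server.crt" >/dev/null; }
verify_host()  { openssl verify -CAfile "$WORKDIR/RootCA.crt" -verify_hostname "$1" "$WORKDIR/server.crt" >/dev/null 2>&1; }
verify_ip()    { openssl verify -CAfile "$WORKDIR/RootCA.crt" -verify_ip "$1" "$WORKDIR/server.crt" >/dev/null 2>&1; }
has_digital_signature() { openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -q 'Digital Signature'; }
root_is_ca()   { openssl x509 -in "$WORKDIR/RootCA.crt" -noout -text | grep -q 'CA:TRUE'; }

build_all() { write_configs; gen_root_ca; gen_server_cert; }

build_all
verify_chain && echo "chain OK"
verify_host www.test1.com && echo "SAN www.test1.com OK"
verify_ip 192.168.0.155 && echo "SAN 192.168.0.155 OK"
has_digital_signature && echo "keyUsage includes digitalSignature"
echo "files in $WORKDIR: RootCA.crt (import this), server.crt + server.key (deploy these)"
```

Run it as `sh selfsigned.sh`; a hostname that is not in the SAN list (for example www.other.com) makes verify_host fail, which is exactly the mismatch a browser would report. RootCA.key stays passphrase-protected in WORKDIR and is the one file that must never leave the machine that issues certificates.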
If your web server cannot be configured to load the private key and the certificate from separate files, concatenate the two into one PEM file:
cat server.crt server.key > server.includesprivatekey.pem
The combined file contains the private key, so restrict its permissions (for example chmod 600) and never hand it out where server.crt alone would do.
References:
如何使用 OpenSSL 建立開發測試用途的自簽憑證 (Self-Signed Certificate) (How to create a self-signed certificate for development and testing with OpenSSL)
chrome ssl pass 自簽 certificate in nginx (include root CA) (Getting Chrome to accept a self-signed certificate in nginx, including the root CA)
https://stackoverflow.com/questions/991758/how-to-get-pem-file-from-key-and-crt-files