我正在创建简单的两个证书;一个是根证书,另一个是服务器证书。后者有rootcert.pem和rootprivkey.pem分配给标志-CA和CAkey分别使用。我已经在系统中安装了根证书并运行sudo update-cacertificates了。经过多次尝试后,我无法使用 openssl 来根据自签名证书验证服务器证书。它给了我这个错误:
error 20 at 0 depth lookup: unable to get local issuer certificate
error servercrt.pem: verification failed
注意:我没有中间证书。
现在,我该如何解决这个问题?
编辑:
用于生成和验证的命令
openssl req -new -newkey rsa:4096 -keyout rootprivkey.pem -out rootreq.pem -config openssl.cnf -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
openssl ca -out rootcrt.pem -days 2652 -keyfile rootprivkey.pem -selfsign -config openssl.cnf -infiles rootreq.pem
openssl req -new -newkey rsa:4096 -keyout serverprivkey.pem -out serverreq.pem -config openssl.cnf
openssl x509 -req -in serverreq.pem -days 1200 -CA rootcrt.pem -CAkey rootprivkey.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out servercrt.pem -set_serial 01
openssl verify -CAfile rootcrt.pem servercrt.pem
openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# You might want to copy this into /etc/ssl/ or define OPENSSL_CONF
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = . # Where everything is kept
certs = $dir # Where the issued certs are kept
crldir = $dir # Where the issued crl are kept
database = $dir # database index file.
unique_subject = yes # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $certs # default place for new certs.
certificate = $certs/rootcrt.pem # The CA certificate
serial = $dir/serial.txt # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $crldir/crl.pem # The current CRL
private_key = $dir/private/rootprivkey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
#x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 4096
default_keyfile = priv.key.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
req_extensions = v3_req
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default =
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default =
localityName = Locality Name (eg, city)
localityName_default =
0.organizationName = Organization Name (eg, company)
0.organizationName_default =
# SET-ex3 = SET extension number 3
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
上面的配置文件首先无法生成根 CA 证书,因为它没有
CommonName条目。我假设那是拼写错误或复制/粘贴错误,配置文件的其余部分是实际使用的。您的证书验证失败,因为您的根 CA 的
BasicConstraint扩展名设置为CA:False. 也就是说,它不是CA,因此就验证而言,不能用于验证其他证书上的数字签名。您需要更改您的配置文件,以便用于生成 CA 证书的命令使用:
basicConstraints = CA:true. 为了使其符合 RFC 5280,您还应该添加关键标志并使用basicConstraints = critical,CA:true.你的方法有点脱节。尝试以下操作:
./openssl.cnf为 CA ( )创建一个 OpenSSL 配置文件接下来,使用与您使用的命令类似的命令创建您的请求:
请注意,
-sigopt选项已被删除,因为此时的签名是用于证明拥有私钥的请求签名,而不是证书本身的签名 - 稍后再说。接下来,对其进行签名以创建自签名 CA 证书:
请注意,这里使用
openssl ca而不是openssl x509which 意味着您可以引用自定义openssl.cnf文件。另请注意使用-extensions选项将命令指向配置文件的特定部分。最后,请注意-sigopt选项已移至此处,因为这是签署您的 CA 证书的命令,因此应该包含您的 PSS 方案。接下来,为您的服务器/终端实体证书 (./server.cnf) 创建一个单独的 OpenSSL 配置文件。
运行与您使用的命令类似的命令,但配置文件已更改。
最后,与 CA 签署:
请注意,这一项没有选项
-extensions,因此 OpenSSL 默认为.x509_extensions =openssl.cnf您现在可以验证证书: