Questions tagged [ssl] (computer)

GuteShel
Asked: 2024-12-12 03:56:47 +0800 CST

OpenSSL does not copy the email into SubjectAltName

I configured OpenSSL via its openssl.cnf file so that subjectAltName is copied from the email, i.e. subjectAltName = email:copy. However, when I sign the CSR, I see that the Subject Alternative Name field is empty, as shown below:

            X509v3 Subject Alternative Name: 
                <EMPTY>

Another thing I noticed is that although the email is present in the CSR, it does not appear anywhere in the certificate.

How do I configure OpenSSL to copy subjectAltName from the email?

ssl
  • 1 answer
  • 50 Views
divB
Asked: 2024-07-18 06:58:12 +0800 CST

Certificate for multiple DNS names: what is needed besides Subject Alternative Name for it to verify correctly?

I created a LetsEncrypt certificate containing two domains, one.example.com and two.example.com (note: I know about wildcard certificates, but this question is about multiple names in one certificate).

The certificate has one.example.com as CN and has both one.example.com and two.example.com as X509v3 Subject Alternative Name attributes.

I use the certificate with nginx.

Conventionally, clients only check whether the CN matches the DNS name, so I expected that, as long as one.example.com and two.example.com now point at the same nginx server, I could reach it via both DNS names. But only one.example.com works.

I can reproduce the problem with openssl:

openssl s_client -showcerts -servername one.example.com -connect 192.168.151.97:443                                                          
Connecting to 192.168.151.97
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E5
verify return:1
depth=0 CN=one.example.com
verify return:1
---
Certificate chain
 0 s:CN=one.example.com
   i:C=US, O=Let's Encrypt, CN=E5
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jul 17 05:27:55 2024 GMT; NotAfter: Oct 15 05:27:54 2024 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:C=US, O=Let's Encrypt, CN=E5
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=CN=one.example.com
issuer=C=US, O=Let's Encrypt, CN=E5
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2434 bytes and written 410 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---


openssl s_client -showcerts -servername two.example.com -connect 192.168.151.97:443
Connecting to 192.168.151.97
CONNECTED(00000003)
402EB7DC01000000:error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:907:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 333 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

So you can see that one.example.com works but two.example.com does not, even though it is listed as a Subject Alternative Name.

Even if I explicitly specify -servername two.example.com, nothing changes.

Why can browsers/openssl not successfully verify two.example.com?

ssl
  • 1 answer
  • 32 Views
Scott E
Asked: 2024-06-17 09:00:20 +0800 CST

How to add a private key to an SSL certificate

My SSL certificate reseller provided me with a certificate file, a CSR, a public key and a private key, all as txt files containing ciphertext. I have to renew the SSL certificate hosted on an IIS server, and the certificate must contain the private key for IIS to accept it. My questions:

  1. What file extension does the certificate file need? (I will rename the txt file containing the ciphertext to that extension)

  2. What file extension does the private key need? (I will rename the txt file containing the ciphertext to that extension)

  3. I know you can use openssl to insert the private key into the certificate. What command should I use to run openSSL?

  4. Obviously the certificate and key must be in the correct format for Open SSL to work; I have tried many different combinations and still had no success!

ssl
  • 1 answer
  • 33 Views
user180574
Asked: 2024-06-02 03:50:30 +0800 CST

openssl certificate signing: subject line not copied

When I created the CSR, I specified the subject line.

$ openssl req -in csr -noout -text
...
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = 12345-67890, serialNumber = 67890, 1.3.5.7.9.24.6.8 = 1234
...

$ openssl ca -verbose -config signer.cnf -in csr -out output.crt
...
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = 12345-67890, serialNumber = 67890, 1.3.5.7.9.24.6.8 = 1234
...
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName        :ASN.1 12:'12345-67890'
serialNumber      :PRINTABLE:'67890'
1.3.5.7.9.24.6.8  :ASN.1 12:'1234'
Everything appears to be ok, creating and signing the certificate
Successfully added extensions from config
The subject name appears to be ok, checking data base for clashes
Certificate is to be certified until Jun  1 16:48:27 2025 GMT (365 days)
Sign the certificate? [y/n]:

But when I inspect output.crt, the subject line is an empty "Subject:".

Below is the configuration "signer.cnf".

[ ca ]
default_ca = my_ca

[ my_ca ]
dir = .
certs = $dir
new_certs_dir = $dir
database = index.txt
serial = serial
private_key = ...
certificate = ...
default_days = 365
policy = my_policy
x509_extensions = my_extensions
copy_extensions = copy

[ my_extensions ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment

[ my_policy ]
ssl
  • 1 answer
  • 22 Views
readyStateFail
Asked: 2024-05-23 22:00:40 +0800 CST

How to obtain a trusted signed client certificate to use with an FTPS site in IIS and bind it to a Windows user?

A third party requires me to set up an FTPS site for them to connect to.

I am doing this on IIS 10.

The third-party client needs to use a client certificate bound to the FTP user.

I have tested this and got everything working with a self-signed client certificate.

However, there is also a requirement that the client certificate be signed by a trusted CA.

I am familiar with generating server certificates with win-acme, but I am not sure whether win-acme can generate client certificates [not bound to a domain].

I have tried generating a client certificate with win-acme, but since the certificate is bound to a user name rather than a domain name, I cannot see a way to validate the certificate.

How can I obtain a trusted client certificate that can be bound to an FTP user and used by the third party to connect to the FTP site?

Thanks a lot for any help.

ssl
  • 1 answer
  • 252 Views
Daviid
Asked: 2024-05-23 03:26:16 +0800 CST

Trying to create a .crt and .key for apache with certutil/certreq ends up with empty files

I have this cert_functions.ps1 file

$ErrorActionPreference = "Stop"
$PSDefaultParameterValues['*:ErrorAction']='Stop'
function New-WorkstationCertificateRequestConfiguration {
    param(
        [Parameter(Mandatory=$true)]
        [string]$DOMAIN,
        [Parameter(Mandatory=$true)]
        [string]$ORGANIZATION
    )

    # static parameters
    $keyAlgorithm = 'RSA'
    $keySize = '2048'
    $hashAlgorithm = 'sha256'

    $template = @'
; Request.inf
[Version]
Signature="`$Windows NT$"

[NewRequest]
Subject = "CN=_DOMAIN_NAME_,C=ES,ST=YYYYYYYYY,L=XXXXXXXX,O=_ORGANIZATION_"
MachineKeySet = TRUE
KeyLength = _KEY_SIZE_
KeySpec=1
Exportable = TRUE
ExportableEncrypted = TRUE
RequestType = PKCS10
HashAlgorithm = _HASH_ALGORITHM_
KeyAlgorithm = _KEY_ALGORITHM_
SMIME = FALSE
EncryptionAlgorithm = AES
EncryptionLength = 128
ProviderName = "Microsoft Software Key Storage Provider"
FriendlyName = _DOMAIN_NAME_

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = "{text}"
_continue_ = "DNS=_DOMAIN_NAME_&"
_continue_ = "DNS=testing._DOMAIN_NAME_&"
'@
   
        $template = $template -replace '_DOMAIN_NAME_',$DOMAIN
        $template = $template -replace '_ORGANIZATION_',$ORGANIZATION
        $template = $template -replace '_KEY_ALGORITHM_',$keyAlgorithm
        $template = $template -replace '_KEY_SIZE_',$keySize
        $template = $template -replace '_HASH_ALGORITHM_',$hashAlgorithm

        return $template
}

function New-WebHostingCertificate {
    param(
        [parameter(mandatory=$true)]
        [string]$domain,
        [string]$organization,
        [string]$authoritycertificatesserver = "localhost\MYORG-AD01-CA"
    )
    
    # check if $organization is not provided as an argument
    if (-not $organization) {
        # derive $organization from $domain (hostname without tld and subdomains)
        $organization = get-organization -domain $domain
    } else {
        echo $organization.gettype()
        $organization = $organization.toupper()[0] + $organization.substring(1)
    }
    
    $answerfile = new-temporaryfile
    $requestfile = new-temporaryfile
    $publiccertfile = new-temporaryfile
    $pfxcertfile = new-temporaryfile
    $privatekeyfile = new-temporaryfile
    $certfile = new-temporaryfile
    
    set-content $answerfile.fullname (new-workstationcertificaterequestconfiguration -domain $domain -organization $organization)
    
    # logging progress: creating certificate request
    write-output "creating certificate request..."
    try {
        echo "certreq -new $($answerfile.fullname) $($requestfile.fullname)"
        invoke-expression -command "certreq -new -f -q $($answerfile.fullname) $($requestfile.fullname)"
    } catch {
        write-error "couldn't create certificate request"
        return
    }
    
    # logging progress: submitting certificate request
    write-output "submitting certificate request..."
    try {
        echo "certreq -submit -config $($authoritycertificatesserver) $($requestfile.fullname) $($publiccertfile.fullname)"
        invoke-expression -command "certreq -submit -config $($authoritycertificatesserver) $($requestfile.fullname) $($publiccertfile.fullname) | select-string 'id. de solicitud: (\d+)' | foreach-object { `$_.matches.groups[1].value }"  -outvariable id_solicitud
        # invoke-expression -command "certreq -submit -config $($authoritycertificatesserver) $($requestfile.fullname) $($publiccertfile.fullname)"
    } catch {
        write-error "couldn't submit certificate request"
        return
    }
    
    # logging progress: resubmitting certificate request
    write-output "resubmitting certificate request..."
    try {
        invoke-expression -command "certutil -resubmit $($id_solicitud)"
    } catch {
        write-error "couldn't resubmit certificate request"
        return
    }
    
    # logging progress: retrieving certificate request
    write-output "retrieving certificate request..."
    try {
        invoke-expression -command "certreq -retrieve -f -q -config $($authoritycertificatesserver) $($id_solicitud) $($publiccertfile.fullname)"
    } catch {
        write-error "couldn't retrieve certificate request"
        return
    }
    
    # logging progress: accepting certificate request
    write-output "accepting certificate request..."
    try {
        echo "certreq -accept -f -q -user -config $($authoritycertificatesserver) $($publiccertfile.fullname)"
        invoke-expression -command "certreq -accept -f -q -user -config $($authoritycertificatesserver) $($publiccertfile.fullname)"
    } catch {
        write-error "couldn't accept certificate request"
        return
    }
    
    # get thumbprint of the newly generated certificate
    $certprint = new-object -typename system.security.cryptography.x509certificates.x509certificate2($publiccertfile)
    $thumbprint = $certprint.thumbprint
    
    # logging progress: exporting signed certificate to pfx file
    write-output "exporting signed certificate to pfx file..."
    try {
        echo "certutil -user -exportPFX -p 'foo' my $($thumbprint) cert.pfx"
        invoke-expression -command "certutil -user -exportPFX -p 'foo' my $($thumbprint) cert.pfx"
        if ($LASTEXITCODE -ne 0) {
            Write-Error "An error occurred: $output"
            return
        }
    } catch [System.Exception] {
        $message = $Error[0].Exception.Message
        Write-Error "Couldn't export PFX certificate request $message"
        return
    }
    
    # logging progress: extracting private key from pfx file
    write-output "extracting private key from pfx file..."
    try {
        echo "openssl pkcs12 -in cert.pfx -nocerts -out $($DOMAIN).key"
        invoke-expression -command "openssl pkcs12 -in cert.pfx -nocerts -out $($DOMAIN).key"
    } catch {
        write-error "couldn't extract private key from pfx"
        return
    }

    # logging progress: extracting certificate from pfx file
    write-output "extracting certificate from pfx file..."
    try {
        echo "openssl pkcs12 -in cert.pfx -clcerts -nokeys -out $($DOMAIN).crt"
        invoke-expression -command "openssl pkcs12 -in cert.pfx -clcerts -nokeys -out $($DOMAIN).crt"
    } catch {
        write-error "couldn't extract certificate from pfx"
        return
    }

    # cleanup temporary files
    write-output "cleaning up temporary files..."
    try {
        remove-item $answerfile.fullname, $requestfile.fullname, $publiccertfile.fullname, $pfxcertfile.fullname -force
        write-output "removed temporary files"
    } catch {
        write-error "failed to remove temporary files"
    }

    # security cleanup
    write-output "cleaning up certificate requests..."
    try {
        get-childitem cert:\localmachine\request\ | remove-item -force
    } catch {
        write-error "failed to cleanup certificate requests"
    }
}

function Renew-WebHostingCertificates {
    param(
        [string]$AuthorityCertificatesServer = "localhost\MYORG-AD01-CA"
    )
    
    $keyFiles = Get-ChildItem -File -Filter "*.key" | Where-Object  { ($_.Name -match ".key$") -and ($_.Name -ne "root.key") }

    foreach ($keyFile in $keyFiles) {
        $DOMAIN = $keyFile.Name -replace '\.key$'
        $ORGANIZATION = Get-Organization -DOMAIN $DOMAIN
        
        Invoke-Expression -OutVariable NUMERO_SERIE -Command "certutil -view -restrict `"CommonName=$($DOMAIN),Disposition=20`" -out `"SerialNumber`" | Select-String 'N.*mero de serie: `"(.+)`"' | ForEach-Object { `$_.Matches.Groups[1].Value }"
        
        if ($NUMERO_SERIE) {
            Invoke-Expression -Command "certutil -revoke $($NUMERO_SERIE) 4"
        }
        
        echo $DOMAIN
        echo $ORGANIZATION
        
        New-WebHostingCertificate -DOMAIN $DOMAIN -ORGANIZATION $ORGANIZATION
    }
}


function Get-Organization {
    param(
        [Parameter(Mandatory=$true)]
        [string]$DOMAIN
    )
    
    $regexExpression = "(?<domainname>(?<ip>^[A-Fa-f\d\.:]+$)|(?<nodots>^[^\.]+$)|(?<fqdomain>(?:(?:[^\.]+\.)?(?<tld>(?:[^\.\s]{2})(?:(?:\.[^\.\s][^\.\s])|(?:[^\.\s]+)))))$)"
    if ($DOMAIN -match $regexExpression) {
        # The text matches the regex pattern
        # You can access matched groups like this:
        $domainname = $matches['domainname']
        $ip = $matches['ip']
        $nodots = $matches['nodots']
        $fqdomain = $matches['fqdomain']

        # Use the matched values as needed
        $ORGANIZATION = $domainname.split('.')[0]
    } else {
        $ORGANIZATION = $DOMAIN
    }
    
    return $ORGANIZATION
}

Whenever I want to run it, I execute this in an administrator PowerShell

cd C:\Apache24\certificates && Import-Module .\cert_functions.ps1 && New-WebHostingCertificate

I get cert.pfx with the CA and certificate information, but the crt and key files are 0 KB

Here is a sample output:

PS C:\Users\daviid> cd C:\Apache24\certificates && Import-Module .\cert_functions.ps1 && new-WebHostingCertificate

cmdlet New-WebHostingCertificate at command pipeline position 1
Supply values for the following parameters:
domain: example.com
creating certificate request...
certreq -new C:\Users\daviid\AppData\Local\Temp\1\tmpuw1yqs.tmp C:\Users\daviid\AppData\Local\Temp\1\tmpzgbyas.tmp

CertReq: Solicitud creada
submitting certificate request...
certreq -submit -config localhost\MYORG-AD01-CA C:\Users\daviid\AppData\Local\Temp\1\tmpzgbyas.tmp C:\Users\daviid\AppData\Local\Temp\1\tmpa3y433.tmp
152
resubmitting certificate request...
Certificado emitido.
CertUtil: -resubmit comando completado correctamente.
retrieving certificate request...
Id. de solicitud: 152
Id. de solicitud: "152"
Certificado recuperado (Emitida) Emitida  Reenviado por MYORG\daviid
accepting certificate request...
certreq -accept -f -q -user -config localhost\MYORG-AD01-CA C:\Users\daviid\AppData\Local\Temp\1\tmpa3y433.tmp
Certificado instalado:
  Número de serie: 4900000098a01baad244749bbf000000000098
  Sujeto: CN=example.com, O=example, L=XXXXXXXX, S=YYYYYYYYY, C=ES (Nombre DNS=example.com, Nombre DNS=testing.example.com)
  NotBefore: 22/05/2024 20:57
  NotAfter: 22/05/2025 21:07
  Huella digital: 9d8e76343bcda0e03b274393ed7fdb110fe4fa68

exporting signed certificate to pfx file...
certutil -user -exportPFX -p 'foo' my 9D8E76343BCDA0E03B274393ED7FDB110FE4FA68 cert.pfx
my "Personal"
================ Certificado 37 ================
Número de serie: 4900000098a01baad244749bbf000000000098
Emisor: CN=MYORG-AD01-CA, DC=MYORG, DC=COM
 NotBefore: 22/05/2024 20:57
 NotAfter: 22/05/2025 21:07
Sujeto: CN=example.com, O=example, L=XXXXXXXX, S=YYYYYYYYY, C=ES
Certificado no raíz
Hash de cert(sha1): 9d8e76343bcda0e03b274393ed7fdb110fe4fa68
No hay información sobre el proveedor de claves
No se encuentra el certificado y la clave privada para el descifrado.
CertUtil: -exportPFX comando completado correctamente.
extracting private key from pfx file...
openssl pkcs12 -in cert.pfx -nocerts -out example.com.key
Enter Import Password:

extracting certificate from pfx file...
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out example.com.crt
Enter Import Password:

cleaning up temporary files...
removed temporary files
cleaning up certificate requests...
PS C:\Apache24\certificates>

Here is the output of openssl pkcs12 -info -in .\cert.pfx (base64 modified)

PS C:\Apache24\certificates> openssl pkcs12 -info -in .\cert.pfx
Enter Import Password:

MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Certificate bag
Bag Attributes: <Empty Attributes>
subject=DC = COM, DC = MYORG, CN = MYORG-AD01-CA
issuer=DC = COM, DC = MYORG, CN = MYORG-AD01-CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <Empty Attributes>
subject=C = ES, ST = YYYYYYYYY, L = XXXXXXXX, O = example, CN = example.com
issuer=DC = COM, DC = MYORG, CN = MYORG-AD01-CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

I tried this Python code

from cryptography.hazmat.primitives.serialization import pkcs12

# p12_file_path: path to cert.pfx; p12_password: the import password used for the export
with open(p12_file_path, 'rb') as pfxFile:
    (privatekey, certificate, cas) = pkcs12.load_key_and_certificates(pfxFile.read(), p12_password.encode('utf-8'))

privatekey and certificate are both None, while cas contains my CA data and my hostname data.

print(privatekey)
print(certificate)
print(cas)


None
None
[<Certificate(subject=<Name(DC=COM,DC=MYORG,CN=MYORG-AD01-CA)>, ...)>, <Certificate(subject=<Name(C=ES,ST=XXXXXXX,L=YYYYYY,O=ffff,CN=ffff)>, ...)>]

What am I doing wrong?

Update:

openssl req -new -nodes -newkey rsa:2048 -keyout $certKey -out $certCsr -config $certCfg

certreq -config $AuthorityCertificatesServer -submit $certCsr | Select-String 'Id. de solicitud: (\d+)' | ForEach-Object { $_.Matches.Groups[1].Value } -OutVariable ID_SOLICITUD

certutil -resubmit $ID_SOLICITUD

Now I am stuck here: if I don't run certutil -resubmit, my certificate stays pending in the certsrv window and certreq -accept does nothing; if I do run certutil -resubmit, it automatically goes to the issued certificates on certsrv (so do I still need the following commands?).

Not sure about the following sequence:

certreq -accept -user -config $($AuthorityCertificatesServer) $certRsp

certreq -config $AuthorityCertificatesServer -retrieve $ID_SOLICITUD $certRsp $certP7b

openssl pkcs7 -in $certP7b -print_certs > $certPem


Output of certutil.exe -dump -split <file>

Mensaje PKCS7/CMS:
  CMSG_SIGNED(2)
  CMSG_SIGNED_DATA_CMS_VERSION(3)
  Tipo de contenido: 1.3.6.1.5.5.7.12.3 Respuesta de CMC

Contenido de mensaje PKCS7:
================ Iniciar nivel de anidación 1 ================
Respuesta CMS:
Atributos etiquetados: 1

  Id. de cuerpo: 1
  1.3.6.1.5.5.7.7.1 Información de estado de CMC
  Valor[0]:
    Información de estado de CMC: CMC_STATUS_PENDING(3)
    Referencia de Id. de cuerpo[0]: 1
    Cadena de estado: Tomada bajo proposición
    Otra elección de información: CMC_OTHER_INFO_PEND_CHOICE(2)
Token pendiente:    0000  c2 00 00 00                                        ....
     Tiempo pendiente 24/05/2024 14:41


Información del contenido etiquetada: 0
Otros mensajes etiquetados: 0
----------------  Finalizar nivel de anidación 1  ----------------

Contador de firmantes: 1
No se confía en ninguno de los firmantes del mensaje criptográfico o de la lista de certificados de confianza. 0x8009202b (-2146885589 CRYPT_E_NO_TRUSTED_SIGNER)
No se confía en ninguno de los firmantes del mensaje criptográfico o de la lista de certificados de confianza. 0x8009202b (-2146885589 CRYPT_E_NO_TRUSTED_SIGNER)

Información de firmante[0]:
CMSG_SIGNER_INFO_PKCS_1_5_VERSION(1)
CERT_ID_ISSUER_SERIAL_NUMBER(1)
    Número de serie: 63feb01c81d64f924760ca5c27c1cc15
    Emisor: CN=MYORG-AD01-CA, DC=MYORG, DC=COM
Algoritmo hash:
    Id. de objeto del algoritmo: 2.16.840.1.101.3.4.2.3 sha512 (sha512NoSign)
    Parámetros de algoritmo: NULL
Algoritmo hash cifrado:
    Id. de objeto del algoritmo: 1.2.840.113549.1.1.1 RSA
    Parámetros de algoritmo: NULL
Hash cifrado:
    [...]

Atributos autenticados[0]:
  2 atributos:

  Atributo[0]: 1.2.840.113549.1.9.3 (Tipo de contenido)
    Valor[0][0], Longitud = a
    1.3.6.1.5.5.7.12.3 Respuesta de CMC

  Atributo[1]: 1.2.840.113549.1.9.4 (Síntesis del mensaje)
    Valor[1][0], Longitud = 42
    Síntesis del mensaje:
        0072197ea46d7b12e77c687b70db82488626e206e703fbe3ef6da2fdeb832f36d8cd2ad446aab57429e32b505c5e557e14191692403fdbadf1ea2b2f9cc51f42

Atributos no autenticados[0]:
  0 atributos:

Algoritmo hash calculado: 9b1099cc47c2abcee33e791bf254ec6b0cb75ff20149e4a7e86b63fbb3c0ad59c6b5783c1e9c796417eeba3e28917837e8f166ec4ff8432b9c54210d32a4e0a3
Sin destinatario
Algoritmo hash calculado: 9b1099cc47c2abcee33e791bf254ec6b0cb75ff20149e4a7e86b63fbb3c0ad59c6b5783c1e9c796417eeba3e28917837e8f166ec4ff8432b9c54210d32a4e0a3

No hay certificados
No hay CRLs

ssl
  • 1 answer
  • 46 Views
Zvi Vered
Asked: 2024-04-23 12:08:00 +0800 CST

SSL in a private network

My network contains one Windows PC and dozens of embedded PCs running Linux. The customer requires that communication between the PC and all endpoints be protected.

In the endpoints I am running a python HTTP server:

import ssl
from http.server import HTTPServer

context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.check_hostname = False
context.load_cert_chain('certificate.pem', 'private.key')

server_address = ('10.0.0.2', 1443)
# CustomHTTP is the request handler class (a BaseHTTPRequestHandler subclass) defined elsewhere
httpd = HTTPServer(server_address, CustomHTTP)
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)

httpd.serve_forever()

Each endpoint has a different IP (of course). Should I create a different certificate for each endpoint?

ssl
  • 2 answers
  • 27 Views
Nicolas Holthaus
Asked: 2024-03-03 04:35:38 +0800 CST

Unable to generate a Let's Encrypt certificate on an Asustor NAS, error Ref. 5402

When trying to generate a Let's Encrypt certificate for my Asustor NAS via Settings -> Certificate Manager (following the instructions), the process repeatedly fails with error Ref. 5402. Uninstalling/reinstalling the Let's Encrypt ACME Client from Asustor's App Central did not help. What else can I try?

ssl
  • 1 answer
  • 21 Views
Rick Brian
Asked: 2024-01-24 09:33:03 +0800 CST

Nginx without a public certificate

Is there any way to configure Nginx without a public certificate?

The goal here is that I want to publish an API on the public internet, but all API clients (whitelisted clients) should SSL-pin the public certificate in their applications rather than fetch an ephemeral certificate on request. So we don't need nginx to publish the public certificate.

I know that sharing the certificate publicly is harmless, but this particular requirement comes from our enterprise customers. They even asked whether we could put an invalid public certificate in nginx... so that an "attacker" without the real public certificate would see the API as an error, while the real ssl-pinning clients would be able to use the API normally.

ssl
  • 4 answers
  • 2007 Views
bimbo1989
Asked: 2023-11-29 01:32:50 +0800 CST

Wikimedia's SSL certificate is invalid, only on my PC and only on LAN; resolves correctly on Wi-Fi

Since yesterday I have been having problems with any URL under https://upload.wikimedia.org/; they all give an ERR_CERT_COMMON_NAME_INVALID error.

I tried some troubleshooting and found that SSL Checker does not detect an error (https://www.sslshopper.com/ssl-checker.html#hostname=https://upload.wikimedia.org/), and even accessing the URL through a proxy site like https://www.proxysite.com/ works.

I noticed that the certificate I get looks suspicious to say the least. What is sinkhole.duskrise.com?

This happens in every browser, even in Windows 11 Sandbox mode. Note that on Wi-Fi everything works fine; the problem seems to appear only when connecting over LAN. I am using a Home&Life HUB provided by my ISP (WindTre).

Could this be malware-related? Note that this is the only site I have problems with; Wikipedia works fine, except that all the images hosted on wikimedia.org are not displayed.

ssl
  • 2 answers
  • 85 Views