我创建了一个(自签名)根证书,并使用我用 Java 开发的系统签署了一个 Web 服务器证书(该 Web 证书用于 Apache 2.4.41)。
证书在 Linux 和 Mac 中正常工作(在不同的 Webkit 浏览器和 Firefox 中测试)。证书和服务器设置A+
使用testssl.sh得分。
CA 证书在没有任何警告的情况下正确安装,但在 Windows 中不被接受(仍然显示红色三角形警告和NET::ERR_CERT_AUTHORITY_INVALID
错误)(使用 2 个 Windows 10 设备进行测试,其中一个是全新安装)。在 Chrome、Edge 和 Firefox 中测试。
我尝试了很多事情:
- 使用
certlm.msc
,certutil.exe
, 通过settings
或双击文件安装它们 - 本地或用户范围
- 使用不同的设置重新生成根证书
- 更改 Apache 设置
- 重新启动浏览器和计算机
- 停止杀毒软件
我已经阅读了这个站点中的相关问题(似乎没有解决它)并且我已经查看了其他网站的解决方案,但没有成功。
这是同一系统生成的假CA证书(设置相同,只是这里的密钥长度为1024,以减少本文的大小):
密钥和证书:
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAJg/x+BCM0xGDiaC
qc5h+83wrjZ/HVxaZ7GHK7g/sca4fvF1KQuADqx+iDfehxNpZ5hCjmAsgBgWkIbc
E0Md/C6srSRWS4/EeoAPRgFJK2k5SNC0L1QII0DKc0xS7y9CRqcoPFWUt7ncUeuw
RZGmDMYbNiqcamgjCWfnIPRB7kgVAgMBAAECgYBD4FuaDamVHb59SM+vpVt/ywfA
YBeU7vE/4oWJVUxKzkI6IAO2jtb77EWKsvkBnIKFDVcwZWaOVrEEjuU/jQS6jvRU
Ozwbvo4o9UhkxzEhNuREE7d0cs3RSzWBJ1u5PMYT8G7GXsIP22HgRD2XP86VBfSf
TWAqKcfNWpNFtlA/wQJBAPAPULdIEvfO2e3VDNB/5Li50Et7jd8fzBU9B7U0Axus
keuS3oer+zeA2nXinfd7rwFEyZN3tSUsU/8oQwlOzCkCQQCiW84xVNccCPcucwWu
2nEagbFcYyouh/Ml5fR00uBgA8K27y8NHLgzNuqob1zqW7TgsmgCYaTnPbol0t/I
29oNAkEAviQTVaiTxY4klTmL1dWHDz22GyN44sLnvebCJSdWUuQkDAgflCyHZZX8
8ySU5EImAoY+dzx40UHEIjT8q/GqyQJAXZMkB/Kp+BKCxFau09Q6k9hj7KeKzD62
uQUMG7jecPg55U19hMUktP/VxzZICxrH6SlqINU+Qbil7N7Y898ikQJAacFKaTdU
2VmKAT1WaO6DPNmwhJ72a4cTAol9y79CFndjrTtGSENJwseqTgPTr+LtRBq3S+nZ
r5a1qsB0bzNGvg==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIC1zCCAkCgAwIBAgIIX2TQo7pcNcQwDQYJKoZIhvcNAQELBQAwgYsxFzAVBgNV
BAMMDkZha2UgQXV0aG9yaXR5MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJ
BgNVBAcMAkxBMRQwEgYDVQQKDAtFeGFtcGxlIExURDENMAsGA1UECwwETm9uZTEk
MCIGCSqGSIb3DQEJARYVd2VibWFzdGVyQGV4YW1wbGUuY29tMB4XDTIxMTExMDIx
MDY1M1oXDTIyMTExMDE1MDAwMFowgYsxFzAVBgNVBAMMDkZha2UgQXV0aG9yaXR5
MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJBgNVBAcMAkxBMRQwEgYDVQQK
DAtFeGFtcGxlIExURDENMAsGA1UECwwETm9uZTEkMCIGCSqGSIb3DQEJARYVd2Vi
bWFzdGVyQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCY
P8fgQjNMRg4mgqnOYfvN8K42fx1cWmexhyu4P7HGuH7xdSkLgA6sfog33ocTaWeY
Qo5gLIAYFpCG3BNDHfwurK0kVkuPxHqAD0YBSStpOUjQtC9UCCNAynNMUu8vQkan
KDxVlLe53FHrsEWRpgzGGzYqnGpoIwln5yD0Qe5IFQIDAQABo0IwQDAPBgNVHRMB
Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQURaB83qfjI0wv+tvJ
myfInKagSgswDQYJKoZIhvcNAQELBQADgYEAYQ2PvvfQSe9WtG6peJ4B52bG1Mzs
U+jE9xc4oWEfvekkpjOkZ4dbk89gBVeAZsSxdffcQfFPyRKE9vubYrd9xuemUAGE
51ZyMqJWMawFRxtXdV1e6a1OTH1qKks61obwtRuRBOweoUW4KrOSgCLB3VhmXKVe
YJiVhpvJCxzi/MI=
-----END CERTIFICATE-----
加州摘要
Version: 3
SerialNumber: 6873848332899071428
IssuerDN: CN=Fake Authority,C=US,ST=CA,L=LA,O=Example LTD,OU=None,[email protected]
Start Date: Thu Nov 11 06:06:53 JST 2021
Final Date: Fri Nov 11 00:00:00 JST 2022
SubjectDN: CN=Fake Authority,C=US,ST=CA,L=LA,O=Example LTD,OU=None,[email protected]
Public Key: RSA Public Key [b8:07:ef:1f:8e:91:c0:ab:12:db:38:3f:76:e7:0a:7f:21:9d:fe:49],[56:66:d1:a4]
modulus: 983fc7e042334c460e2682a9ce61fbcdf0ae367f1d5c5a67b1872bb83fb1c6b87ef175290b800eac7e8837de8713696798428e602c8018169086dc13431dfc2eacad24564b8fc47a800f4601492b693948d0b42f54082340ca734c52ef2f4246a7283c5594b7b9dc51ebb04591a60cc61b362a9c6a68230967e720f441ee4815
public exponent: 10001
Signature Algorithm: SHA256WITHRSA
Signature: 610d8fbef7d049ef56b46ea9789e01e766c6d4cc
ec53e8c4f71738a1611fbde924a633a467875b93
cf6005578066c4b175f7dc41f14fc91284f6fb9b
62b77dc6e7a6500184e7567232a25631ac05471b
57755d5ee9ad4e4c7d6a2a4b3ad686f0b51b9104
ec1ea145b82ab3928022c1dd58665ca55e609895
869bc90b1ce2fcc2
Extensions:
critical(true) BasicConstraints: isCa(true)
critical(true) KeyUsage: 0x6
critical(false) 2.5.29.14 value = DER
服务器证书
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCMzMPwSTHQTaxu
rtfnFFVXLXnDOkolG2iuA4H7KkPrizZ24vloFCU353wsT2YVJ9ykIw+Y58vXqEw8
QjlhOHMRMetWeaEMH562uhakb8S+KArQN7SZh9vw7TF7OwiCIg/sWcle87j9ETSn
NtZ4M0HMQ+s+AOX0jDLDWAW08wXk0hXAOHMvaaqnC3NoI94/joQoElctaCpUhrov
kmmDIrJHufplUtMdJrqkzhrUfzKHkslTBLeTHAHHgNdX45JjYibZlqVY3rLns9NI
DIN199ciAnJpqSlvp65SMLJUMFFp2kWK0/S8gnTo41QjcGMBNYR4KiGAPmZPzjaR
QFw9G8mdAgMBAAECggEAWUQhHaBqMpRsNCgpvdmIWaL9RacZBvmfnmOe7uxW72jt
eOZiFXhgOFdMxJL6N4N0QaPw6ZJcDDgpTTL3SgoN+eLaP5MRZaxOZa8JV+t8osqk
QGpw173o1ZCsBGLi/A44ZjJulwKST++uoC0GQGLO3oBZDpBnOmoAbRTLWXOSUwVe
pFyWB/5VYtBKAaTwd8MmoNuTCL9o1CGutBHsaUCglnHv/Z2Ar7JLJaiDPEu2/kSe
H/5YroI6L1FF8X0TsCpcxOiMOW/eFzW6TDrbo/kggHRnVRGjoM+rPr8E7nKYlNks
whQI2aA2pcazWoBBwzYyscD7jXQJfKNNZQ3pun1aQQKBgQDzBeanFuzZmYcVjfq3
QmWydKIIMyn+FuqiXhP1Hs9sRcsFS+FfG4RfZJXJNpJ+4NaAOgTyvofpmZ0g6M6a
M5heae+Hhl/942xzcUqpiK3pJ0YaRy/aluo33O6tyDXAmvPqLBkJO0EfOneBHaAe
KjVm3vK8xvf+fpE022rm36AU+QKBgQCUUXwDAEvWpwhlrWlzT2b1iONKWsZNV3vd
Uy83zqZXJ2P+biaz9xFaNCiKXo5ziZU1XZVPg8+rYv2R3kxtAjgjNUwxr6vF/ZBs
2gpLy0YhoCjk/xcIIAFldna/a7vTUPDSNn4HWxkjEqgMu+GEzyngjZkm8sY7v3bi
oXgPtuBWxQKBgQDkzVt5WQYpYHhj/MZdn2+r8k9TNQiGJwFFWRmlIBrdr2ATXnuT
VY7tWQAE7xJBzmFlXDqoaGYBsxTSlR1e5NDBoy9XA1aA7IuArNtEfmBuMQG5X+hX
/toJOkKk7uhcrAaVJGt124nWYu98am4DuG2KqsESpql5u6Puhd5B+6z10QKBgCT1
hSyOR1eu+dW0d8GHOMXYnaLqqd2d/jyxvONwOF0hcLZ3JmfUGlvbAXsxgtfhoe/R
aSKOWxJ/MWbG+U50rh5/6oO7HdfRjsrBLq2ictBwQ6CEvG2G5DIvafnbU8udsNUB
RTh6B/KIdJ3vt4vLv8i4IEDnYGSFGo/w4qUv0gltAoGACLthSVxyNdZCX/21WRdq
THzdUqV39gkaNVJdT10UQzhzMZSBchoiSDSNha33XEwJqr3UivAuYeAqTeRI6jdr
7BBjXjQ0d3OhtgwqL2AHHzudzYhvSoUmPgfJ1YWeJvUVzGDowz5z6HEjc637GZU4
+ph1ewJMz75BlRZjT7kfi5o=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDvTCCAyagAwIBAgIIXETyGvtei7MwDQYJKoZIhvcNAQELBQAwgYsxFzAVBgNV
BAMMDkZha2UgQXV0aG9yaXR5MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJ
BgNVBAcMAkxBMRQwEgYDVQQKDAtFeGFtcGxlIExURDENMAsGA1UECwwETm9uZTEk
MCIGCSqGSIb3DQEJARYVd2VibWFzdGVyQGV4YW1wbGUuY29tMB4XDTIxMTExMDIx
MDgzN1oXDTIyMTExMDE1MDAwMFowgYgxGTAXBgNVBAMMEGZha2UuZXhhbXBsZS5j
b20xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCTEExFDASBgNV
BAoMC0V4YW1wbGUgTFREMQ0wCwYDVQQLDAROb25lMR8wHQYJKoZIhvcNAQkBFhBm
YWtlQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
jMzD8Ekx0E2sbq7X5xRVVy15wzpKJRtorgOB+ypD64s2duL5aBQlN+d8LE9mFSfc
pCMPmOfL16hMPEI5YThzETHrVnmhDB+etroWpG/EvigK0De0mYfb8O0xezsIgiIP
7FnJXvO4/RE0pzbWeDNBzEPrPgDl9Iwyw1gFtPMF5NIVwDhzL2mqpwtzaCPeP46E
KBJXLWgqVIa6L5JpgyKyR7n6ZVLTHSa6pM4a1H8yh5LJUwS3kxwBx4DXV+OSY2Im
2ZalWN6y57PTSAyDdffXIgJyaakpb6euUjCyVDBRadpFitP0vIJ06ONUI3BjATWE
eCohgD5mT842kUBcPRvJnQIDAQABo4GmMIGjMAwGA1UdEwEB/wQCMAAwHwYDVR0j
BBgwFoAUx90O8ddg/Fo/lTlIjapK58YMBCEwDgYDVR0PAQH/BAQDAgOoMEMGA1Ud
EQQ8MDqBEGZha2VAZXhhbXBsZS5jb22CEGZha2UuZXhhbXBsZS5jb22CFHd3dy5m
YWtlLmV4YW1wbGUuY29tMB0GA1UdDgQWBBTH3Q7x12D8Wj+VOUiNqkrnxgwEITAN
BgkqhkiG9w0BAQsFAAOBgQCI3Ri0d6W6ETohRaGKLSqH5SDf//g0C9t2rp2ox8po
BjuAMlPHtRn6bfMC6xIsqznjDYZSni2YEMf6YBLivimbo9rYC18E/I5u5KsqvIa+
ze5VZd5U7O8+4+8Uaf+R/Re4gdf7eJ3j02iP4d8wKevfUfD8Vcuddx9mrWqluCEZ
KQ==
-----END CERTIFICATE-----
证书摘要
Version: 3
SerialNumber: 6648705147606043571
IssuerDN: CN=Fake Authority,C=US,ST=CA,L=LA,O=Example LTD,OU=None,[email protected]
Start Date: Thu Nov 11 06:08:37 JST 2021
Final Date: Fri Nov 11 00:00:00 JST 2022
SubjectDN: CN=fake.example.com,C=US,ST=CA,L=LA,O=Example LTD,OU=None,[email protected]
Public Key: RSA Public Key [2e:cd:8e:16:02:6f:b3:27:16:01:21:cb:1a:2b:9b:27:18:71:86:87],[56:66:d1:a4]
modulus: 8cccc3f04931d04dac6eaed7e71455572d79c33a4a251b68ae0381fb2a43eb8b3676e2f968142537e77c2c4f661527dca4230f98e7cbd7a84c3c42396138731131eb5679a10c1f9eb6ba16a46fc4be280ad037b49987dbf0ed317b3b0882220fec59c95ef3b8fd1134a736d6783341cc43eb3e00e5f48c32c35805b4f305e4d215c038732f69aaa70b736823de3f8e842812572d682a5486ba2f92698322b247b9fa6552d31d26baa4ce1ad47f328792c95304b7931c01c780d757e392636226d996a558deb2e7b3d3480c8375f7d722027269a9296fa7ae5230b254305169da458ad3f4bc8274e8e354237063013584782a21803e664fce3691405c3d1bc99d
public exponent: 10001
Signature Algorithm: SHA256WITHRSA
Signature: 88dd18b477a5ba113a2145a18a2d2a87e520dfff
f8340bdb76ae9da8c7ca68063b803253c7b519fa
6df302eb122cab39e30d86529e2d9810c7fa6012
e2be299ba3dad80b5f04fc8e6ee4ab2abc86becd
ee5565de54ecef3ee3ef1469ff91fd17b881d7fb
789de3d3688fe1df3029ebdf51f0fc55cb9d771f
66ad6aa5b8211929
Extensions:
critical(true) BasicConstraints: isCa(false)
critical(false) 2.5.29.35 value = Sequence
Tagged [0] IMPLICIT
DER Octet String[20]
critical(true) KeyUsage: 0xa8
critical(false) 2.5.29.17 value = Sequence
Tagged [1] IMPLICIT
DER Octet String[16]
Tagged [2] IMPLICIT
DER Octet String[16]
Tagged [2] IMPLICIT
DER Octet String[20]
critical(false) 2.5.29.14 value = DER
我的设置有什么问题?
问题中发布的证书有两个问题:
请注意,您在最终实体证书中还有一个相当复杂的授权密钥标识符。通常在这里只放散列,直接从颁发 CA 证书的主题密钥标识符中复制。也就是说,省略 Directory 和 Serial 条目。你所拥有的可能会奏效,但为什么要冒险呢?
由您自己虚构的证书颁发机构签名的证书总是会抛出错误,因为您的系统不信任 CA。要获得绿色锁,您必须将证书颁发机构的自签名证书添加到机器上受信任的根证书颁发机构存储中。
即使您信任自己机器上的虚构 CA,由该 CA 签名的证书也不会被 Internet 上的其他机器信任。如果您希望您的证书被其他机器信任,您必须向合法的证书颁发机构付费,让他们为您签署您的证书。
如果您的 CA 已正确安装在受信任的根 CA 中,并且您的实际密钥长度为 1024,则它可能太弱而无法信任。尝试使用至少 2048 长度重新生成它,因为浏览器时不时会弃用较短的密钥长度。