pwan
Asked: 2019-01-23 16:51:53 +0800 CST

Why does Chrome ignore the X509v3 Subject Alternative Name in my certificate?

  • 772

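I have a certificate that includes an X509v3 Subject Alternative Name setting, but Chrome 67.0.3396.99 says the Subject Alternative Name is missing, even though it appears to be included in the certificate.

Here is the X509v3 section of the certificate, from:

    openssl s_client -showcerts -connect www.mysite.org:443 </dev/null 2> /dev/null | openssl x509 -noout -text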

    X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name: 
                DNS:www.mysite.org
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
               <redacted>

The certificate's subject is Subject: CN = www.mysite.org.

Am I missing some additional X509v3 setting that Chrome expects, so that it will accept the SAN?

google-chrome
2 Answers

  1. Best Answer
    dave_thompson_085
    2019-01-23T23:20:12+08:00

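    Chrome 67 is already quite old, but your certificate has two BasicConstraints extensions, which violates RFC 5280 section 4.2, and if I reproduce that error (by hand!), my up-to-date 71.0.3578.98 shows the same symptom: NET::ERR_CERT_COMMON_NAME_INVALID, and 'Advanced' claims 'the certificate does not specify Subject Alternative Names', even though if I 'proceed to $site (unsafe)' and then click the padlock and view the certificate, it confirms the SAN is present and correct.

    So whatever method was used to create this certificate is broken in some way, but Chrome's handling of it is not ideal.


    Added: per the comments, here is my latest test data, where a single BC works and a double BC (in both forms: critical and non-critical) fails, in both Chrome and Firefox ESR: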

    ##### CA key&cert (in PKCS12 for my software):
    Bag Attributes
        friendlyName: xca
        localKeyID: 54 69 6D 65 20 31 35 34 38 39 35 38 37 37 37 33 39 34
    Key Attributes: <No Attributes>
    Bag Attributes
        friendlyName: xca
        localKeyID: 54 69 6D 65 20 31 35 34 38 39 35 38 37 37 37 33 39 34
    subject=/CN=US/O=test CA for sf950295
    issuer=/CN=US/O=test CA for sf950295
    
    ##### server private key
    
    ##### certificate 1, single BC
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 11 (0xb)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=US, O=test CA for sf950295
            Validity
                Not Before: Jan 31 13:21:49 2019 GMT
                Not After : Feb  1 13:21:49 2020 GMT
            Subject: CN=test.qo
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                X509v3 Subject Alternative Name:
                    DNS:test.qo
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
                X509v3 Subject Key Identifier:
                    00:11:22:33:44:55:66:77:00:11:22:33:44:55:66:77
        Signature Algorithm: sha256WithRSAEncryption
    
    ##### certificate 2, double BC (not critical) 
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 12 (0xc)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=US, O=test CA for sf950295
            Validity
                Not Before: Jan 31 13:21:50 2019 GMT
                Not After : Feb  1 13:21:50 2020 GMT
            Subject: CN=test.qo
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                X509v3 Subject Alternative Name:
                    DNS:test.qo
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    00:11:22:33:44:55:66:77:00:11:22:33:44:55:66:77
        Signature Algorithm: sha256WithRSAEncryption
    
    ##### certificate 3, double BC (critical)
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 13 (0xd)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=US, O=test CA for sf950295
            Validity
                Not Before: Jan 31 13:21:51 2019 GMT
                Not After : Feb  1 13:21:51 2020 GMT
            Subject: CN=test.qo
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                X509v3 Subject Alternative Name:
                    DNS:test.qo
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    00:11:22:33:44:55:66:77:00:11:22:33:44:55:66:77
        Signature Algorithm: sha256WithRSAEncryption
    
    • 3
  2. pwan
    2019-02-21T13:36:18+08:00

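    My certificate had a few problems.

    • As noted above, it had a duplicate Basic Constraints extension, but fixing that did not solve the problem. I did find that Chromium rejects duplicate extensions here.
    • I had some errors in how I created the Subject Key Identifier and Authority Key Identifier. This answer helped me fix that.
    • The main problem was that I was setting the extension's critical setting to false. I should have omitted the critical setting so that it would default to false. This is checked in the Chromium source code. DER encoding requires the shortest encoding, and letting the optional critical setting default to false results in a shorter encoding than setting it explicitly.

    Here are some other random comments:

    • NET::ERR_CERT_COMMON_NAME_INVALID is the default error for certificate problems in Chromium, and most certificate parsing errors return false without any logging, so it looks like many certificate parsing errors will be presented to the user as an invalid common name error.
    • https://lapo.it/asn1js/ is useful for decoding certificates. Viewing the certificate in Chrome or with openssl does not distinguish between an extension that defaults to non-critical and one where that is set explicitly.
    • If you run into similar certificate problems, you can look at x509 linters such as https://github.com/globalsign/certlint or https://github.com/zmap/zlint.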
    • 1
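
Both answers point at defects that the `openssl x509 -text` output hides or makes easy to miss: a repeated extension OID, and a `critical` flag encoded explicitly as FALSE. The following is an added example, not code from either answer or from Chromium; the function names and the sample extension bytes are constructed for illustration. It walks the raw DER and reports both conditions.

```python
# Added example: a DER walker using only the standard library.
OID_NAMES = {"2.5.29.19": "basicConstraints", "2.5.29.17": "subjectAltName",
             "2.5.29.15": "keyUsage", "2.5.29.37": "extKeyUsage"}

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value_bytes) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw):
    first = min(raw[0] // 40, 2)
    arcs, n = [first, raw[0] - 40 * first], 0
    for b in raw[1:]:                    # remaining arcs are base-128, high bit = continue
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def extensions_from_cert(der_cert):
    """Return the contents of the Extensions SEQUENCE of a DER certificate."""
    _, cert, _ = read_tlv(der_cert, 0)   # Certificate
    _, tbs = next(children(cert))        # TBSCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:                  # [3] EXPLICIT Extensions
            return read_tlv(val, 0)[1]
    return b""

def lint_extensions(exts):
    """exts: concatenated Extension elements. Returns a list of findings."""
    findings, seen = [], set()
    for _, ext in children(exts):
        fields = list(children(ext))     # extnID, [critical], extnValue
        oid = decode_oid(fields[0][1])
        name = OID_NAMES.get(oid, oid)
        if oid in seen:                  # RFC 5280 4.2: one instance per extension
            findings.append(f"duplicate extension: {name}")
        seen.add(oid)
        if fields[1][0] == 0x01 and fields[1][1] == b"\x00":
            # critical is BOOLEAN DEFAULT FALSE; DER forbids encoding the default
            findings.append(f"explicit critical=FALSE (not DER): {name}")
    return findings

# Constructed sample extensions (CA:FALSE and DNS:test.qo, as in the test data)
BC_DEFAULT = bytes.fromhex("30090603551d1304023000")
BC_CRITICAL = bytes.fromhex("300c0603551d130101ff04023000")
BC_EXPLICIT_FALSE = bytes.fromhex("300c0603551d1301010004023000")
SAN = bytes.fromhex("30120603551d11040b30098207") + b"test.qo"

if __name__ == "__main__":
    for label, exts in [("single BC", BC_DEFAULT + SAN),
                        ("double BC", BC_DEFAULT + SAN + BC_CRITICAL),
                        ("explicit FALSE", BC_EXPLICIT_FALSE + SAN)]:
        print(label, "->", lint_extensions(exts) or "ok")
```

To check a real certificate, convert it to DER (for example with `openssl x509 -outform DER`) and pass the bytes through `extensions_from_cert` before `lint_extensions`.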
