If my understanding is correct, a CA is like a parent certificate that is used to validate other certificates that have been signed by the CA certificate, so that I do not need to install several server certificates for web services (e.g. FTP server, web server, Nextcloud, OpenVPN server, etc.)?
I am trying to create a CA certificate that I can distribute across my local network and over the WAN to friends' networks, so that when they try to access one of my services they can connect to it securely. For example, instead of giving them several certificates, one for each service I host, I would give them just one, the CA certificate.
Each server certificate is in turn signed by the CA, so by installing the single CA certificate on their machines the server certificates will automatically be validated, because they were signed with the CA in the first place. Correct?
The problem is that today I tried installing the CA certificate on my Windows client PC and tried to access my OpenMediaVault GUI over HTTPS, but I still get the insecure warning screen.
The code block below shows the whole creation process for the CA and the server certificates. I will include a screenshot of the directory tree so that you can see all the files and folders. I will also include the contents of the config files.
My Guide
# Make OpenSSL Directory
mkdir ~/Desktop/OpenSSL
# Make Child Directories (certificates/ is where the signed server certificates are written below)
mkdir -p ~/Desktop/OpenSSL/{ca,certificates,configs,"csr's",keys}
# Change Directory Into OpenSSL Directory
cd ~/Desktop/OpenSSL
# Create CA Certificate (self-signed, valid 10 years; the .cnf files must already be in configs/)
openssl req -x509 -newkey rsa:4096 -keyout ca/cakey.pem -out ca/cacert.pem -days 3650 -sha256 -nodes -config configs/ca_openssl.cnf
# Create serial file
echo '01' > serial
# Create index.txt
touch index.txt
##
### Create server certificates ###
##
# OpenMediaVault
openssl genrsa -out keys/OpenMediaVault.pem 4096
openssl req -new -key keys/OpenMediaVault.pem -config configs/openmediavault_openssl.cnf -out "csr's"/OpenMediaVault.csr
# OpenWrt
openssl genrsa -out keys/OpenWrt.pem 4096
openssl req -new -key keys/OpenWrt.pem -config configs/openwrt_openssl.cnf -out "csr's"/OpenWrt.csr
##
### Sign Server Certificates With CA ###
##
# Note: "openssl x509 -req" issues certificates valid for only 30 days unless -days is given
# OpenMediaVault
openssl x509 -req -CA ca/cacert.pem -CAkey ca/cakey.pem -in "csr's"/OpenMediaVault.csr -out certificates/OpenMediaVault.crt -extfile configs/openmediavault_openssl.cnf -extensions v3_req -CAserial serial
# OpenWrt
openssl x509 -req -CA ca/cacert.pem -CAkey ca/cakey.pem -in "csr's"/OpenWrt.csr -out certificates/OpenWrt.crt -extfile configs/openwrt_openssl.cnf -extensions v3_req -CAserial serial
# Convert the CA certificate from PEM to DER (.crt) for import into Windows / Firefox
openssl x509 -outform der -in ca/cacert.pem -out "My Custom CA".crt
# Convert PEM to PKCS12: this bundles the CA certificate together with its PRIVATE key.
# Clients only need the .crt above; the CA key should never leave the machine that signs.
openssl pkcs12 -export -out certificate.pfx -inkey ca/cakey.pem -in ca/cacert.pem
'ca_openssl.cnf'
[ ca ]
default_ca = CA_default # The default ca section
# This section is only read by "openssl ca"; the guide above signs with "openssl x509 -req" and never uses it.
[ CA_default ]
dir = $ENV::HOME/Desktop/OpenSSL # OpenSSL config files do not expand ~ or shell quotes
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/ca/cakey.pem
[ req ]
# Don't prompt for the Distinguished Name (DN). Use the configured values instead.
# This saves having to type in your DN each time.
prompt = no
string_mask = default
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
# The size of the key in bits
default_bits = 4096
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = SOME_PROVINCE
localityName = SOME_CITY
organizationName = domain
organizationalUnitName = domain
commonName = domain Certificate Authority
emailAddress = [email protected]
[ v3_ca ]
# Extensions added to the request
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
'openmediavault_openssl.cnf'
[ req ]
# Don't prompt for the Distinguished Name (DN). Use the configured values instead.
# This saves having to type in your DN each time.
prompt = no
string_mask = default
distinguished_name = req_distinguished_name
req_extensions = v3_req
# The size of the key in bits
default_bits = 4096
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = SOME_PROVINCE
localityName = SOME_CITY
organizationName = OpenMediaVault
organizationalUnitName = OpenMediaVault
commonName = OpenMediaVault.local
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternative_names
[ alternative_names ]
DNS.0 = domain.com
IP.0 = 192.168.1.123
'openwrt_openssl.cnf'
[ req ]
# Don't prompt for the Distinguished Name (DN). Use the configured values instead.
# This saves having to type in your DN each time.
prompt = no
string_mask = default
distinguished_name = req_distinguished_name
req_extensions = v3_req
# The size of the key in bits
default_bits = 4096
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = SOME_PROVINCE
localityName = SOME_CITY
organizationName = OpenWrt
organizationalUnitName = OpenWrt
commonName = OpenWrt.local
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternative_names
[ alternative_names ]
DNS.0 = domain.com
IP.0 = 192.168.1.1
I installed "OpenMediaVault.crt" from the "/certificates" directory and "OpenMediaVault.pem" from the "/keys" directory.
The "certificate.pfx" file is the result of the last command in the "My Guide" section and was imported into Windows certmgr. I used the "My Custom CA.crt" file with Firefox's certificate option.
What exactly am I doing wrong?
Many thanks
Will
Update 1
I think I have found the cause of the problem. When I visit https://openmediavault.local (which is the Common Name set in the certificate) I get this message: "The certificate is only valid for the following names:". The two names shown on my screen (one blurred for privacy) are the subjectAltNames I added. Why are the alternative names valid but not the CN? I accessed it from https://192.168.1.123 and I have a green padlock in my Firefox address bar.
Update 2
Just to let you know, I added the CN to the subjectAltName and everything works.
As a side question related to OpenSSL, I now want to make some OpenVPN certificates. Can the CA made with OpenSSL sign my OpenVPN certificates?
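As an added example (not the poster's script, and not code from OpenMediaVault or OpenWrt), the POSIX shell script below recreates the procedure from the guide with constructed values (a "Demo Private CA", the host name openmediavault.local, the IP 192.168.1.123, 2048-bit keys and a scratch directory from mktemp) and then runs the two checks a browser performs. It issues one certificate like the original openmediavault_openssl.cnf, where the CN is not listed in the subjectAltName, and one like Update 2, where it is, and uses "openssl verify" and "openssl x509 -checkhost" / "-checkip" to show why the IP got a green padlock while the CN-only name was rejected. It also keeps the CA private key out of any file that is distributed: clients get cacert.pem only.

```shell
#!/bin/sh
# Added example, not the poster's script. Builds a throw-away private CA and two
# server certificates in a scratch directory, then runs the two checks a client
# performs: chain validation against the CA, and name matching against the
# subjectAltName. The CA name, host name, IP and paths are constructed values.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# CA config: CA:TRUE and keyCertSign, as in the poster's ca_openssl.cnf.
write_ca_config() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Demo Private CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA certificate. Only cacert.pem is handed to clients;
# cakey.pem never leaves this directory (so no PKCS#12 export of it).
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
    echo 01 > "$WORK/serial"
}

# Issue a server certificate whose CN is openmediavault.local and whose SAN
# holds the DNS names given as arguments plus one IP address.
# $1 = file prefix, remaining arguments = DNS names for the SAN.
issue_cert() {
    prefix="$1"; shift
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n'
        printf '[ dn ]\nCN = openmediavault.local\n'
        printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alt_names\n[ alt_names ]\n'
        i=1
        for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
        printf 'IP.1 = 192.168.1.123\n'
    } > "$WORK/$prefix.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$prefix.cnf" \
        -keyout "$WORK/$prefix.key" -out "$WORK/$prefix.csr" 2>/dev/null
    # Sign with the CA; -days is explicit because "x509 -req" defaults to 30 days.
    openssl x509 -req -sha256 -days 825 -in "$WORK/$prefix.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAserial "$WORK/serial" \
        -extfile "$WORK/$prefix.cnf" -extensions v3_req -out "$WORK/$prefix.crt" 2>/dev/null
}

# Chain check: is the certificate signed by our CA? $1 = certificate path.
chain_ok() { openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1; }

# Name checks, using the same SAN-only rules a browser applies.
# $1 = certificate path, $2 = host name or IP address to test.
host_ok() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }
ip_ok()   { openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'; }

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

demo() {
    write_ca_config
    make_ca
    # "first" mirrors the poster's original config: the CN is not in the SAN.
    issue_cert first example.test
    # "fixed" mirrors Update 2: the CN is added to the SAN.
    issue_cert fixed openmediavault.local example.test
    report chain_ok "$WORK/first.crt"
    report ip_ok "$WORK/first.crt" 192.168.1.123          # green padlock on the IP
    report host_ok "$WORK/first.crt" openmediavault.local  # FAIL: the CN is ignored
    report host_ok "$WORK/fixed.crt" openmediavault.local  # PASS once it is in the SAN
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found; demo skipped"; fi
```

The chain check passes for both certificates, which is why installing the CA was not enough on its own: modern browsers match the requested host name against the subjectAltName only and ignore the CN once a SAN is present, so the IP entry matched and the bare CN did not. Two other points the script makes deliberately: it passes "-days" when signing, and it never exports cakey.pem, because anyone holding a PKCS#12 file that contains the CA key can issue certificates every client trusting that CA will accept; the DER .crt is the only file clients need.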