How do I make a browser accept an SSL certificate with a complete certificate chain?



I like to create my own PKI, where a root CA and an intermediate CA eventually sign the server certificate. To create the certificates I use openssl, and I got these:

cert.pem


ca_cert.pem


root_cert.pem


Verifying these with openssl shows

.\openssl.exe verify -show_chain -CAfile root_cert.pem -untrusted ca_cert.pem cert.pem
cert.pem: OK
Chain:
depth=0: C = DE, ST = Niedersachsen, L = Osnabrueck, O = MyCompany GmbH, OU = Geschaeftsfuehrung, CN = localhost (untrusted)
depth=1: C = DE, ST = Niedersachsen, L = Osnabrueck, O = MyCompany GmbH, OU = Geschaeftsfuehrung, CN = MyCompany primary CA (untrusted)
depth=2: C = DE, ST = Niedersachsen, L = Osnabrueck, O = MyCompany GmbH, OU = Geschaeftsfuehrung, CN = MyCompany root CA

I also created a chain.pem file, concatenating all the certificates into it in the order listed above.

Now I hand chain.pem as the certificate file to my web server. I also added root_cert.pem as trusted to my operating system with this command:
PS> Import-Certificate -FilePath ./root_cert.pem -CertStoreLocation Cert:\LocalMachine\Root

Now, opening a browser gives an error:

  • Chrome shows NET::ERR_CERT_COMMON_NAME_INVALID
  • FireFox shows SEC_ERROR_UNKNOWN_ISSUER

If I click "show certificate", both browsers list the certificates above.

Unfortunately, the browsers neither tell me what exactly the problem is nor give a hint on how to fix it.

May I ask for help with my specific problem, and also for a good reference on what exactly is needed to make a browser trust a server certificate from a chain you created yourself, so that others running into similar problems may find help here? Thanks!

Note: I only want to add root_cert.pem as trusted to the operating system, not any of the intermediate certificates.

In 2017 the way browsers check certificate validity changed. Instead of using the Common Name (CN), they now use the subjectAltName. See: heise

The subjectAltName is an extension of the certificate; it needs to be added to the certificate and contains the DNS name or IP of the host.

Since it is an extension, it is not part of the openssl subject standard. See here how to set the subjectAltName with openssl

On top of that, openssl has a known bug that prevents the subjectAltName extension from being carried over from the request when signing it. You need to set it manually via a config file; the CLI does not support this either. Find the solution here

FireFox

sends the above error because it is not linked to the operating system's Root CA store; you need to add the Root CA to FireFox separately.


Finally, if you run into validity problems with the certificates you created:

  • Use FireFox to check your https connection, since FireFox gives more detailed error messages than other browsers.
    • Don't forget to add your root CA to its dedicated certificate store.
  • Check validity & signing. They must be up to date for all certificates!
  • Check for the correct subjectAltName (exactly the same as the value in the requested URL).
  • Make sure your server sends not only its own certificate but the whole chain. Otherwise, if you use an intermediate CA, you will get an unknown issuer error.
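The points of this answer, as an added example that is not part of the original question or answer: it builds the three-level PKI from the question (root CA, intermediate CA, server certificate) with openssl, puts the subjectAltName into the leaf through an extension file at signing time because `x509 -req` does not copy it from the request, and then runs the two checks the browsers run (chain to the root, host name in the SAN). It assumes a POSIX sh with an openssl binary on PATH; all names and the scratch directory are constructed. Source it and call `build_pki ./pki`, then `verify_chain ./pki` and `san_covers ./pki/cert.pem localhost`.

```sh
#!/bin/sh
# Added example (constructed, not the original poster's files or commands).
set -eu

# Issue one certificate: self-signed when no issuer is given, else signed by it.
# $1 dir, $2 file base name, $3 subject CN, $4 extension text, $5 issuer name (optional)
issue() {
  dir=$1 name=$2 cn=$3 ext=$4 issuer=${5:-}
  printf '%s\n' "$ext" > "$dir/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=MyCompany GmbH/CN=$cn" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -days 3650 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
      -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
  else
    # 'x509 -req' ignores extensions in the CSR: the SAN has to come from -extfile.
    openssl x509 -req -days 825 -in "$dir/$name.csr" -CA "$dir/$issuer.pem" \
      -CAkey "$dir/$issuer.key" -CAcreateserial -extfile "$dir/$name.ext" \
      -out "$dir/$name.pem" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash'
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:localhost,IP:127.0.0.1'

build_pki() {                                   # $1 = scratch directory
  mkdir -p "$1"
  issue "$1" root_cert "MyCompany root CA" "$CA_EXT"
  issue "$1" ca_cert "MyCompany primary CA" "$CA_EXT" root_cert
  issue "$1" cert localhost "$LEAF_EXT" ca_cert
  # What the web server must serve: the leaf first, then the intermediate.
  cat "$1/cert.pem" "$1/ca_cert.pem" > "$1/chain.pem"
}

# Path check as the OS store does it: only the root is trusted, the intermediate
# is merely presented ("untrusted") together with the leaf. Missing intermediate
# here is FireFox's SEC_ERROR_UNKNOWN_ISSUER.
verify_chain() {                                # $1 = directory from build_pki
  openssl verify -CAfile "$1/root_cert.pem" -untrusted "$1/ca_cert.pem" "$1/cert.pem" >/dev/null
}

# Host name check: the requested host must be a DNS entry of the SAN, the CN
# alone is ignored. A failure here is Chrome's NET::ERR_CERT_COMMON_NAME_INVALID.
san_covers() {                                  # $1 = cert file, $2 = host name
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$2(,|\$)"
}
```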