Ich möchte selbstsignierte x509-Zertifikate in unserer Testumgebung verwenden, also folgte ich dem in Ivan Ristics "OpenSSL-Kochbuch". Tolle Ressource. Ich habe mich auch für den privaten CA-Weg entschieden.
Chrome beschwert sich jedoch, dass mein Site-/https-Endpunkt nicht gesichert ist, und meldet den Fehler „NET::ERR_CERT_AUTHORITY_INVALID“. openssl s_client meldet auch einen Prüffehler:num=48:Verstoß gegen ausgeschlossenen Teilbaum. Firefox gibt mir eine „SEC_ERROR_CERT_NOT_IN_NAME_SPACE“-Fehlerseite.
Ich bin ratlos, warum der ausgeschlossene Teilbaum verletzt wird. Mit meinem begrenzten Wissen (ich verwende zum ersten Mal die private CA-Funktionalität) liege ich wahrscheinlich falsch, wenn ich annehme, dass meine host.cnf SAN-Hostnamen enthält, die über die nameConstraints in meiner root-ca.conf zulässig sind. Ich freue mich über alle Erkenntnisse und Korrekturen zu meinem Missverständnis der OpenSSL-Konfigurationsdateien.
Im Abschnitt „4.2.1.10. Namensbeschränkungen“ von rfc5280 heißt es:
DNS-Namensbeschränkungen werden als host.example.com ausgedrückt. Jeder DNS-Name, der durch einfaches Hinzufügen von null oder mehr Bezeichnungen auf der linken Seite des Namens erstellt werden kann, erfüllt die Namensbeschränkung. Beispielsweise würde www.host.example.com die Beschränkung erfüllen, host1.example.com jedoch nicht.
Aber ich sehe viele Beispiele für SAN-Namensbeschränkungen, die die führende Punktnotation verwenden – also habe ich zwei DNS-Namensbeschränkungen in meiner root-ca.conf ausprobiert. Ich bin verzweifelt, also gehe ich davon aus, dass beide richtig sein können …
Blutige Details:
Ich habe meine Root-CA- und Sub-CA-Konfigurationsdateien eingerichtet und die entsprechenden CSRs, root-ca.crt, sub-ca.crt, mit den folgenden Befehlen erstellt:
(on the target machine - but I haven't found any docs saying this is required)
openssl genrsa -aes128 -out host-private.key 2048
openssl req -new -key host-private.key -out host.csr -passin pass:XXXX -config host.cnf
Habe die Datei host.csr in meine CA-Umgebung kopiert. Um das Stamm-CA-Zertifikat zu erstellen, habe ich die folgenden Befehle ausgeführt:
openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
So erstellen Sie das Zwischen-/Unter-CA-Zertifikat:
openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
Anschließend wird das Host-Zertifikat erstellt:
openssl ca -config sub-ca.conf -in host.csr -out host.crt -extensions server_ext
Ich habe ein Kettenzertifikat für die Bereitstellung in meiner Nginx-Umgebung erstellt. host.csr + sub-ca.crt + root-ca.crt
Ich habe auch die root-ca.crt zum CA-Truststore meines Hosts hinzugefügt. Ich verwende nginx als SSL/TLS-Terminator-Reverse-Proxy für mehrere interne Dienste über das Modul ngx_http_proxy. Ich habe auch die generierte root-ca.crt zum CE-Truststore meiner Chrome-Installation hinzugefügt. Die von Chrome angezeigten Site-Informationen haben die Root-CA-, Sub-CA- und Host-Zertifikate korrekt in der Zertifikatshierarchie.
host.cnf:
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
# the use of -passin overrides this
input_password = PASSPHRASE
[dn]
CN = rt168openmbee.serc.stevens.edu
emailAddress = [email protected]
O = SERC
L = Hoboken
ST = NJ
C = US
[ext]
subjectAltName = DNS:rt168openmbee.serc.stevens.edu,IP:155.246.39.32
root-ca.conf:
[default]
name = root-ca
domain_suffix = serc.stevens.edu
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "US"
organizationName = "SERC"
commonName = "Root CA"
[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[name_constraints]
permitted;DNS.0=serc.stevens.edu
permitted;DNS.1=.serc.stevens.edu
permitted;IP.0=155.246.39.0/255.255.255.0
excluded;IP.1=0.0.0.0/0.0.0.0
excluded;IP.2=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
noCheck = yes
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
sub-ca.conf:
[default]
name = sub-ca
domain_suffix = serc.stevens.edu
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "US"
organizationName = "SERC"
commonName = "Sub CA"
[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = copy
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 2048
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
mit openssl s_client -showcerts -connect werden hier die abgerufenen Zertifikate angezeigt (gespeicherte PEM-Zertifikate werden über openssl x509 -text ... ausgeführt).
Host-Zertifikat:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
29:d9:fb:61:7a:0f:ba:c3:51:28:a3:05:14:df:8a:b1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Sub CA
Validity
Not Before: Jul 18 19:52:13 2019 GMT
Not After : Jul 17 19:52:13 2020 GMT
Subject: C = US, ST = NJ, O = SERC, CN = rt168openmbee.serc.stevens.edu, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b9:19:1f:2b:2a:54:bc:7a:78:1c:13:33:09:8e:
12:e1:b5:f8:7c:58:f8:29:7e:b4:45:45:6b:5a:3f:
ac:41:f6:d6:bf:4a:08:77:a6:a0:94:dd:26:68:ed:
8a:ec:fc:e9:3e:db:98:45:0c:cf:8a:09:d6:46:14:
a7:bb:d2:f0:da:dd:db:7c:ed:31:7b:20:f7:7d:f0:
f9:13:1a:45:1b:ab:90:79:a7:d7:60:d2:94:70:0e:
79:4c:03:23:c0:b6:f7:dc:93:b4:c7:eb:6e:69:f1:
58:6c:14:07:98:4e:56:9d:01:39:d6:a1:be:da:a5:
76:83:aa:68:30:65:51:23:96:99:fe:05:9c:a7:61:
64:30:b1:f6:38:33:70:6d:8b:25:ce:d9:93:6e:b0:
5e:84:e8:71:4b:55:62:64:f1:6b:b4:ed:7b:dd:b7:
d9:b2:4a:24:29:bb:3b:ad:59:cc:4d:fb:84:6a:91:
45:e7:f1:cc:21:48:40:42:83:03:1e:07:6d:3f:c2:
a6:bf:8f:76:db:f8:9c:a2:a9:88:71:81:f5:d6:48:
d9:17:d9:0d:bb:9d:c5:24:bb:d8:58:93:85:1c:5f:
a4:39:df:8f:d6:9a:2a:2f:9c:34:bb:28:f0:87:fe:
df:9d:41:8a:0b:f6:c5:a3:0c:4c:6c:e1:f4:a6:89:
23:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://sub-ca.serc.stevens.edu/sub-ca.crt
OCSP - URI:http://ocsp.sub-ca.serc.stevens.edu:9081
X509v3 Authority Key Identifier:
keyid:FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://sub-ca.serc.stevens.edu/sub-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
4F:60:83:45:A3:32:DB:C4:5C:AD:C1:BD:69:09:AF:E2:55:13:1A:6A
X509v3 Subject Alternative Name:
DNS:rt168openmbee.serc.stevens.edu, IP Address:155.246.39.32
Signature Algorithm: sha256WithRSAEncryption
07:d1:b6:ab:5d:b4:8a:f7:77:3c:57:06:f3:7c:69:a9:fa:85:
d0:04:b6:3b:24:2b:32:9f:31:4e:33:3b:a9:ed:d8:3e:8a:cf:
aa:19:be:84:86:42:86:9c:d3:c4:a6:35:2e:87:b5:10:40:d2:
05:92:13:e1:e6:00:cc:42:f9:55:ff:14:ba:3e:0e:d8:3c:9b:
d6:47:19:27:61:d3:c1:a4:9f:a9:80:c7:ae:68:c1:bf:a1:3c:
fd:c6:cc:df:16:4e:0b:ca:22:3e:d1:5f:b6:9f:ee:38:84:3b:
65:4d:86:d5:f3:df:03:7a:e1:13:ad:1e:62:8c:ad:ca:3c:d4:
78:89:8a:91:c9:a8:85:58:fa:78:49:ff:94:b5:37:68:72:89:
18:94:d7:08:ec:62:40:a5:35:1d:93:2c:7b:bf:b7:f1:b4:0f:
57:a7:17:69:8d:fb:a4:7d:1f:7b:bd:8c:f6:32:a9:6a:e4:04:
64:89:05:55:ee:43:cf:a3:51:67:35:6c:84:16:62:d3:6e:57:
de:0b:e9:fb:e3:11:a7:ed:94:9e:1e:ef:ec:5f:c4:03:33:cf:
0c:00:5c:8b:9f:ad:4e:b2:89:01:9f:be:49:9d:51:b8:2f:ba:
f3:9d:70:80:69:e3:bf:95:d6:a3:07:ee:fa:8b:84:ac:78:50:
7c:f3:08:0c
Zwischen-CA-Zertifikat:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:cb
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Root CA
Validity
Not Before: Jul 18 19:49:50 2019 GMT
Not After : Jul 15 19:49:50 2029 GMT
Subject: C = US, O = SERC, CN = Sub CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:be:90:03:fa:85:91:b7:0a:72:6c:0c:81:aa:6d:
19:c1:d6:40:a5:f9:c5:28:35:ce:d6:e1:70:ea:eb:
80:54:2b:ad:87:e5:67:b1:6c:94:df:14:e7:97:9f:
1d:00:a3:db:96:48:e1:76:6f:06:bf:3d:27:f8:62:
74:90:75:95:3c:f2:5d:40:d4:1b:11:61:f0:52:db:
9a:d9:7f:4e:04:76:7f:fa:4e:c2:f2:00:fc:79:fb:
0c:51:aa:b8:39:5a:9c:73:b5:1f:04:cd:76:5c:7b:
a2:4b:41:3e:14:47:e9:d4:b1:b5:46:3b:05:05:99:
cc:63:1e:d8:1c:3d:4a:5a:b4:23:23:3e:39:8a:78:
05:1a:44:ba:fd:a4:b5:98:05:a4:e0:b8:d8:f1:3a:
0a:09:54:2d:4d:db:09:df:88:1c:b4:73:a5:a7:41:
5d:f8:a8:ec:fc:52:b1:6f:36:22:1c:3e:e7:66:93:
90:a7:dc:32:50:21:60:31:57:51:09:76:50:15:f7:
fc:4e:b9:05:ae:b6:93:2e:f4:b0:44:aa:3c:73:a7:
1c:c5:87:d9:54:81:f3:97:42:df:08:77:0b:5d:dd:
01:04:be:5e:1a:94:57:4b:82:65:71:91:3b:ad:58:
82:b7:55:e7:c9:7e:ed:fd:59:0f:83:48:1a:33:d4:
95:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://root-ca.serc.stevens.edu/root-ca.crt
OCSP - URI:http://ocsp.root-ca.serc.stevens.edu:9080
X509v3 Authority Key Identifier:
keyid:F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 CRL Distribution Points:
Full Name:
URI:http://root-ca.serc.stevens.edu/root-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Name Constraints:
Permitted:
DNS:serc.stevens.edu
DNS:.serc.stevens.edu
IP:155.246.39.0/255.255.255.0
Excluded:
IP:0.0.0.0/0.0.0.0
IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
X509v3 Subject Key Identifier:
FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
Signature Algorithm: sha256WithRSAEncryption
ab:93:26:fa:85:ae:72:fa:e3:2d:65:9a:10:a5:c8:cc:e2:1c:
c6:4d:40:53:80:c2:6f:67:24:4e:29:23:b9:75:6e:2f:7f:ce:
7e:fb:2c:64:e8:e6:90:13:2d:39:da:13:3f:a9:71:5b:72:b1:
3b:11:e5:aa:98:e6:cc:47:a7:95:dc:7a:c0:27:2f:52:1e:08:
1f:34:b5:ab:1d:16:53:89:d4:b4:8a:d9:f7:ca:4d:7a:5a:bc:
9a:16:ed:45:5d:18:2a:50:0b:57:12:ea:23:8a:b8:f1:2b:26:
5b:1a:e8:7b:35:37:de:22:8f:cf:ae:f6:4f:7f:3e:88:0b:21:
40:40:46:53:ad:83:6a:3a:26:ba:0e:28:ba:0c:8d:04:56:e3:
59:d5:7d:13:06:d2:89:b1:5c:50:0c:54:60:09:bc:22:b8:96:
e8:42:8c:a6:dd:47:86:6f:16:bd:a9:45:3f:b6:f1:4d:58:82:
cf:e9:e2:e2:be:2b:2d:97:e5:0d:df:24:09:96:95:1d:1a:08:
94:87:73:6c:61:1a:70:36:ae:55:79:a8:ae:58:66:0d:2a:94:
32:27:91:bb:0a:5c:2f:64:b8:fe:a2:5f:3d:f7:d9:66:a9:2a:
e4:6b:9b:7f:66:ba:7a:61:e6:57:4f:c8:8b:5c:74:d7:0b:db:
a3:cb:d2:97:50:95:6f:34:64:24:ce:7a:0b:c3:dd:3a:7c:81:
d1:48:5e:74:af:7f:9c:fc:73:3b:01:b9:a9:d7:67:87:7b:81:
b0:99:9b:a5:29:1d:97:bb:70:61:48:32:13:e8:20:da:f5:7a:
96:2b:c0:04:1f:b2:27:a3:cb:35:a0:63:08:e3:5b:8e:ae:87:
60:c9:85:9e:b7:4a:a7:12:8f:81:3b:7d:5b:00:05:be:54:bd:
49:4e:1c:73:0e:c7:51:27:40:82:63:e4:48:d5:94:f3:63:53:
a1:84:5c:ca:3a:91:94:ca:23:de:65:48:5b:ff:7e:e6:79:8b:
a1:bf:c0:2d:9f:91:b5:c5:66:3c:58:e8:b8:e9:8f:81:18:cb:
7e:eb:46:4b:59:5d:d1:34:74:3f:92:c4:0d:9e:4a:ec:25:f4:
48:f4:d8:c9:a1:8f:72:2f:a5:8b:a2:14:16:f1:84:41:9b:df:
85:99:62:af:50:ab:c0:4d:4c:a9:7a:d0:31:24:4f:04:00:e3:
16:bb:53:08:fa:66:8b:d5:15:2b:22:62:ac:64:38:c2:2f:c0:
fa:ad:a1:be:b6:67:f6:f6:ac:af:a4:33:ea:4a:a0:8d:49:ad:
35:3c:6f:ae:b3:b6:a0:e6:84:df:32:36:46:73:48:26:28:a2:
10:9a:d2:2c:85:48:d7:d4
Stamm-CA-Zertifikat:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Root CA
Validity
Not Before: Jul 18 19:47:30 2019 GMT
Not After : Jul 15 19:47:30 2029 GMT
Subject: C = US, O = SERC, CN = Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:c7:6a:ca:cb:b6:3b:23:63:f4:21:32:37:a6:b8:
ed:34:0a:06:38:06:7a:cf:3a:0a:6e:36:ef:81:d0:
01:2d:e7:ea:dc:d9:46:d7:45:f3:ed:84:ed:7e:20:
6a:e2:00:34:43:4e:2a:fc:2b:53:ef:d2:af:1e:25:
c9:ed:e0:34:d0:9a:03:c2:50:16:46:96:89:cb:6d:
43:b4:17:61:49:07:53:85:62:d6:27:b5:0a:b0:87:
3b:b6:e3:ba:f7:b9:35:77:37:bb:ae:a8:7e:04:0f:
54:e2:b3:26:b0:3f:65:01:27:fc:dc:ac:b6:3a:a4:
d0:ea:6a:d2:f5:c5:7c:be:43:0f:41:d1:9d:1c:1c:
61:e1:ba:af:03:95:30:10:a9:3d:52:64:ce:70:40:
bd:dc:0d:53:35:00:c1:e9:e1:68:fd:f5:d5:d1:a1:
e4:c7:c7:22:fb:56:6f:a6:e1:ea:48:e8:61:fb:8c:
76:28:8a:4e:18:84:ab:f3:9b:d5:49:7c:04:40:15:
83:4d:26:2b:33:92:84:7e:f2:75:1b:0b:4c:d6:54:
c3:f2:4a:9f:13:72:ab:9c:92:a4:42:77:99:00:25:
91:c1:b6:87:bd:fa:f1:07:f0:ce:72:0f:3c:be:bc:
79:58:f6:8b:6e:07:bc:5d:ee:23:be:0d:d5:d6:91:
22:f4:73:1b:4f:5f:cc:82:87:57:61:50:96:8c:69:
0b:ae:f7:40:47:7c:62:4e:2e:77:3e:8c:f1:41:7d:
e8:64:d5:bf:24:36:99:bb:0c:46:0e:28:7b:52:95:
7d:b8:f2:e5:91:0d:07:ea:cb:9c:9d:08:dd:1f:e2:
3a:02:6a:5b:36:d1:ff:b9:0f:a4:08:ed:12:38:7a:
0b:a1:68:7e:be:b1:bb:90:e2:6a:9f:33:8f:d4:d2:
8b:ba:84:db:f9:c6:d7:94:19:d5:cd:db:ce:b3:ba:
53:36:51:9a:16:12:57:f9:16:27:1e:23:3b:09:c0:
2b:d8:f3:cf:d7:d2:ec:2d:b0:fd:bf:dc:85:7d:cb:
9d:cc:e1:70:0d:2a:fd:43:4f:48:3d:89:09:33:2e:
6b:e8:f0:ba:ca:21:9c:32:79:a2:64:e1:dc:75:8b:
ed:0b:32:50:5b:b1:b5:0b:11:7a:d4:f0:d9:df:f7:
61:04:4a:c5:41:c7:0e:cb:e5:c7:1a:3c:6e:7b:63:
8b:bd:e5:f2:99:c8:2e:5c:e4:ed:a0:1d:b4:c1:64:
b8:71:27:23:23:2f:93:54:b4:d8:99:b5:a4:35:7b:
dd:82:ef:b4:ee:d4:fb:f4:91:58:af:5e:f2:8f:37:
9d:5a:9f:62:99:f9:26:31:d8:74:08:71:2f:bc:1d:
40:a6:43
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
Signature Algorithm: sha256WithRSAEncryption
16:77:4d:7b:ef:89:3d:31:45:07:8f:a3:c4:ad:ed:89:a0:9b:
b6:ab:74:59:1a:fb:7b:48:e1:e0:3c:75:73:dc:e3:e2:1b:a3:
74:a1:0d:37:ea:ac:85:fb:1c:e0:86:f1:86:ee:78:51:fd:4d:
58:04:8b:5c:6b:b3:06:1c:07:04:a1:c5:51:a9:d1:4c:24:42:
7c:ef:1e:35:c5:df:00:79:44:91:a1:f5:cb:71:5b:a7:85:b1:
f3:36:3c:75:e7:f8:d5:29:85:18:2e:ff:79:e1:eb:1f:72:24:
6a:36:a4:17:4e:76:4d:5d:d1:85:c4:18:c3:f4:83:07:10:3f:
7a:e2:36:33:48:1d:da:5d:08:2a:59:4f:3a:97:74:b7:d8:97:
85:b0:b1:82:f8:46:d5:df:75:d9:56:77:34:0e:26:d5:3a:eb:
8b:02:5e:d1:c3:fd:16:22:1f:ab:86:76:c4:cf:5b:d5:d5:bd:
da:70:76:9e:18:bd:2f:16:c0:89:fe:cc:e0:93:63:f0:23:65:
37:4c:6c:f5:e4:a7:fd:b2:02:86:91:6a:f5:31:b2:93:cc:33:
87:38:57:6b:55:59:7e:ed:02:13:5d:6f:4f:15:91:ac:7e:7f:
52:57:35:de:ec:87:38:bf:fe:7e:bd:5d:3c:ef:43:a9:d1:13:
ab:ed:6f:ac:cf:bf:7e:e8:35:0b:92:97:08:05:78:db:68:e0:
b1:05:2a:49:6e:00:34:71:a5:0f:5b:1c:17:47:9e:23:6f:64:
d7:f0:93:60:12:7f:6d:0a:cd:15:e7:de:72:c4:76:86:ef:4d:
65:c6:2a:1a:c4:35:0e:08:07:c5:ee:34:aa:9e:e1:90:d4:66:
87:0f:1f:32:fa:21:7e:4f:01:9b:6d:19:20:ed:e5:9d:1a:ee:
b3:e6:c4:93:4b:a4:cc:62:db:65:c1:b9:3b:05:a8:45:38:87:
29:6d:8c:86:86:7b:c5:3d:89:85:c8:8e:f5:da:7d:c5:89:31:
49:7b:af:9e:ff:03:89:db:ac:65:c5:5f:78:0d:cf:91:6f:19:
6a:e4:eb:b6:d5:46:ff:3b:8c:44:cd:00:7b:3c:ed:6f:f6:79:
61:93:12:08:58:7c:d5:02:9b:a7:4c:a0:c6:1a:f8:d9:b1:b6:
1e:77:75:1d:24:e8:d2:ff:61:ee:a8:85:e5:1b:49:cf:3c:91:
56:ea:e5:0e:6e:39:96:d0:d4:b7:95:25:e3:1a:a3:82:26:c8:
3f:53:47:fe:93:10:c4:bf:91:b5:7d:40:d2:2e:22:8e:7f:e5:
8a:4c:6e:03:04:de:f7:81:95:fc:a9:0f:31:51:ab:21:9d:20:
06:64:c2:9e:41:db:07:86
Antwort1
Ihr Serverzertifikat ist ungültig, da Sie dessen IP-Adresse im CA-Zertifikat ausgeschlossen haben. Hier ist der relevante Text aus RFC5280:
Any name matching a restriction in the excludedSubtrees
field is invalid regardless of information appearing in the
permittedSubtrees.
Lassen Sie einfach dieausgeschlossenTeil Ihres CA-Zertifikats und alles sollte funktionieren. Wenn die Namensbeschränkungen nur einengestattetAbschnitt, alle anderen Namen sind sowieso nicht zulässig.
Lesen Sie diesen Blogbeitragfür eine gute Erklärung, wie die Teilbäume verarbeitet werden.