Me gustaría utilizar certificados x509 autofirmados en nuestro entorno de prueba, así que seguí el proceso descrito en " de Ivan RisticLibro de recetas de OpenSSL". Gran recurso. Decidí seguir la ruta de CA privada también.
Sin embargo, Chrome se queja de que mi sitio/punto final https no es seguro y genera un error "NET::ERR_CERT_AUTHORITY_INVALID". openssl s_client también genera un error de verificación:num=48:violación del subárbol excluido. Firefox me muestra una página de error "SEC_ERROR_CERT_NOT_IN_NAME_SPACE".
No sé por qué se produjo la infracción del subárbol excluido. Con mi conocimiento limitado (la primera vez que uso la funcionalidad de CA privada), probablemente me equivoque al pensar que mi host.cnf tiene nombres de host SAN que están permitidos a través de nameConstraints en mi root-ca.conf. Agradezco cualquier información o corrección a mi malentendido sobre los archivos de configuración de openssl.
La sección "4.2.1.10. Restricciones de nombre" de rfc5280 establece que:
Las restricciones de nombres DNS se expresan como host.example.com. Cualquier nombre DNS que pueda construirse simplemente añadiendo cero o más etiquetas en el lado izquierdo del nombre satisface la restricción de nombre. Por ejemplo, www.host.example.com satisfaría la restricción pero host1.example.com no.
Pero veo muchos ejemplos de SAN, nameConstraints que utilizan la notación de puntos principal, así que probé dos DNS nameConstraints en mi root-ca.conf. Estoy desesperado, así que asumiré que cualquiera de las dos cosas puede ser correcta...
Detalles sangrientos:
configuré mis archivos de configuración root-ca, sub-ca, creé los CSR correspondientes, root-ca.crt, sub-ca.crt, mediante los siguientes comandos:
(on the target machine - but I haven't found any docs saying this is required)
openssl genrsa -aes128 -out host-private.key 2048
openssl req -new -key host-private.key -out host.csr -passin pass:XXXX -config host.cnf
Copié el host.csr en mi entorno de CA. Ejecuté los siguientes comandos para crear el certificado de CA raíz:
openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
para crear el certificado de CA intermedio/subordinado:
openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
Luego, creó el certificado de host:
openssl ca -config sub-ca.conf -in host.csr -out host.crt -extensions server_ext
Creé un certificado de cadena para implementarlo en mi entorno nginx. host.csr + sub-ca.crt + raíz-ca.crt
También agregué root-ca.crt al almacén de confianza de CA de mi host. Estoy usando nginx para servir como proxy inverso terminador SSL/TLS para varios servicios internos a través del módulo ngx_http_proxy. También agregué el root-ca.crt generado al almacén de confianza CE de mi instalación de Chrome. La información del sitio mostrada por Chrome tiene los certificados raíz-ca, sub-ca y host correctamente en la jerarquía de certificados.
host.cnf:
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
# the use of -passin overrides this
input_password = PASSPHRASE
[dn]
CN = rt168openmbee.serc.stevens.edu
emailAddress = [email protected]
O = SERC
L = Hoboken
ST = NJ
C = US
[ext]
subjectAltName = DNS:rt168openmbee.serc.stevens.edu,IP:155.246.39.32
raíz-ca.conf:
[default]
name = root-ca
domain_suffix = serc.stevens.edu
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "US"
organizationName = "SERC"
commonName = "Root CA"
[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[name_constraints]
permitted;DNS.0=serc.stevens.edu
permitted;DNS.1=.serc.stevens.edu
permitted;IP.0=155.246.39.0/255.255.255.0
excluded;IP.1=0.0.0.0/0.0.0.0
excluded;IP.2=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
noCheck = yes
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
sub-ca.conf:
[default]
name = sub-ca
domain_suffix = serc.stevens.edu
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "US"
organizationName = "SERC"
commonName = "Sub CA"
[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = copy
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 2048
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
usando openssl s_client -showcerts -connect, aquí están los certificados recuperados (los certificados PEM guardados se ejecutan a través de openssl x509 -text...).
certificado de anfitrión:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
29:d9:fb:61:7a:0f:ba:c3:51:28:a3:05:14:df:8a:b1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Sub CA
Validity
Not Before: Jul 18 19:52:13 2019 GMT
Not After : Jul 17 19:52:13 2020 GMT
Subject: C = US, ST = NJ, O = SERC, CN = rt168openmbee.serc.stevens.edu, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b9:19:1f:2b:2a:54:bc:7a:78:1c:13:33:09:8e:
12:e1:b5:f8:7c:58:f8:29:7e:b4:45:45:6b:5a:3f:
ac:41:f6:d6:bf:4a:08:77:a6:a0:94:dd:26:68:ed:
8a:ec:fc:e9:3e:db:98:45:0c:cf:8a:09:d6:46:14:
a7:bb:d2:f0:da:dd:db:7c:ed:31:7b:20:f7:7d:f0:
f9:13:1a:45:1b:ab:90:79:a7:d7:60:d2:94:70:0e:
79:4c:03:23:c0:b6:f7:dc:93:b4:c7:eb:6e:69:f1:
58:6c:14:07:98:4e:56:9d:01:39:d6:a1:be:da:a5:
76:83:aa:68:30:65:51:23:96:99:fe:05:9c:a7:61:
64:30:b1:f6:38:33:70:6d:8b:25:ce:d9:93:6e:b0:
5e:84:e8:71:4b:55:62:64:f1:6b:b4:ed:7b:dd:b7:
d9:b2:4a:24:29:bb:3b:ad:59:cc:4d:fb:84:6a:91:
45:e7:f1:cc:21:48:40:42:83:03:1e:07:6d:3f:c2:
a6:bf:8f:76:db:f8:9c:a2:a9:88:71:81:f5:d6:48:
d9:17:d9:0d:bb:9d:c5:24:bb:d8:58:93:85:1c:5f:
a4:39:df:8f:d6:9a:2a:2f:9c:34:bb:28:f0:87:fe:
df:9d:41:8a:0b:f6:c5:a3:0c:4c:6c:e1:f4:a6:89:
23:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://sub-ca.serc.stevens.edu/sub-ca.crt
OCSP - URI:http://ocsp.sub-ca.serc.stevens.edu:9081
X509v3 Authority Key Identifier:
keyid:FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://sub-ca.serc.stevens.edu/sub-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
4F:60:83:45:A3:32:DB:C4:5C:AD:C1:BD:69:09:AF:E2:55:13:1A:6A
X509v3 Subject Alternative Name:
DNS:rt168openmbee.serc.stevens.edu, IP Address:155.246.39.32
Signature Algorithm: sha256WithRSAEncryption
07:d1:b6:ab:5d:b4:8a:f7:77:3c:57:06:f3:7c:69:a9:fa:85:
d0:04:b6:3b:24:2b:32:9f:31:4e:33:3b:a9:ed:d8:3e:8a:cf:
aa:19:be:84:86:42:86:9c:d3:c4:a6:35:2e:87:b5:10:40:d2:
05:92:13:e1:e6:00:cc:42:f9:55:ff:14:ba:3e:0e:d8:3c:9b:
d6:47:19:27:61:d3:c1:a4:9f:a9:80:c7:ae:68:c1:bf:a1:3c:
fd:c6:cc:df:16:4e:0b:ca:22:3e:d1:5f:b6:9f:ee:38:84:3b:
65:4d:86:d5:f3:df:03:7a:e1:13:ad:1e:62:8c:ad:ca:3c:d4:
78:89:8a:91:c9:a8:85:58:fa:78:49:ff:94:b5:37:68:72:89:
18:94:d7:08:ec:62:40:a5:35:1d:93:2c:7b:bf:b7:f1:b4:0f:
57:a7:17:69:8d:fb:a4:7d:1f:7b:bd:8c:f6:32:a9:6a:e4:04:
64:89:05:55:ee:43:cf:a3:51:67:35:6c:84:16:62:d3:6e:57:
de:0b:e9:fb:e3:11:a7:ed:94:9e:1e:ef:ec:5f:c4:03:33:cf:
0c:00:5c:8b:9f:ad:4e:b2:89:01:9f:be:49:9d:51:b8:2f:ba:
f3:9d:70:80:69:e3:bf:95:d6:a3:07:ee:fa:8b:84:ac:78:50:
7c:f3:08:0c
certificado de CA intermedio:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:cb
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Root CA
Validity
Not Before: Jul 18 19:49:50 2019 GMT
Not After : Jul 15 19:49:50 2029 GMT
Subject: C = US, O = SERC, CN = Sub CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:be:90:03:fa:85:91:b7:0a:72:6c:0c:81:aa:6d:
19:c1:d6:40:a5:f9:c5:28:35:ce:d6:e1:70:ea:eb:
80:54:2b:ad:87:e5:67:b1:6c:94:df:14:e7:97:9f:
1d:00:a3:db:96:48:e1:76:6f:06:bf:3d:27:f8:62:
74:90:75:95:3c:f2:5d:40:d4:1b:11:61:f0:52:db:
9a:d9:7f:4e:04:76:7f:fa:4e:c2:f2:00:fc:79:fb:
0c:51:aa:b8:39:5a:9c:73:b5:1f:04:cd:76:5c:7b:
a2:4b:41:3e:14:47:e9:d4:b1:b5:46:3b:05:05:99:
cc:63:1e:d8:1c:3d:4a:5a:b4:23:23:3e:39:8a:78:
05:1a:44:ba:fd:a4:b5:98:05:a4:e0:b8:d8:f1:3a:
0a:09:54:2d:4d:db:09:df:88:1c:b4:73:a5:a7:41:
5d:f8:a8:ec:fc:52:b1:6f:36:22:1c:3e:e7:66:93:
90:a7:dc:32:50:21:60:31:57:51:09:76:50:15:f7:
fc:4e:b9:05:ae:b6:93:2e:f4:b0:44:aa:3c:73:a7:
1c:c5:87:d9:54:81:f3:97:42:df:08:77:0b:5d:dd:
01:04:be:5e:1a:94:57:4b:82:65:71:91:3b:ad:58:
82:b7:55:e7:c9:7e:ed:fd:59:0f:83:48:1a:33:d4:
95:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://root-ca.serc.stevens.edu/root-ca.crt
OCSP - URI:http://ocsp.root-ca.serc.stevens.edu:9080
X509v3 Authority Key Identifier:
keyid:F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 CRL Distribution Points:
Full Name:
URI:http://root-ca.serc.stevens.edu/root-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Name Constraints:
Permitted:
DNS:serc.stevens.edu
DNS:.serc.stevens.edu
IP:155.246.39.0/255.255.255.0
Excluded:
IP:0.0.0.0/0.0.0.0
IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
X509v3 Subject Key Identifier:
FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
Signature Algorithm: sha256WithRSAEncryption
ab:93:26:fa:85:ae:72:fa:e3:2d:65:9a:10:a5:c8:cc:e2:1c:
c6:4d:40:53:80:c2:6f:67:24:4e:29:23:b9:75:6e:2f:7f:ce:
7e:fb:2c:64:e8:e6:90:13:2d:39:da:13:3f:a9:71:5b:72:b1:
3b:11:e5:aa:98:e6:cc:47:a7:95:dc:7a:c0:27:2f:52:1e:08:
1f:34:b5:ab:1d:16:53:89:d4:b4:8a:d9:f7:ca:4d:7a:5a:bc:
9a:16:ed:45:5d:18:2a:50:0b:57:12:ea:23:8a:b8:f1:2b:26:
5b:1a:e8:7b:35:37:de:22:8f:cf:ae:f6:4f:7f:3e:88:0b:21:
40:40:46:53:ad:83:6a:3a:26:ba:0e:28:ba:0c:8d:04:56:e3:
59:d5:7d:13:06:d2:89:b1:5c:50:0c:54:60:09:bc:22:b8:96:
e8:42:8c:a6:dd:47:86:6f:16:bd:a9:45:3f:b6:f1:4d:58:82:
cf:e9:e2:e2:be:2b:2d:97:e5:0d:df:24:09:96:95:1d:1a:08:
94:87:73:6c:61:1a:70:36:ae:55:79:a8:ae:58:66:0d:2a:94:
32:27:91:bb:0a:5c:2f:64:b8:fe:a2:5f:3d:f7:d9:66:a9:2a:
e4:6b:9b:7f:66:ba:7a:61:e6:57:4f:c8:8b:5c:74:d7:0b:db:
a3:cb:d2:97:50:95:6f:34:64:24:ce:7a:0b:c3:dd:3a:7c:81:
d1:48:5e:74:af:7f:9c:fc:73:3b:01:b9:a9:d7:67:87:7b:81:
b0:99:9b:a5:29:1d:97:bb:70:61:48:32:13:e8:20:da:f5:7a:
96:2b:c0:04:1f:b2:27:a3:cb:35:a0:63:08:e3:5b:8e:ae:87:
60:c9:85:9e:b7:4a:a7:12:8f:81:3b:7d:5b:00:05:be:54:bd:
49:4e:1c:73:0e:c7:51:27:40:82:63:e4:48:d5:94:f3:63:53:
a1:84:5c:ca:3a:91:94:ca:23:de:65:48:5b:ff:7e:e6:79:8b:
a1:bf:c0:2d:9f:91:b5:c5:66:3c:58:e8:b8:e9:8f:81:18:cb:
7e:eb:46:4b:59:5d:d1:34:74:3f:92:c4:0d:9e:4a:ec:25:f4:
48:f4:d8:c9:a1:8f:72:2f:a5:8b:a2:14:16:f1:84:41:9b:df:
85:99:62:af:50:ab:c0:4d:4c:a9:7a:d0:31:24:4f:04:00:e3:
16:bb:53:08:fa:66:8b:d5:15:2b:22:62:ac:64:38:c2:2f:c0:
fa:ad:a1:be:b6:67:f6:f6:ac:af:a4:33:ea:4a:a0:8d:49:ad:
35:3c:6f:ae:b3:b6:a0:e6:84:df:32:36:46:73:48:26:28:a2:
10:9a:d2:2c:85:48:d7:d4
certificado de CA raíz:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Root CA
Validity
Not Before: Jul 18 19:47:30 2019 GMT
Not After : Jul 15 19:47:30 2029 GMT
Subject: C = US, O = SERC, CN = Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:c7:6a:ca:cb:b6:3b:23:63:f4:21:32:37:a6:b8:
ed:34:0a:06:38:06:7a:cf:3a:0a:6e:36:ef:81:d0:
01:2d:e7:ea:dc:d9:46:d7:45:f3:ed:84:ed:7e:20:
6a:e2:00:34:43:4e:2a:fc:2b:53:ef:d2:af:1e:25:
c9:ed:e0:34:d0:9a:03:c2:50:16:46:96:89:cb:6d:
43:b4:17:61:49:07:53:85:62:d6:27:b5:0a:b0:87:
3b:b6:e3:ba:f7:b9:35:77:37:bb:ae:a8:7e:04:0f:
54:e2:b3:26:b0:3f:65:01:27:fc:dc:ac:b6:3a:a4:
d0:ea:6a:d2:f5:c5:7c:be:43:0f:41:d1:9d:1c:1c:
61:e1:ba:af:03:95:30:10:a9:3d:52:64:ce:70:40:
bd:dc:0d:53:35:00:c1:e9:e1:68:fd:f5:d5:d1:a1:
e4:c7:c7:22:fb:56:6f:a6:e1:ea:48:e8:61:fb:8c:
76:28:8a:4e:18:84:ab:f3:9b:d5:49:7c:04:40:15:
83:4d:26:2b:33:92:84:7e:f2:75:1b:0b:4c:d6:54:
c3:f2:4a:9f:13:72:ab:9c:92:a4:42:77:99:00:25:
91:c1:b6:87:bd:fa:f1:07:f0:ce:72:0f:3c:be:bc:
79:58:f6:8b:6e:07:bc:5d:ee:23:be:0d:d5:d6:91:
22:f4:73:1b:4f:5f:cc:82:87:57:61:50:96:8c:69:
0b:ae:f7:40:47:7c:62:4e:2e:77:3e:8c:f1:41:7d:
e8:64:d5:bf:24:36:99:bb:0c:46:0e:28:7b:52:95:
7d:b8:f2:e5:91:0d:07:ea:cb:9c:9d:08:dd:1f:e2:
3a:02:6a:5b:36:d1:ff:b9:0f:a4:08:ed:12:38:7a:
0b:a1:68:7e:be:b1:bb:90:e2:6a:9f:33:8f:d4:d2:
8b:ba:84:db:f9:c6:d7:94:19:d5:cd:db:ce:b3:ba:
53:36:51:9a:16:12:57:f9:16:27:1e:23:3b:09:c0:
2b:d8:f3:cf:d7:d2:ec:2d:b0:fd:bf:dc:85:7d:cb:
9d:cc:e1:70:0d:2a:fd:43:4f:48:3d:89:09:33:2e:
6b:e8:f0:ba:ca:21:9c:32:79:a2:64:e1:dc:75:8b:
ed:0b:32:50:5b:b1:b5:0b:11:7a:d4:f0:d9:df:f7:
61:04:4a:c5:41:c7:0e:cb:e5:c7:1a:3c:6e:7b:63:
8b:bd:e5:f2:99:c8:2e:5c:e4:ed:a0:1d:b4:c1:64:
b8:71:27:23:23:2f:93:54:b4:d8:99:b5:a4:35:7b:
dd:82:ef:b4:ee:d4:fb:f4:91:58:af:5e:f2:8f:37:
9d:5a:9f:62:99:f9:26:31:d8:74:08:71:2f:bc:1d:
40:a6:43
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
Signature Algorithm: sha256WithRSAEncryption
16:77:4d:7b:ef:89:3d:31:45:07:8f:a3:c4:ad:ed:89:a0:9b:
b6:ab:74:59:1a:fb:7b:48:e1:e0:3c:75:73:dc:e3:e2:1b:a3:
74:a1:0d:37:ea:ac:85:fb:1c:e0:86:f1:86:ee:78:51:fd:4d:
58:04:8b:5c:6b:b3:06:1c:07:04:a1:c5:51:a9:d1:4c:24:42:
7c:ef:1e:35:c5:df:00:79:44:91:a1:f5:cb:71:5b:a7:85:b1:
f3:36:3c:75:e7:f8:d5:29:85:18:2e:ff:79:e1:eb:1f:72:24:
6a:36:a4:17:4e:76:4d:5d:d1:85:c4:18:c3:f4:83:07:10:3f:
7a:e2:36:33:48:1d:da:5d:08:2a:59:4f:3a:97:74:b7:d8:97:
85:b0:b1:82:f8:46:d5:df:75:d9:56:77:34:0e:26:d5:3a:eb:
8b:02:5e:d1:c3:fd:16:22:1f:ab:86:76:c4:cf:5b:d5:d5:bd:
da:70:76:9e:18:bd:2f:16:c0:89:fe:cc:e0:93:63:f0:23:65:
37:4c:6c:f5:e4:a7:fd:b2:02:86:91:6a:f5:31:b2:93:cc:33:
87:38:57:6b:55:59:7e:ed:02:13:5d:6f:4f:15:91:ac:7e:7f:
52:57:35:de:ec:87:38:bf:fe:7e:bd:5d:3c:ef:43:a9:d1:13:
ab:ed:6f:ac:cf:bf:7e:e8:35:0b:92:97:08:05:78:db:68:e0:
b1:05:2a:49:6e:00:34:71:a5:0f:5b:1c:17:47:9e:23:6f:64:
d7:f0:93:60:12:7f:6d:0a:cd:15:e7:de:72:c4:76:86:ef:4d:
65:c6:2a:1a:c4:35:0e:08:07:c5:ee:34:aa:9e:e1:90:d4:66:
87:0f:1f:32:fa:21:7e:4f:01:9b:6d:19:20:ed:e5:9d:1a:ee:
b3:e6:c4:93:4b:a4:cc:62:db:65:c1:b9:3b:05:a8:45:38:87:
29:6d:8c:86:86:7b:c5:3d:89:85:c8:8e:f5:da:7d:c5:89:31:
49:7b:af:9e:ff:03:89:db:ac:65:c5:5f:78:0d:cf:91:6f:19:
6a:e4:eb:b6:d5:46:ff:3b:8c:44:cd:00:7b:3c:ed:6f:f6:79:
61:93:12:08:58:7c:d5:02:9b:a7:4c:a0:c6:1a:f8:d9:b1:b6:
1e:77:75:1d:24:e8:d2:ff:61:ee:a8:85:e5:1b:49:cf:3c:91:
56:ea:e5:0e:6e:39:96:d0:d4:b7:95:25:e3:1a:a3:82:26:c8:
3f:53:47:fe:93:10:c4:bf:91:b5:7d:40:d2:2e:22:8e:7f:e5:
8a:4c:6e:03:04:de:f7:81:95:fc:a9:0f:31:51:ab:21:9d:20:
06:64:c2:9e:41:db:07:86
Respuesta1
Su certificado de servidor no es válido porque ha excluido su dirección IP en el certificado de CA. Aquí está el texto relevante de RFC5280:
Any name matching a restriction in the excludedSubtrees
field is invalid regardless of information appearing in the
permittedSubtrees.
Sólo deja caer elexcluidoparte de su certificado CA y todo debería funcionar. Si las restricciones de nombre contienen sólo unpermitidosección, todos los demás nombres no se permitirán de todos modos.
Lea esta publicación de blogpara obtener una buena explicación sobre cómo se procesan los subárboles.