SSL certificate doesn't work for the IP address in the SAN

I'm trying to make an SSL certificate for a server that is used internally, without Chrome showing a warning. I created it using a SAN with several subject alternative names for localhost and the IP address. For some reason it works on localhost, but using the IP address gives an error in both curl and Chrome.

$ curl https://192.168.1.50 
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

$ curl https://localhost
<a href="https://localhost:9090/">Moved Permanently</a>.

When I inspect it on the command line, both names are listed under the SAN section, so I'm not sure why this isn't working.

$ openssl x509 -text -noout -in server.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8d:93:a1:be:d1:03:8f:59
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=Los Angeles, O=Alt Systems, OU=Internal, CN=Elliott/emailAddress=xxxxxx
        Validity
            Not Before: Nov  5 21:32:19 2019 GMT
            Not After : Mar 19 21:32:19 2021 GMT
        Subject: C=US, ST=CA, L=Los Angeles, O=Alt Systems, OU=Internal/emailAddress=xxxxxx, CN=alt-pix-la
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:53:b6:0b:f0:94:c1:a8:26:93:79:5a:45:86:
                    36:ac:60:c2:40:a2:bf:25:69:90:9f:8b:b9:3f:63:
                    30:ae:48:cc:f9:f0:9d:d4:15:3d:1c:20:bc:29:6f:
                    57:8f:7d:e9:a5:db:2b:2c:ac:1a:6f:6d:b9:17:98:
                    0e:a0:17:1f:3e:28:4e:42:bd:af:2e:54:dd:ec:ff:
                    7b:00:a5:ed:59:97:8a:6f:95:04:c9:eb:3a:6c:ec:
                    9e:c9:7e:12:ee:ce:cc:be:b7:c1:d3:fe:f6:cf:1d:
                    0d:68:07:68:52:7a:30:5f:f1:29:36:64:b2:a5:e8:
                    5e:a7:f9:75:ab:4b:aa:4b:12:aa:44:59:a3:df:18:
                    45:81:52:b1:4d:00:a4:f2:eb:7e:0d:3e:05:f9:94:
                    1a:aa:e4:2e:9a:ee:0c:59:91:b9:63:f3:5d:98:3b:
                    32:4e:f7:1b:47:e5:a7:54:5c:ba:75:9b:88:09:07:
                    cc:93:06:c3:8a:76:78:83:98:69:1a:8b:e2:fd:cf:
                    70:51:35:09:ba:67:ca:c1:81:f4:65:72:0a:15:7a:
                    12:2d:bc:65:04:7f:b8:c3:22:2b:79:8d:9a:62:54:
                    d2:89:3f:4a:02:72:36:27:6c:ad:50:4d:96:e5:a1:
                    df:8b:fe:51:0b:67:1b:44:4e:57:fc:bb:d7:1d:77:
                    9f:c3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:BC:39:94:F0:DC:DF:5D:8E:12:E1:DA:5F:8F:7C:C8:02:B4:0E:19:19

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:192.168.1.50
    Signature Algorithm: sha256WithRSAEncryption
         54:8e:98:93:53:c2:af:fc:b7:03:5c:6d:d3:7d:9a:d9:2f:99:
         ac:29:dc:0f:02:55:36:9e:70:57:68:df:27:5f:5e:a8:43:05:
         ff:a4:7e:bd:15:99:ff:aa:67:35:93:90:35:e0:e7:20:b4:77:
         7c:bf:6f:29:13:46:fc:56:81:58:60:67:14:ae:a1:1b:44:80:
         92:81:7f:ed:5c:bc:75:36:a9:11:52:9b:28:e1:18:d6:a4:17:
         35:13:6c:bd:be:64:db:70:a5:d4:7f:3e:16:26:73:f9:27:ed:
         7b:03:44:b3:59:2d:53:8d:e2:77:f1:6d:8d:21:c0:d0:2c:96:
         27:0c:c6:4e:6f:63:35:61:3e:b5:62:05:88:76:b5:99:ca:7d:
         64:f9:6b:f4:9b:18:8e:3a:77:82:59:d2:13:c0:14:3c:0a:dc:
         8d:82:38:ca:af:e9:43:06:83:ae:6e:4f:73:29:1d:0a:da:91:
         ea:72:f4:26:f3:59:98:8d:ca:1a:ad:19:17:fd:bb:9f:62:bf:
         85:e0:12:bd:9b:93:26:73:2b:9a:77:ff:c4:34:29:25:fc:c7:
         13:8f:94:b3:28:d7:79:dc:54:57:6c:3d:01:f0:37:5c:a9:28:
         23:13:89:7b:c5:63:51:eb:fc:ad:37:d1:31:cf:f4:2f:8c:9c:
         5f:35:07:79

Answer 1

You're using the wrong SAN type. Only actual domain names are allowed in "DNS"-type SANs. IP addresses have the "iPAddress" type ([7] OCTET STRING).

For OpenSSL you can use:

subjectAltName=IP:192.168.1.50

subjectAltName=IP:2001:db8:1234::4567

Answer 2

You need to add the IP address to the SAN. This works for me; add the IP address like this:

[alternate_names]
IP.1 = 127.0.0.1

Answer 3

End-to-end example with OpenSSL: you need to create a config named openssl-san.cnf (source: https://help.bizagi.com/bpm-suite/en/index.html?subjectaltname_support.htm):

[ req ]
default_bits           = 4096
distinguished_name     = req_distinguished_name
req_extensions         = req_ext

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
stateOrProvinceName    = State or Province Name (full name)
localityName           = Locality Name (eg, city)
organizationName       = Organization Name (eg, company)
commonName             = Common Name (e.g. server FQDN or YOUR name)

# Optionally, specify some defaults.
countryName_default            = [Country]
stateOrProvinceName_default    = [State]
localityName_default           = [City]
0.organizationName_default     = [Organization]
organizationalUnitName_default = [Organization unit]
emailAddress_default           = [Email]

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1   = [DNS1]
DNS.2   = [DNS2]
# IP addresses go under IP.n (iPAddress type), never under DNS.n
IP.1    = [IP Address]

Then run this command to generate the key and the certificate signing request (CSR):

openssl req -newkey rsa:4096 -keyout key.key -out keycsr.csr -config openssl-san.cnf

To check the CSR you generated:

openssl req -text -noout -verify -in keycsr.csr

You can then either sign the CSR yourself or hand it to a CA for signing.
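The following script is an added example and is not code from the question or from any of the answers above. It runs the Answer 3 procedure end to end (config, key and CSR, CSR check, self-signing) with the IP placed under IP.1 as Answer 1 requires, and then asks OpenSSL the same question curl and Chrome ask: does this certificate match 192.168.1.50? For contrast it also builds a certificate that repeats the question's mistake, with the IP listed as a DNS entry. It assumes OpenSSL 1.1.1 or newer on PATH; the work directory, file names, CN and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the question or from any of the answers above.
# Runs Answer 3's procedure end to end (config -> key + CSR -> check the CSR
# -> self-sign) with the IP placed under IP.1 as Answer 1 requires, then asks
# OpenSSL the question curl and Chrome ask: does this certificate match
# 192.168.1.50? A second certificate that repeats the question's mistake (the
# IP listed as a DNS entry) is built for contrast.
# Assumes OpenSSL 1.1.1 or newer on PATH; the work dir, file names, CN and
# addresses below are constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST_IP=192.168.1.50   # constructed; same address as in the question
HOST_DNS=localhost

# Request config in the shape of Answer 3's openssl-san.cnf. prompt = no makes
# openssl read the DN from the file instead of asking interactively.
write_san_config() {
  cat > "$WORK/openssl-san.cnf" <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
CN = alt-pix-la

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $HOST_DNS
IP.1  = $HOST_IP
EOF
}

# Key + CSR, the CSR check from Answer 3, then a self-signed certificate that
# carries the req_ext section over (a real CA would do this last step).
# Prints the certificate path.
make_good_cert() {
  write_san_config
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.key" \
    -out "$WORK/keycsr.csr" -config "$WORK/openssl-san.cnf" >/dev/null 2>&1
  openssl req -noout -verify -in "$WORK/keycsr.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/keycsr.csr" -signkey "$WORK/key.key" -days 30 \
    -extfile "$WORK/openssl-san.cnf" -extensions req_ext \
    -out "$WORK/good.pem" >/dev/null 2>&1
  echo "$WORK/good.pem"
}

# Contrast certificate: the IP written as DNS:192.168.1.50, as in the question.
make_bad_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/bad.key" \
    -out "$WORK/bad.pem" -days 30 -subj "/CN=alt-pix-la" \
    -addext "subjectAltName=DNS:$HOST_DNS,DNS:$HOST_IP" >/dev/null 2>&1
  echo "$WORK/bad.pem"
}

# The SAN line as openssl x509 -text prints it, e.g.
# "DNS:localhost, IP Address:192.168.1.50".
san_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# Exit 0 when OpenSSL accepts the certificate for that IP or host name. This is
# the rule curl and Chrome apply too: an IP target is matched only against
# iPAddress entries, never against DNS entries or the CN.
accepts_ip()   { openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1; }
accepts_host() { openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; }

main() {
  good=$(make_good_cert)
  bad=$(make_bad_cert)
  for cert in "$good" "$bad"; do
    echo "$(basename "$cert"): SAN = $(san_of "$cert")"
    if accepts_ip "$cert" "$HOST_IP"; then ip=match; else ip=MISMATCH; fi
    if accepts_host "$cert" "$HOST_DNS"; then host=match; else host=MISMATCH; fi
    echo "  $HOST_IP -> $ip, $HOST_DNS -> $host"
  done
}

main
```

Run it with `sh san-check.sh`. good.pem matches both the IP and localhost, while bad.pem matches localhost only, which is exactly the symptom in the question: the entry is present in the SAN, but under the DNS type, so an IP lookup never consults it. `openssl verify -verify_ip` is a convenient pre-deployment check for any certificate that is meant to be reached by address.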