
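I want to use self-signed x509 certificates in my test environment, so I have been working from Ivan Ristic's "OpenSSL Cookbook". It is a great resource. I also decided to go the private CA route.
However, Chrome complains that my site/https endpoint is not secure, with the error "NET::ERR_CERT_AUTHORITY_INVALID". openssl s_client also reports a verify error:num=48:excluded subtree violation. Firefox shows an error page with "SEC_ERROR_CERT_NOT_IN_NAME_SPACE".
I cannot figure out why the excluded subtree violation occurs. With my limited knowledge (this is my first time using private CA functionality), I may have wrongly assumed that my host.cnf has a SAN hostname that is permitted by the nameConstraints in root-ca.conf. I would appreciate any insight into, and correction of, my misunderstanding of the openssl configuration files.
Section "4.2.1.10. Name Constraints" of rfc5280 states:
DNS name restrictions are expressed as host.example.com. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, www.host.example.com would satisfy the constraint but host1.example.com would not.
However, I see many examples of SANs and nameConstraints that use the leading-dot notation, so I tried two DNS nameConstraints in root-ca.conf. I'm desperate, so I'll assume one of the two may be correct ...
Gory details:
I set up the root-ca and sub-ca configuration files and generated the corresponding CSRs, root-ca.crt and sub-ca.crt with the following commands.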
(on the target machine - but I haven't found any docs saying this is required)
openssl genrsa -aes128 -out host-private.key 2048
openssl req -new -key host-private.key -out host.csr -passin pass:XXXX -config host.cnf
I copied host.csr to my CA environment. To generate the root CA certificate, I ran the following commands:
openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
To generate the intermediate/sub CA certificate:
openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
Then I created the host certificate:
openssl ca -config sub-ca.conf -in host.csr -out host.crt -extensions server_ext
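I created a chain certificate to deploy to my nginx environment: host.csr + sub-ca.crt + root-ca.crt
I also added root-ca.crt to the host's CA trust store. I am using nginx as an SSL/TLS-terminating reverse proxy for several internal services via the ngx_http_proxy module. I also added the generated root-ca.crt to the CE trust store of my Chrome installation. The site information shown in Chrome correctly has the root CA, sub CA and host certificate in the certificate hierarchy.
host.cnf: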
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
# the use of -passin overrides this
input_password = PASSPHRASE
[dn]
CN = rt168openmbee.serc.stevens.edu
emailAddress = [email protected]
O = SERC
L = Hoboken
ST = NJ
C = US
[ext]
subjectAltName = DNS:rt168openmbee.serc.stevens.edu,IP:155.246.39.32
root-ca.conf:
[default]
name = root-ca
domain_suffix = serc.stevens.edu
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "US"
organizationName = "SERC"
commonName = "Root CA"
[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[name_constraints]
permitted;DNS.0=serc.stevens.edu
permitted;DNS.1=.serc.stevens.edu
permitted;IP.0=155.246.39.0/255.255.255.0
excluded;IP.1=0.0.0.0/0.0.0.0
excluded;IP.2=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
noCheck = yes
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
sub-ca.conf:
[default]
name = sub-ca
domain_suffix = serc.stevens.edu
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "US"
organizationName = "SERC"
commonName = "Sub CA"
[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = copy
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 2048
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
The certificates retrieved using openssl s_client -showcerts -connect are as follows (the saved PEM certificates were run through openssl x509 -text ...).
Host certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
29:d9:fb:61:7a:0f:ba:c3:51:28:a3:05:14:df:8a:b1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Sub CA
Validity
Not Before: Jul 18 19:52:13 2019 GMT
Not After : Jul 17 19:52:13 2020 GMT
Subject: C = US, ST = NJ, O = SERC, CN = rt168openmbee.serc.stevens.edu, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://sub-ca.serc.stevens.edu/sub-ca.crt
OCSP - URI:http://ocsp.sub-ca.serc.stevens.edu:9081
X509v3 Authority Key Identifier:
keyid:FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://sub-ca.serc.stevens.edu/sub-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
4F:60:83:45:A3:32:DB:C4:5C:AD:C1:BD:69:09:AF:E2:55:13:1A:6A
X509v3 Subject Alternative Name:
DNS:rt168openmbee.serc.stevens.edu, IP Address:155.246.39.32
Signature Algorithm: sha256WithRSAEncryption
Intermediate CA certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:cb
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Root CA
Validity
Not Before: Jul 18 19:49:50 2019 GMT
Not After : Jul 15 19:49:50 2029 GMT
Subject: C = US, O = SERC, CN = Sub CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://root-ca.serc.stevens.edu/root-ca.crt
OCSP - URI:http://ocsp.root-ca.serc.stevens.edu:9080
X509v3 Authority Key Identifier:
keyid:F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 CRL Distribution Points:
Full Name:
URI:http://root-ca.serc.stevens.edu/root-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Name Constraints:
Permitted:
DNS:serc.stevens.edu
DNS:.serc.stevens.edu
IP:155.246.39.0/255.255.255.0
Excluded:
IP:0.0.0.0/0.0.0.0
IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
X509v3 Subject Key Identifier:
FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
Signature Algorithm: sha256WithRSAEncryption
Root CA certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Root CA
Validity
Not Before: Jul 18 19:47:30 2019 GMT
Not After : Jul 15 19:47:30 2029 GMT
Subject: C = US, O = SERC, CN = Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
Signature Algorithm: sha256WithRSAEncryption
Answer 1
The server certificate is not valid because you excluded IP addresses in the CA certificate. The relevant text from RFC5280 is:
Any name matching a restriction in the excludedSubtrees
field is invalid regardless of information appearing in the
permittedSubtrees.
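Just drop the excluded part of the CA certificate and everything should work. When the name constraints have a permitted section, all other names are not permitted.
Read this blog post for a good explanation of how the subtrees are processed.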
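
To make the answer's point concrete, here is an added example (not from the original question or answer, and not OpenSSL's code) that evaluates the host certificate's SAN entries against the sub CA's name constraints as RFC 5280 describes them. The function names are hypothetical, and the subdomains-only handling of a leading-dot DNS constraint is an assumption about validator behaviour.

```python
import ipaddress

# Constraints and SAN copied from the certificates shown on this page.
PERMITTED = [("DNS", "serc.stevens.edu"), ("DNS", ".serc.stevens.edu"),
             ("IP", "155.246.39.0/255.255.255.0")]
EXCLUDED = [("IP", "0.0.0.0/0.0.0.0"),
            ("IP", "0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0")]
SAN = [("DNS", "rt168openmbee.serc.stevens.edu"), ("IP", "155.246.39.32")]


def dns_matches(name, constraint):
    """RFC 5280 4.2.1.10: the constraint itself, or labels added on its left."""
    name, constraint = name.lower().rstrip("."), constraint.lower()
    if constraint.startswith("."):
        # Assumption: a leading dot matches subdomains only, not the bare domain.
        return name.endswith(constraint)
    return name == constraint or name.endswith("." + constraint)


def ip_matches(addr, constraint):
    """Constraint is address/mask; compare the masked bits of the same IP version."""
    base, mask = (ipaddress.ip_address(p) for p in constraint.split("/"))
    ip = ipaddress.ip_address(addr)
    if ip.version != base.version:
        return False
    return (int(ip) & int(mask)) == (int(base) & int(mask))


def matches(kind, value, constraint):
    return (dns_matches if kind == "DNS" else ip_matches)(value, constraint)


def check_name(kind, value, permitted, excluded):
    """Return 'ok', 'excluded' or 'not permitted' for one SAN entry."""
    if any(k == kind and matches(kind, value, c) for k, c in excluded):
        return "excluded"  # wins regardless of what permitted says
    same_type = [c for k, c in permitted if k == kind]
    # permitted only restricts the name types it actually lists
    if same_type and not any(matches(kind, value, c) for c in same_type):
        return "not permitted"
    return "ok"


def check_san(san, permitted, excluded):
    return {f"{k}:{v}": check_name(k, v, permitted, excluded) for k, v in san}


if __name__ == "__main__":
    print("as issued:       ", check_san(SAN, PERMITTED, EXCLUDED))
    print("excluded dropped:", check_san(SAN, PERMITTED, []))
```

With the constraints as issued, the DNS name passes and only the IP entry is rejected, because the all-zero mask in the excluded subtree matches every address; with the excluded entries dropped, the permitted list alone still rejects addresses outside 155.246.39.0/24.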