x509 certificate with excluded subtree violation problem

I would like to use self-signed x509 certificates in our test environment, so I followed the process described in the "OpenSSL Cookbook". Great resource. I decided to go the private CA route as well.

However, Chrome complains that my site/https endpoint is not secure, with a "NET::ERR_CERT_AUTHORITY_INVALID" error. openssl s_client also produces a verify error:num=48:excluded subtree violation. Firefox gives me a "SEC_ERROR_CERT_NOT_IN_NAME_SPACE" error page.

I don't know why the excluded subtree violation? With my limited knowledge (first time using the private CA functionality), I am probably wrong in thinking that my host.cnf has SAN hostnames that are permitted through the nameConstraints in my root-ca.conf? I would appreciate any insights and corrections to my misunderstanding of the openssl config files.

RFC 5280 section "4.2.1.10. Name Constraints" states that:

DNS name restrictions are expressed as host.example.com. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, www.host.example.com would satisfy the constraint but host1.example.com would not.

But I am seeing many SAN and nameConstraints examples that use the leading-dot notation - so I tried both DNS nameConstraints in my root-ca.conf. I am desperate, so I assume either of the two could be correct ...

Gory details:
I set up my root-ca and sub-ca config files and created the corresponding CSRs, root-ca.crt and sub-ca.crt, via the following commands:

(on the target machine - but I haven't found any docs saying this is required)
openssl genrsa -aes128 -out host-private.key 2048
openssl req -new -key host-private.key -out host.csr -passin pass:XXXX -config host.cnf

I copied host.csr to my CA environment. I ran the following commands to create the root CA certificate:

openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext

to create the intermediate/subordinate CA certificate:

openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext

Then I created the host certificate:

openssl ca -config sub-ca.conf -in host.csr -out host.crt -extensions server_ext

I created a chain certificate for deployment in my nginx environment: host.csr + sub-ca.crt + root-ca.crt

I also added root-ca.crt to my host's trusted CA store. I am using nginx as the SSL/TLS-terminating reverse proxy for several internal services via the ngx_http_proxy module. I also added the generated root-ca.crt to the trusted CA store of my Chrome installation. The site information displayed by Chrome shows the root-ca, sub-ca and host certificates correctly in the certificate hierarchy.

host.cnf:

[req]
prompt = no
distinguished_name = dn
req_extensions = ext
# the use of -passin overrides this 
input_password = PASSPHRASE
[dn]
CN = rt168openmbee.serc.stevens.edu
emailAddress = [email protected]
O = SERC
L = Hoboken
ST = NJ
C = US
[ext]
subjectAltName = DNS:rt168openmbee.serc.stevens.edu,IP:155.246.39.32

root-ca.conf:

[default]
name                    = root-ca
domain_suffix           = serc.stevens.edu 
aia_url                 = http://$name.$domain_suffix/$name.crt
crl_url                 = http://$name.$domain_suffix/$name.crl
ocsp_url                = http://ocsp.$name.$domain_suffix:9080
default_ca              = ca_default
name_opt                = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName             = "US"
organizationName        = "SERC"
commonName              = "Root CA"

[ca_default]
home                    = .
database                = $home/db/index
serial                  = $home/db/serial
crlnumber               = $home/db/crlnumber
certificate             = $home/$name.crt
private_key             = $home/private/$name.key
RANDFILE                = $home/private/random
new_certs_dir           = $home/certs
unique_subject          = no
copy_extensions         = none
default_days            = 3650
default_crl_days        = 365
default_md              = sha256
policy                  = policy_c_o_match

[policy_c_o_match]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[req]
default_bits            = 4096
encrypt_key             = yes
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = ca_dn
req_extensions          = ca_ext

[ca_ext]
basicConstraints        = critical,CA:true
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash

[sub_ca_ext]
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:true,pathlen:0
crlDistributionPoints   = @crl_info
extendedKeyUsage        = clientAuth,serverAuth
keyUsage                = critical,keyCertSign,cRLSign
nameConstraints         = @name_constraints
subjectKeyIdentifier    = hash

[crl_info]
URI.0                   = $crl_url

[issuer_info]
caIssuers;URI.0         = $aia_url
OCSP;URI.0              = $ocsp_url

[name_constraints]
permitted;DNS.0=serc.stevens.edu
permitted;DNS.1=.serc.stevens.edu
permitted;IP.0=155.246.39.0/255.255.255.0
excluded;IP.1=0.0.0.0/0.0.0.0
excluded;IP.2=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
extendedKeyUsage        = OCSPSigning
noCheck                 = yes
keyUsage                = critical,digitalSignature
subjectKeyIdentifier    = hash

sub-ca.conf:

[default]
name                    = sub-ca
domain_suffix           = serc.stevens.edu
aia_url                 = http://$name.$domain_suffix/$name.crt
crl_url                 = http://$name.$domain_suffix/$name.crl
ocsp_url                = http://ocsp.$name.$domain_suffix:9081
default_ca              = ca_default
name_opt                = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName             = "US"
organizationName        = "SERC"
commonName              = "Sub CA"

[ca_default]
home                    = .
database                = $home/db/index
serial                  = $home/db/serial
crlnumber               = $home/db/crlnumber
certificate             = $home/$name.crt
private_key             = $home/private/$name.key
RANDFILE                = $home/private/random
new_certs_dir           = $home/certs
unique_subject          = no
copy_extensions         = copy
default_days            = 365
default_crl_days        = 30
default_md              = sha256
policy                  = policy_c_o_match

[policy_c_o_match]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[req]
default_bits            = 2048
encrypt_key             = yes
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = ca_dn

[server_ext]
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
crlDistributionPoints   = @crl_info
extendedKeyUsage        = clientAuth,serverAuth
keyUsage                = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier    = hash

[client_ext]
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
crlDistributionPoints   = @crl_info
extendedKeyUsage        = clientAuth
keyUsage                = critical,digitalSignature
subjectKeyIdentifier    = hash

[crl_info]
URI.0                   = $crl_url

[issuer_info]
caIssuers;URI.0         = $aia_url
OCSP;URI.0              = $ocsp_url

[ocsp_ext]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
extendedKeyUsage        = OCSPSigning
keyUsage                = critical,digitalSignature
subjectKeyIdentifier    = hash

Using openssl s_client -showcerts -connect, here are the retrieved certificates (the saved PEM certificates run through openssl x509 -text ...).
host certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            29:d9:fb:61:7a:0f:ba:c3:51:28:a3:05:14:df:8a:b1
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = SERC, CN = Sub CA
        Validity
            Not Before: Jul 18 19:52:13 2019 GMT
            Not After : Jul 17 19:52:13 2020 GMT
        Subject: C = US, ST = NJ, O = SERC, CN = rt168openmbee.serc.stevens.edu, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access: 
                CA Issuers - URI:http://sub-ca.serc.stevens.edu/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.serc.stevens.edu:9081

            X509v3 Authority Key Identifier: 
                keyid:FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://sub-ca.serc.stevens.edu/sub-ca.crl

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier: 
                4F:60:83:45:A3:32:DB:C4:5C:AD:C1:BD:69:09:AF:E2:55:13:1A:6A
            X509v3 Subject Alternative Name: 
                DNS:rt168openmbee.serc.stevens.edu, IP Address:155.246.39.32
    Signature Algorithm: sha256WithRSAEncryption

intermediate CA certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:cb
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = SERC, CN = Root CA
        Validity
            Not Before: Jul 18 19:49:50 2019 GMT
            Not After : Jul 15 19:49:50 2029 GMT
        Subject: C = US, O = SERC, CN = Sub CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access: 
                CA Issuers - URI:http://root-ca.serc.stevens.edu/root-ca.crt
                OCSP - URI:http://ocsp.root-ca.serc.stevens.edu:9080

            X509v3 Authority Key Identifier: 
                keyid:F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://root-ca.serc.stevens.edu/root-ca.crl

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Name Constraints: 
                Permitted:
                  DNS:serc.stevens.edu
                  DNS:.serc.stevens.edu
                  IP:155.246.39.0/255.255.255.0
                Excluded:
                  IP:0.0.0.0/0.0.0.0
                  IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

            X509v3 Subject Key Identifier: 
                FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
    Signature Algorithm: sha256WithRSAEncryption

root CA certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:ca
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = SERC, CN = Root CA
        Validity
            Not Before: Jul 18 19:47:30 2019 GMT
            Not After : Jul 15 19:47:30 2029 GMT
        Subject: C = US, O = SERC, CN = Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
    Signature Algorithm: sha256WithRSAEncryption

Answer

Your server certificate is invalid because you excluded your IP address in the CA certificate. Here is the relevant text from RFC 5280:

Any name matching a restriction in the excludedSubtrees
field is invalid regardless of information appearing in the
permittedSubtrees.

Just drop the excluded part from your CA certificate and everything should work. If the name constraints contain only a permitted section, all other names are not permitted anyway.

Read this blog post for a good explanation of how the subtrees are processed.
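As an added example (not code from the original post or from OpenSSL), the following Python models the RFC 5280 permitted/excluded subtree rules with the question's own constraints and SAN: the IP name is rejected because the excluded 0.0.0.0/0.0.0.0 entry wins over the permitted 155.246.39.0/255.255.255.0 entry, and it passes once the excluded entries are dropped. The leading-dot DNS handling follows OpenSSL's convention; the function names are my own.

```python
"""RFC 5280 name-constraint check for the SANs in this question.

Added example, not code from the original post or from OpenSSL. It models
the permitted/excluded subtree rules of RFC 5280 section 4.2.1.10 (plus the
OpenSSL convention that a leading-dot DNS base matches only names with at
least one extra label) to show why the host certificate fails and why
dropping the excluded subtrees fixes it.
"""
import ipaddress


def dns_in_subtree(name, base):
    """True if zero or more labels prepended to base yield name.
    A leading-dot base (".serc.stevens.edu") needs at least one extra label."""
    name, base = name.lower(), base.lower()
    if base.startswith("."):
        return name.endswith(base) and len(name) > len(base)
    return name == base or name.endswith("." + base)


def ip_in_subtree(addr, base):
    """iPAddress constraints are address+mask pairs (155.246.39.0/255.255.255.0).
    A constraint of one IP version never applies to a name of the other."""
    ip = ipaddress.ip_address(addr)
    net, mask = (ipaddress.ip_address(p) for p in base.split("/"))
    if ip.version != net.version:
        return False
    return int(ip) & int(mask) == int(net) & int(mask)


MATCHERS = {"DNS": dns_in_subtree, "IP": ip_in_subtree}


def check_name(kind, value, permitted, excluded):
    """Return None if the name is acceptable, else the reason it is rejected.
    kind is "DNS" or "IP"; permitted/excluded are lists of (kind, base)."""
    match = MATCHERS[kind]
    # excludedSubtrees win regardless of what permittedSubtrees says.
    for k, base in excluded:
        if k == kind and match(value, base):
            return f"{kind}:{value} is in excluded subtree {base}"
    # A name type with no permitted entry at all is left unconstrained.
    bases = [base for k, base in permitted if k == kind]
    if bases and not any(match(value, b) for b in bases):
        return f"{kind}:{value} is outside every permitted subtree"
    return None


def check_san(san, permitted, excluded):
    """Evaluate every SAN entry; an empty list means the names would verify."""
    problems = []
    for kind, value in san:
        reason = check_name(kind, value, permitted, excluded)
        if reason:
            problems.append(reason)
    return problems


# Constraints transcribed from the [name_constraints] section of root-ca.conf.
PERMITTED = [("DNS", "serc.stevens.edu"), ("DNS", ".serc.stevens.edu"),
             ("IP", "155.246.39.0/255.255.255.0")]
EXCLUDED = [("IP", "0.0.0.0/0.0.0.0"), ("IP", "0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0")]
# The host certificate's SAN as shown in the dump above.
HOST_SAN = [("DNS", "rt168openmbee.serc.stevens.edu"), ("IP", "155.246.39.32")]

if __name__ == "__main__":
    print(check_san(HOST_SAN, PERMITTED, EXCLUDED))  # the asker's chain: rejected
    print(check_san(HOST_SAN, PERMITTED, []))        # excluded dropped: []
```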
