Google Chrome 中“導入憑證時私鑰遺失或無效”

Question 1

我認為您可能想要做的是將其添加到錯誤的證書存儲中。如果您嘗試將其新增至「您的憑證」下，您將會遇到麻煩。此選項卡用於新增身分識別證書；您的瀏覽器提供伺服器什麼來建立瀏覽器的身份。

根據您的描述，我認為您想要做的是您希望瀏覽器信任伺服器端的自簽名憑證。如果是這種情況，您需要將其新增至「權限」標籤。

Answer

我認為您可能想要做的是將其添加到錯誤的證書存儲中。如果您嘗試將其新增至「您的憑證」下，您將會遇到麻煩。此選項卡用於新增身分識別證書；您的瀏覽器提供伺服器什麼來建立瀏覽器的身份。

根據您的描述，我認為您想要做的是您希望瀏覽器信任伺服器端的自簽名憑證。如果是這種情況，您需要將其新增至「權限」標籤。

Question 2

對我有用的是

設立CA
使用此 CA 簽署我自己的證書，然後
將 CA 金鑰導入 Chrome（權威機構）。

我從那裡得到了程序這回答SO。

由於我的具體問題是為了滿足多層次子域的需求，因此我將從這個角度來看待它。

子域：

bar.fooz.mydomain.com
foo.fooz.mydomain.com

成為證書頒發機構

export CA=myca
# you probably want to have this in its own directory
mdkir /etc/ssl/$CA && cd /etc/ssl/$CA

# generate private key
openssl genrsa -des3 -out $CA.key 2048

# generate root certificate
openssl req -x509 -new -nodes -key $CA.key -sha256 -days 825 -out $CA.pem

建立 CA 簽署的憑證

export NAME=fooz.mydomain.com
# if CA files were in a separate directory
cd .. && mkdir /etc/ssl/$NAME && cd /etc/ssl/$NAME

# generate private key
openssl genrsa -out $NAME.key 2048

# Create a certificate-signing request
# Once prompted, set FQDN to the value of $NAME
openssl req -new -key $NAME.key -out $NAME.csr

# Create a config file for the extensions
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
# Optionally, add additional domains (I've added a subdomain here)
DNS.2 = foo.$NAME
DNS.3 = bar.$NAME
IP.1 = 192.168.0.13 # (Optional, but probably important), add an IP address (if the connection which you have planned requires it)
EOF

# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA $CA.pem -CAkey $CA.key -CAcreateserial -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext

下載$CA.pem檔案並在瀏覽器中以權威身分匯入：

    1. Chrome settings (Settings > Privacy and Security > Security > Manage certificates > Authorities > Import). Check Trust this certificate for identifying websites
    2. Firefox: Preferences > Privacy and Security > Certificates > View Certificates > Authorities > import. Check Trust this CA to identify websites

重新啟動瀏覽器（Firefox 無需重新啟動即可運作）

Answer

對我有用的是

設立CA
使用此 CA 簽署我自己的證書，然後
將 CA 金鑰導入 Chrome（權威機構）。

我從那裡得到了程序這回答SO。

由於我的具體問題是為了滿足多層次子域的需求，因此我將從這個角度來看待它。

子域：

bar.fooz.mydomain.com
foo.fooz.mydomain.com

成為證書頒發機構

export CA=myca
# you probably want to have this in its own directory
mdkir /etc/ssl/$CA && cd /etc/ssl/$CA

# generate private key
openssl genrsa -des3 -out $CA.key 2048

# generate root certificate
openssl req -x509 -new -nodes -key $CA.key -sha256 -days 825 -out $CA.pem

建立 CA 簽署的憑證

export NAME=fooz.mydomain.com
# if CA files were in a separate directory
cd .. && mkdir /etc/ssl/$NAME && cd /etc/ssl/$NAME

# generate private key
openssl genrsa -out $NAME.key 2048

# Create a certificate-signing request
# Once prompted, set FQDN to the value of $NAME
openssl req -new -key $NAME.key -out $NAME.csr

# Create a config file for the extensions
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
# Optionally, add additional domains (I've added a subdomain here)
DNS.2 = foo.$NAME
DNS.3 = bar.$NAME
IP.1 = 192.168.0.13 # (Optional, but probably important), add an IP address (if the connection which you have planned requires it)
EOF

# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA $CA.pem -CAkey $CA.key -CAcreateserial -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext

下載$CA.pem檔案並在瀏覽器中以權威身分匯入：

    1. Chrome settings (Settings > Privacy and Security > Security > Manage certificates > Authorities > Import). Check Trust this certificate for identifying websites
    2. Firefox: Preferences > Privacy and Security > Certificates > View Certificates > Authorities > import. Check Trust this CA to identify websites

重新啟動瀏覽器（Firefox 無需重新啟動即可運作）

Question 3

Chrome 需要 PKCS12 格式的文件，用於將憑證、任何中間憑證和私鑰儲存到單一可加密檔案。這些檔案通常具有.p12和.pfx擴展名。

要產生一個，請使用以下命令

openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12

該命令將要求輸入密碼，我們需要記住該密碼並在將生成的p12檔案匯入 chrome 時使用它。

Answer

Chrome 需要 PKCS12 格式的文件，用於將憑證、任何中間憑證和私鑰儲存到單一可加密檔案。這些檔案通常具有.p12和.pfx擴展名。

要產生一個，請使用以下命令

openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12

該命令將要求輸入密碼，我們需要記住該密碼並在將生成的p12檔案匯入 chrome 時使用它。

Google Chrome 中“導入憑證時私鑰遺失或無效”

答案1

答案2

答案3

相關內容