证书颁发机构不工作

Question

如果我的理解是正确的，那么CA的作用就像父证书一样，用于验证其他由CA证书签名的证书，而不必为诸如FTP服务器、web服务器、Nextcloud、OpenVPN服务器等web服务安装多个服务器证书。

我正在尝试创建一个CA证书，可以通过广域网分发给我的本地网络和朋友，这样当他们试图访问我的服务时，就可以安全地连接到。例如，与其为我所承载的每个服务提供几个证书，不如只给他们一个CA证书。

每个服务器证书都是由CA不经意地签名的，因此，通过在其机器上安装一个CA证书，这将自动验证服务器证书，因为它首先使用CA进行签名。对，是这样?

问题是，今天我试图将CA证书安装到我的Windows上，并尝试通过HTTPS访问我的OpenMediaVault GUI，但我仍然得到了一个不安全的警告屏幕。

下面的代码块显示了CA和服务器证书的整个创建过程。我将包括一个目录树的屏幕截图，这样你就可以看到所有的文件和文件夹。我还将包括配置文件的内容。

My指南

# Make OpenSSL Directory
mkdir ~/Desktop/OpenSSL

# Make Child Directories
mkdir -p ~/Desktop/OpenSSL/{ca,configs,"csr's",keys}

# Change Directory Into OpenSSL Directory
cd ~/Desktop/OpenSSL

# Create CA Certificate
openssl req -x509 -newkey rsa:4096 -keyout ca/cakey.pem -out ca/cacert.pem -days 3650 -sha256 -nodes -config configs/ca_openssl.cnf

# Create serial file
echo '01' > serial

# Create index.txt
touch index.txt

##
### Create server certificates ###
##

# OpenMediaVault
openssl genrsa -out keys/OpenMediaVault.pem 4096
openssl req -new -key keys/OpenMediaVault.pem -config configs/openmediavault_openssl.cnf -out "csr's"/OpenMediaVault.csr

# OpenWrt
openssl genrsa -out keys/OpenWrt.pem 4096
openssl req -new -key keys/OpenWrt.pem -config configs/openwrt_openssl.cnf -out "csr's"/OpenWrt.csr

##
### Sign Server Certificates With CA ###
##

# OpenMediaVault
openssl x509 -req -CA ca/cacert.pem -CAkey ca/cakey.pem -in "csr's"/OpenMediaVault.csr -out certificates/OpenMediaVault.crt -extfile configs/openmediavault_openssl.cnf -extensions v3_req -CAserial serial

# OpenWrt
openssl x509 -req -CA ca/cacert.pem -CAkey ca/cakey.pem -in "csr's"/OpenWrt.csr -out certificates/OpenWrt.crt -extfile configs/openwrt_openssl.cnf -extensions v3_req -CAserial serial

# Convert PEM to CRT
openssl x509 -outform der -in ca/cacert.pem -out "My Custom CA".crt

# Convert PEM to PKCS12
openssl pkcs12 -export -out certificate.pfx -inkey ca/cakey.pem -in ca/cacert.pem -certfile CACert.crt

'ca_openssl.cnf'

[ ca ]
default_ca    = CA_default        # The default ca section

[ CA_default ]
dir                   = ~/Desktop/"OpenSSL Certificates"
certs               = $dir/certs
crl_dir               = $dir/crl
database           = $dir/index.txt
new_certs_dir       = $dir/newcerts
certificate        = $dir/cacert.pem
serial             = $dir/serial
crlnumber          = $dir/crlnumber
cr                 = $dir/crl.pem
private_key        = $dir/private/cakey.pem

[ req ]

# Don't prompt for the Domanin Name (DN). Use configured values instead.
# This Saves having to type in your DN each time.

prompt              = no
string_mask         = default
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca

# The size of the key in bits
default_bits    = 4096

[ req_distinguished_name ]
countryName             = GB
stateOrProvinceName     = SOME_PROVINCE
localityName            = SOME_CITY
organizationName        = domain
organizationalUnitName  = domain
commonName              = domain Certificate Authority
emailAddress            = user@domain.com

[ v3_ca ]
# Extensions added to the request

basicConstraints = critical, CA:TRUE
keyUsage =         critical, keyCertSign, cRLSign

'openmediavault_openssl.cnf'

[ req ]

# Don't prompt for the Domanin Name (DN). Use configured values instead.
# This Saves having to type in your DN each time.

prompt              = no
string_mask         = default
distinguished_name  = req_distinguished_name
req_extensions      = v3_req

# The size of the key in bits
default_bits    = 4096

[ req_distinguished_name ]
countryName             = GB
stateOrProvinceName     = SOME_PROVINCE
localityName            = SOME_CITY
organizationName        = OpenMediaVault
organizationalUnitName  = OpenMediaVault
commonName              = OpenMediaVault.local

[ v3_req ]
# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternative_names

[ alternative_names ]
DNS.0   = domain.com
IP.0    = 192.168.1.123

'openwrt_openssl.cnf'

[ req ]
# Don't prompt for the Domanin Name (DN). Use configured values instead.
# This Saves having to type in your DN each time.

prompt              = no
string_mask         = default
distinguished_name  = req_distinguished_name
req_extensions      = v3_req

# The size of the key in bits
default_bits    = 4096

[ req_distinguished_name ]
countryName             = GB
stateOrProvinceName     = SOME_PROVINCE
localityName            = SOME_CITY
organizationName        = OpenWrt
organizationalUnitName  = OpenWrt
commonName              = OpenWrt.local

[ v3_req ]
# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alternative_names

[ alternative_names ]
DNS.0   = domain.com
IP.0    = 192.168.1.1

我安装了‘/OpenMediaVault.crt’目录中的'OpenMediaVault.pem‘和’/键‘目录中的’OpenMediaVault.pem‘。

“certificate.pfx”文件是“My”部分中最后一个命令的结果，并被导入到Windows中。我在火狐的认证选项中使用了“我的自定义CA.crt”文件。

我做错了什么？

非常感谢

将要

UPDATE 1

我想我已经找到了问题的原因。当我访问https://openmediavault.local (这是证书中设置的公共名称)时，我得到以下消息：“证书仅对以下名称有效：”屏幕上显示的两个名称(其中一个由于隐私原因模糊不清)是我添加的subjectAltNames。为什么可供选择的名称起作用，但CN不起作用？我从https://192.168.1.123访问它，我的火狐地址栏中有一个绿色挂锁。

UPDATE 2

为了让您知道，我在subjectAltName中添加了CN，一切都很完美。

作为一个与OpenSSL相关的附带问题，我现在希望做一些OpenVPN证书。OpenSSL制作的CA能签署我的OpenVPN证书吗？

Answer 1

是的，如果出现SAN (subject alternative name)扩展，浏览器将不再查看CN。这是在RFC 2818节3.1中指定的，Chrome大约在两年前(Chrome58)就开始执行了，而火狐三年前对公开颁发的证书(Firefox48)也是这样做的。我不知道Firefox是否还有私有CA的例外。(调试好自己的问题，顺便说一句！)

无论如何，您必须重新颁发您的证书，其中包含您想要在SubjectAltNames中使用的所有名称。