Importing a self-signed CA certificate into the Chrome browser so that the connection is recognized as secure

The test domain name is www.huawei.com. First generate the certificates the service will use: the service certificate, the CA certificates, the private keys and so on.

Steps:
1. Extract the CA certificate chain to the Windows environment.

CAChainCert.pem in the parent directory is the CA certificate chain; it contains RootCA.pem, L2CACert.pem, L3CACert.pem and so on.

The openssl command can be used to verify the service certificate and the universal certificate against the CA chain:
SZX1000398961:/home/crt/rsa_crt # openssl verify -CAfile ../CAChainCert.pem ServiceDomainCert.pem
ServiceDomainCert.pem: OK
SZX1000398961:/home/crt/rsa_crt # openssl verify -CAfile ../CAChainCert.pem UniversalCert.pem
UniversalCert.pem: OK

2. Convert the root certificate, the level-2 CA certificate and the level-3 CA certificate into the ".crt" file format that Windows recognizes.

Double-click each .crt certificate in turn, click "Install Certificate", click "Next", select "Trusted Root Certification Authorities" as the certificate store, and click OK to finish importing the certificate.

3. Deploy the HTTPS service using the generated service certificate or universal certificate.

In the Linux environment, use curl to send an HTTPS request and check whether CA certificate verification passes.
Test request URL: curl --cacert CAChainCert.pem -v "https://www.huawei.com/test"
If verification fails, curl reports an error such as "SSL certificate problem: unable to get local issuer certificate".
If verification passes, the request is served normally.

To access the test domain in the Chrome browser, first map the test domain to the server IP in C:\Windows\System32\drivers\etc\hosts.
If CA certificate verification passes, Chrome shows that the connection is secure.

Summary of problems:
1. The issuing certificate cannot be found, or the certificate is not within its validity period.

Solution: click through to view the certificate at each level and confirm that the imported certificates are correct.

2. Chrome warns that the connection is not secure and reports "NET::ERR_CERT_COMMON_NAME_INVALID".

Solution:
See https://support.google.com/chrome/a/answer/7391219?hl=zh-Hans
This is probably because newer Chrome versions no longer validate the domain against the certificate's Common Name, and instead validate it against the Subject Alternative Name.
The universal certificate UniversalCert.pem can be used instead of the service certificate ServiceDomainCert.pem to provide the HTTPS service.
The test domain, for example *.huawei.com, must be added to the SAN section of the universal certificate.

The SAN section can be inspected with the openssl command: openssl x509 -in UniversalCert.pem -noout -text

3. Chrome warns that the connection is not secure and reports "NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM".

Solution:
This is probably because newer Chrome versions consider the SHA-1 signature algorithm used for the certificate insecure; SHA-256 should be used instead.
Modify the openssl signing command and add the -sha256 parameter so that the certificate is signed with SHA-256.
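The script below is an added example and not code from the original post. It covers step 1 (verifying a certificate against the concatenated chain with openssl verify) and problems 2 and 3 (a certificate with no SAN versus one whose SAN carries *.huawei.com, and checking that the signature algorithm is SHA-256). It builds a throwaway two-level CA (RootCA.pem and L2CACert.pem, the post's third level is omitted), issues ServiceDomainCert.pem (CN only) and UniversalCert.pem (with SAN) for the post's test domain, and then runs the checks. It assumes a POSIX sh and OpenSSL 1.1.1 or newer on PATH; the subjects, keys, extension lists and temporary directory are constructed for the example, only the file names follow the post.

```shell
#!/bin/sh
# Added example (not the post's code): builds a throwaway two-level CA,
# issues two leaf certificates for www.huawei.com, and runs the checks the
# post relies on: openssl verify against CAChainCert.pem, SAN presence
# (Chrome ignores the Common Name), and the signature algorithm (-sha256).
# Assumes POSIX sh and OpenSSL >= 1.1.1. All keys here are throwaway.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the script does not depend on the system openssl.cnf.
write_req_conf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1" > "$WORK/$2.cnf"
}

# issue NAME CN EXTENSIONS ISSUER  (ISSUER empty = self-signed root)
# Every certificate is signed with -sha256, the fix for problem 3.
issue() {
    name=$1; cn=$2; ext=$3; issuer=$4
    write_req_conf "$cn" "$name"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    printf '%b\n' "$ext" > "$WORK/$name.ext"
    if [ -z "$issuer" ]; then
        openssl x509 -req -sha256 -days 3650 -in "$WORK/$name.csr" \
            -signkey "$WORK/$name.key" -extfile "$WORK/$name.ext" \
            -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -sha256 -days 825 -in "$WORK/$name.csr" \
            -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

build_pki() {
    issue RootCA "Test Root CA" \
        'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash' ""
    issue L2CACert "Test L2 CA" \
        'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid' RootCA
    leaf='basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nauthorityKeyIdentifier=keyid'
    # CN-only service certificate: openssl verify accepts it, Chrome does not
    # (problem 2, NET::ERR_CERT_COMMON_NAME_INVALID).
    issue ServiceDomainCert www.huawei.com "$leaf" L2CACert
    # Universal certificate with the test domain in the SAN: the post's fix.
    issue UniversalCert huawei.com "$leaf"'\nsubjectAltName=DNS:*.huawei.com,DNS:huawei.com' L2CACert
    # The chain file used by openssl verify, curl --cacert and the Windows import.
    cat "$WORK/RootCA.pem" "$WORK/L2CACert.pem" > "$WORK/CAChainCert.pem"
}

# Same check as the post's `openssl verify -CAfile CAChainCert.pem <cert>`; prints OK or FAIL.
verify_against_chain() {
    if openssl verify -CAfile "$WORK/CAChainCert.pem" "$WORK/$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Prints the SAN entries of a certificate, or NONE when the extension is absent.
cert_san() {
    san=$(openssl x509 -in "$WORK/$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//')
    [ -n "$san" ] && echo "$san" || echo NONE
}

# Prints the signature algorithm, e.g. sha256WithRSAEncryption (sha1WithRSAEncryption is what Chrome rejects).
cert_sig_alg() {
    openssl x509 -in "$WORK/$1" -noout -text | grep -m1 'Signature Algorithm' | awk '{print $NF}'
}

build_pki
for c in ServiceDomainCert.pem UniversalCert.pem; do
    printf '%-22s verify=%s  sigalg=%s  SAN=%s\n' "$c" \
        "$(verify_against_chain "$c")" "$(cert_sig_alg "$c")" "$(cert_san "$c")"
done
```

Both leaf certificates pass openssl verify, which is why step 1 alone does not catch problem 2: the chain check says nothing about the name. The SAN and signature-algorithm lines are the two things to read off `openssl x509 -noout -text` before deploying a certificate that Chrome has to accept.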

After the above two problems are solved, the correct certificate should look as follows:


Source: www.cnblogs.com/linyihan/p/11234102.html