OpenSSL: build your own CA and issue self-signed SSL certificates

Tutorials on building your own CA and self-signing certificates are easy to find on the Internet, but after generating the certificates myself and importing the CA certificate into the client, Chrome always showed the following error on every visit:
NET::ERR_CERT_COMMON_NAME_INVALID
This server could not prove that it is domain.com; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.
I kept assuming this was just Chrome's security checks being too strict, since Firefox and IE did not show the problem, but later I found that the self-signed certificate itself was defective.

First, install dependencies

Issuing certificates with OpenSSL naturally requires the openssl program and library. Under normal circumstances CentOS, Ubuntu and similar systems ship them already; run the openssl executable to confirm. If you get `openssl: command not found`, it is not installed and you need to install it manually. On CentOS, for example, the installation command is:

[root@CA ~]# yum install openssl openssl-devel -y

Modify the configuration file openssl.cnf

[root@CA ~]# vim /etc/pki/tls/openssl.cnf
dir=/etc/pki/CA

Create the related files

[root@CA ~]# cd /etc/pki/CA
[root@CA ~]# mkdir certs newcerts crl
[root@CA ~]# touch index.txt
[root@CA ~]# echo 01 > serial

openssl.cnf contains many useful settings, such as the defaults used when generating a certificate request file (csr): countryName_default (default country), stateOrProvinceName_default (default province), localityName_default (default city), and so on. Setting them in the file saves typing in the later self-signing steps; modify them as needed.

Second, build the CA

2.1 Generate the root key

[root@CA ~]# (umask 077; openssl genrsa -out private/cakey.pem 2048)

2.2 Generate the root CA certificate

[root@CA ~]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3650

With that, the CA server is essentially complete.

Third, issue certificates

3.1 Create a certificate request

# first generate a key pair for the website
[root@web ~]# (umask 077; openssl genrsa -out http.key 2048 )
# generate the certificate signing request (.csr)
[root@web ~]# openssl req -new -key http.key -out http.csr
# send this request file (http.csr) to the CA server

3.2 Extensions (additional uses)

This resolves the NET::ERR_CERT_COMMON_NAME_INVALID error, where Chrome refuses to accept the certificate's common name.

[root@CA ~]# vim http.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName

[ SubjectAlternativeName ]
IP.1=192.168.1.1
IP.2=192.168.1.2

This step is where issuing a certificate for an IP address differs from issuing one for a domain name (and where this tutorial differs from others). Without changing openssl.cnf (which keeps it convenient to issue different kinds of certificates), if the certificate is to be issued for an IP address you must perform this step using the format above.

If you prefer to issue certificates by modifying openssl.cnf instead, then besides putting the configuration above directly into the appropriate place in openssl.cnf, you must also change basicConstraints = CA:FALSE to basicConstraints = CA:TRUE, otherwise the changes will not take effect; other tutorials do not mention this.

If the certificate is for a domain name, you can likewise add multiple domain names here, for example:

[root@CA ~]# vim http.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName

[ SubjectAlternativeName ]
DNS.1=test.com
DNS.2=www.test.com

extendedKeyUsage specifies the purposes the certificate may be used for. The common values are:
serverAuth: proves the identity of a remote computer (TLS server)
clientAuth: proves your identity to a remote computer (TLS client)
codeSigning: ensures software comes from its publisher and protects it against modification after release
emailProtection: protects e-mail messages
timeStamping: allows data to be signed with the current time
If not specified, the default policy allows all uses.

3.3 Issue the certificate

The CA signs this server certificate:

[root@CA ~]# openssl ca -in http.csr -out http.crt -days [number]
or
[root@CA ~]# openssl x509 -req -days 365 -in http.csr -signkey http.key -out http.crt
or (the contents of http.ext must be defined beforehand; with this command Chrome does not report an error)
[root@CA ~]# openssl x509 -req -in http.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out http.crt -days 3650 -sha256 -extfile http.ext

The CA server then sends the signed certificate back to the client.

NOTE: for users to access the site afterwards, import cakey.pem into the browser or the system; after that the domain's certificate is accepted normally again.
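The CA build (section 2) and the certificate issue (section 3) as one non-interactive script, added here as an example; it is not code from the original post. It works in a directory of your choosing instead of /etc/pki/CA, uses -subj and -batch so that nothing prompts, and puts the DNS and IP entries from the post's two http.ext files into a single one (test.com, www.test.com and 192.168.1.1 are the post's own sample values). The line basicConstraints = CA:FALSE in the extension file and the subject names are my additions. verify_name and verify_ip are also additions: they use openssl verify to run the same check Chrome does, namely whether the requested host or IP appears in the certificate's SAN and the chain leads to cacert.pem.

```shell
#!/bin/sh
# Added example: CA build and certificate issue from this post as one script.
# Everything is created under the directory given as $1 (a temporary one is
# fine), not under /etc/pki/CA. Subjects and names here are constructed.

# build_pki DIR -- create the CA and an issued server certificate under DIR
build_pki() {
    dir=$1
    mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts" "$dir/crl"
    touch "$dir/index.txt"
    echo 01 > "$dir/serial"

    # 2.1 root key, readable only by the CA user (umask 077)
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)

    # 2.2 self-signed root certificate; basicConstraints CA:TRUE comes from the
    #     v3_ca section of the system openssl.cnf. -subj/-batch replace prompts.
    openssl req -x509 -new -batch -sha256 -days 3650 \
        -key "$dir/private/cakey.pem" \
        -subj "/C=CN/O=Example/CN=Example Root CA" \
        -out "$dir/cacert.pem" 2>/dev/null

    # 3.1 server key and certificate request (in a real deployment this runs
    #     on the web host and only http.csr travels to the CA)
    (umask 077; openssl genrsa -out "$dir/http.key" 2048 2>/dev/null)
    openssl req -new -batch -key "$dir/http.key" \
        -subj "/C=CN/O=Example/CN=www.test.com" \
        -out "$dir/http.csr" 2>/dev/null

    # 3.2 extension file. Chrome matches the requested host against the SAN
    #     list and ignores CN, so every name and IP the site answers on goes
    #     here. CA:FALSE (added to the post's http.ext) marks a leaf cert.
    cat > "$dir/http.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName

[ SubjectAlternativeName ]
DNS.1 = test.com
DNS.2 = www.test.com
IP.1 = 192.168.1.1
EOF

    # 3.3 the CA signs the request and attaches the extensions from http.ext
    #     (the third signing variant in the post)
    openssl x509 -req -sha256 -days 3650 -CAcreateserial \
        -in "$dir/http.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" \
        -extfile "$dir/http.ext" \
        -out "$dir/http.crt" 2>/dev/null
}

# verify_name DIR HOST -- succeeds only if http.crt chains to cacert.pem AND
# HOST appears in its SAN; this is the check behind ERR_CERT_COMMON_NAME_INVALID
verify_name() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/http.crt" >/dev/null 2>&1
}

# verify_ip DIR IP -- the same check for an IP.n entry in the SAN
verify_ip() {
    openssl verify -CAfile "$1/cacert.pem" -verify_ip "$2" \
        "$1/http.crt" >/dev/null 2>&1
}

# show_san DIR -- print the SAN the CA actually put into http.crt
show_san() {
    openssl x509 -in "$1/http.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

# demo -- build into a temporary directory and report what a browser would see
demo() {
    d=$(mktemp -d)
    build_pki "$d"
    show_san "$d"
    verify_name "$d" www.test.com && echo "www.test.com: trusted and name matches"
    verify_name "$d" mail.test.com || echo "mail.test.com: rejected (not in SAN)"
    rm -rf "$d"
}
```

Run `demo` (or `sh -c '. ./pki.sh; demo'` if the block is saved as pki.sh) to see the SAN line and the accept/reject results. Two things worth keeping in mind when following the post: clients only need cacert.pem in their trust store, and the CA private key cakey.pem should never leave the CA machine; and of the three signing commands in 3.3, the one using -signkey http.key produces a certificate signed by the server's own key, which chains to no CA and therefore stays untrusted even after cacert.pem is imported, so only the CA-signed variant with -extfile gives the result described above.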

Fourth, troubleshooting

1. Problem: TXT_DB error number 2
Solution: a certificate with the same subject name has already been issued. Either set a different common name, or edit index.txt.attr under the CA directory and change unique_subject = yes to unique_subject = no.
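To see the duplicate-subject failure and the index.txt.attr fix in action, here is an added example (not code from the post) that runs `openssl ca` against a throwaway CA directory. It writes a minimal ca.cnf of its own, because `openssl ca` needs the [ ca ] section that the post configures through /etc/pki/tls/openssl.cnf; the directory layout (index.txt, serial, newcerts, private/cakey.pem, cacert.pem) mirrors the post. The exact wording of the rejection differs between OpenSSL versions ("There is already a certificate for ..." on recent releases, "TXT_DB error number 2" on older ones), but the non-zero exit status and the fix are the same.

```shell
#!/bin/sh
# Added example: reproduce the duplicate-subject rejection of `openssl ca`
# and the unique_subject = no fix. All paths and subjects are constructed.

# setup_ca DIR -- minimal CA database, root certificate and ca.cnf under DIR
setup_ca() {
    dir=$1
    mkdir -p "$dir/private" "$dir/newcerts"
    touch "$dir/index.txt"
    echo 01 > "$dir/serial"
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -x509 -new -batch -sha256 -days 3650 \
        -key "$dir/private/cakey.pem" -subj "/CN=Example Root CA" \
        -out "$dir/cacert.pem" 2>/dev/null

    # minimal configuration for `openssl ca`; the dir= line is the same edit
    # the post makes in openssl.cnf. \$dir is left for OpenSSL to expand.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = usr_cert

[ policy_any ]
commonName = supplied

[ usr_cert ]
basicConstraints = CA:FALSE
EOF
}

# issue DIR CN BASENAME -- key + CSR for common name CN, then `openssl ca`
# signs it into DIR/BASENAME.crt; exit status is that of `openssl ca`
issue() {
    dir=$1; cn=$2; base=$3
    openssl genrsa -out "$dir/$base.key" 2048 2>/dev/null
    openssl req -new -batch -key "$dir/$base.key" -subj "/CN=$cn" \
        -out "$dir/$base.csr" 2>/dev/null
    openssl ca -batch -config "$dir/ca.cnf" \
        -in "$dir/$base.csr" -out "$dir/$base.crt" >/dev/null 2>&1
}

# allow_duplicate_subjects DIR -- the fix from the post: unique_subject = no
# in index.txt.attr (openssl ca writes this file with "yes" on its first run)
allow_duplicate_subjects() {
    echo "unique_subject = no" > "$1/index.txt.attr"
}

# demo -- issue, re-issue the same CN (fails), apply the fix, re-issue (works)
demo() {
    d=$(mktemp -d)
    setup_ca "$d"
    issue "$d" www.test.com first  && echo "first issue: ok"
    issue "$d" www.test.com second || echo "second issue: rejected, same subject"
    allow_duplicate_subjects "$d"
    issue "$d" www.test.com third  && echo "third issue after fix: ok"
    rm -rf "$d"
}
```

Renewing a certificate for the same host is the usual reason to hit this; the alternative to relaxing unique_subject is to revoke the old entry first (`openssl ca -revoke`), which keeps the database's one-valid-certificate-per-subject rule intact.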


Source: www.cnblogs.com/will-space/p/11913744.html