【Question title】: Trust chain working on Windows but not with Firefox and macOS
【Posted】: 2020-03-23 23:49:59
【Question】:

We have an intranet application running under Windows Server that has its own CA. The root (CA) certificate is installed on all clients (Windows and macOS). The existing server certificate no longer meets Apple's current requirements (e.g. the 2-year validity limit and the use of SANs).

For a new web service I am using the existing root certificate and private key to create a new server certificate with Bouncy Castle.

OK

Windows

Under Windows the new server certificate shows as valid and the certificate chain is complete.

All Windows-based clients work as expected.

OpenSSL

Verification with OpenSSL succeeds:

T:\>openssl.exe verify -CAfile ess2016-ess2016server-ca.cer ess2016server.cer
ess2016server.cer: OK

Not OK

Firefox

If I import the root certificate into Firefox under Windows, the server certificate shows as invalid (SEC_ERROR_UNKNOWN_ISSUER).

macOS

The new certificate is not accepted under macOS either (the root certificate is already in the keychain and trusted):

$ security verify-cert -p ssl -c ess2016server.cer
Cert Verify Result: CSSMERR_TP_NOT_TRUSTED

CSSMERR_TP_NOT_TRUSTED = the certificate could not be verified back to a root certificate.

Question

What am I doing wrong, or what am I missing on Firefox/macOS? Why is the chain broken?

Certificates

This is the root (CA) certificate: ess2016-ess2016server-ca

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            46:29:70:cb:8f:f1:1c:85:44:21:ba:4e:9c:72:8a:9b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ess2016-ESS2016SERVER-CA
        Validity
            Not Before: Oct 11 11:22:35 2016 GMT
            Not After : Oct  3 11:22:35 2056 GMT
        Subject: CN=ess2016-ESS2016SERVER-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:fc:42:3a:31:0e:db:df:9c:bd:84:24:5d:cb:
                    cd:39:75:c8:ac:33:a5:b1:55:1d:53:b1:d8:d6:f6:
                    79:e0:34:f8:38:91:1c:50:d4:85:81:9e:c6:b3:db:
                    12:13:7c:4a:dd:40:de:73:37:33:1d:bc:59:43:bf:
                    a9:31:c7:5b:f9:fe:85:cb:12:a5:2b:f0:0f:7a:7a:
                    10:ca:fd:16:8b:21:38:ae:41:23:2f:47:4f:5b:4f:
                    0d:1e:0c:5b:cc:a1:80:66:38:3a:c6:73:35:85:e9:
                    31:e0:ef:77:77:7e:3f:31:66:ed:06:6a:e8:74:dc:
                    7f:d8:d5:cf:16:27:1f:48:d2:54:80:f8:d1:69:21:
                    d9:e8:e7:3b:72:2e:39:dc:e4:f0:10:72:a8:e9:5f:
                    dc:e8:1b:0e:71:6e:93:40:34:90:35:c5:17:ea:73:
                    a3:ee:65:e4:f4:15:3a:ad:e8:71:60:37:10:05:e3:
                    ee:af:96:a4:2a:88:f3:36:6b:33:33:65:ca:c4:c5:
                    c9:b5:7c:bd:95:34:b5:e8:a7:a1:b3:97:55:4c:57:
                    5a:62:0d:6b:70:0e:07:06:57:51:fc:b1:aa:97:9a:
                    d6:00:c5:4b:bb:2d:65:77:da:e4:67:59:a6:65:e9:
                    c5:af:f1:ae:2e:99:d7:1f:eb:6e:b5:bf:5d:e0:0d:
                    4d:bd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                AF:6A:45:6F:23:44:85:18:A6:80:D1:66:59:67:6B:4B:12:76:33:5C
    Signature Algorithm: sha256WithRSAEncryption
         21:68:50:44:43:05:e8:b9:9c:9c:9f:90:da:19:c1:9d:20:d9:
         a8:4a:33:d9:37:84:bd:14:60:54:f8:91:16:1c:d4:e9:ca:5c:
         07:63:64:e5:bf:0c:b4:90:71:b3:63:15:bc:0f:65:6b:eb:27:
         2d:29:9c:b0:0d:fe:b2:1c:4b:61:c0:70:17:53:1e:2e:1d:93:
         e2:e8:ad:ae:ad:d1:ad:31:8b:51:bd:bb:bb:01:e0:96:bc:9a:
         2b:86:0f:b6:8d:50:d3:34:5b:7f:21:1b:46:30:f1:e8:59:b4:
         bb:69:6a:ec:fe:5e:ea:79:60:99:b0:88:30:59:68:4c:58:8a:
         82:d5:14:2d:63:1e:65:fb:c9:23:e9:4d:b9:d4:34:bb:7e:ca:
         1d:54:60:bc:07:55:c9:67:04:fb:66:85:4e:b3:3c:ef:0a:63:
         93:19:eb:72:cc:34:4d:d4:5c:9f:b9:3c:35:f1:51:19:b7:44:
         88:47:0c:91:9d:53:7d:26:ef:2c:78:c3:b7:e7:14:fe:1a:30:
         0e:db:d7:8f:85:29:fb:41:15:87:55:95:45:a8:90:28:06:43:
         d8:6b:76:42:7d:5d:c2:dd:57:a1:e6:f5:ff:d9:78:c3:55:2f:
         eb:42:40:dc:71:2d:94:4b:5e:95:1b:b0:d1:a6:cc:64:89:e4:
         5c:87:62:a9

This is the server certificate: ess2016server

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            39:79:81:5c:2f:ff:23:b1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ess2016-ESS2016SERVER-CA
        Validity
            Not Before: Nov 28 00:00:00 2019 GMT
            Not After : Feb 23 00:00:00 2022 GMT
        Subject: CN=ESS2016SERVER
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:80:b4:97:6a:f3:cb:c1:15:22:b9:46:4c:1a:
                    79:d3:19:b5:13:b3:e3:af:19:83:b5:dc:0e:50:ef:
                    2b:52:0a:e1:86:71:38:a3:36:ef:bb:22:9d:ce:7f:
                    71:5d:7c:92:1f:41:54:8f:62:ff:07:12:c5:c7:7f:
                    44:b1:92:5d:67:bd:72:1b:a2:e0:cd:36:ac:c5:c5:
                    52:f3:11:7b:5c:88:8d:e6:aa:bd:13:4a:9e:3e:49:
                    95:53:84:29:c7:13:8b:8b:f2:b9:00:94:de:85:e5:
                    53:c0:48:1f:01:37:c7:ee:11:91:9c:cf:e0:6f:9b:
                    01:9b:c1:ac:d0:0a:3c:d8:1c:04:72:43:1a:7c:f7:
                    d2:5f:58:4b:de:96:74:e5:27:70:33:66:3c:33:0c:
                    3d:a5:34:d5:a5:e0:4f:44:db:01:d5:ac:1d:67:91:
                    82:8e:82:69:2e:15:06:7c:0f:64:0c:f7:ae:7a:b1:
                    b2:bf:d4:02:d3:95:8b:70:50:28:a1:c5:4f:35:e8:
                    01:7e:9f:1f:15:24:01:3a:b0:3c:b7:b5:a7:b3:70:
                    42:4d:7c:b1:d1:3a:9a:0f:f3:2d:fb:cd:6e:a1:10:
                    ee:61:78:82:a2:7c:0c:36:63:85:b6:c4:16:31:fe:
                    01:7f:69:00:e1:b8:50:65:25:26:a4:5c:d5:a9:f5:
                    b4:1f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                7B:7E:35:03:B5:71:1C:15:29:0E:DA:70:88:F2:67:7D:8E:4A:9C:42
            X509v3 Subject Alternative Name: 
                DNS:ESS2016SERVER, DNS:ess2016server, DNS:ess2016server.ess2016.internal
            X509v3 Authority Key Identifier: 
                keyid:AF:6A:45:6F:23:44:85:18:A6:80:D1:66:59:67:6B:4B:12:76:33:5C

    Signature Algorithm: sha256WithRSAEncryption
         8f:b8:88:17:a4:3c:a3:d8:40:70:ee:a1:e1:39:c5:49:ee:db:
         92:3f:25:b5:9c:b7:9c:2b:94:c4:dc:2c:7e:7d:1e:5e:97:f6:
         3a:ff:9b:99:d6:74:5a:26:16:c3:33:fd:7f:6f:e3:b8:75:81:
         63:19:06:b7:0a:d7:76:9f:bc:03:72:ae:a7:5f:7d:2a:0e:33:
         34:db:18:49:7b:76:32:95:d8:00:71:a7:2f:06:e8:79:d3:5f:
         2a:53:a7:d0:d1:ea:c0:be:32:27:4f:4d:cb:ba:39:9f:b2:71:
         3b:32:7d:5c:a2:2d:81:99:ae:0b:70:af:69:e1:1b:e6:ad:71:
         89:ba:0b:9a:47:a7:28:1a:ba:5c:fb:f7:ce:09:f4:42:9f:48:
         08:27:c9:c0:99:64:84:d4:10:2b:7b:3c:d2:e0:c1:ee:86:f9:
         25:4e:1d:2c:54:4a:5d:46:54:b6:d8:8c:26:01:1f:50:bd:71:
         62:50:4b:bd:2e:84:92:11:a1:53:a2:c8:22:0a:44:d8:50:f2:
         b2:7d:42:c2:35:85:c9:02:1f:d9:91:72:ce:0b:b9:c6:42:1a:
         44:c0:d0:e5:e9:3c:f0:6c:63:ce:b4:d4:25:ef:c4:ef:d9:e2:
         b5:e7:68:a9:ed:30:b1:30:7e:79:dc:01:e0:c1:e1:00:4e:e1:
         d2:7b:8a:d4

【Question comments】:

    Tags: c# macos ssl-certificate bouncycastle x509


    【Answer 1】:

    I found the problem.

    In short: the string encoding of the issuer differs between the root certificate and the certificate.

    In detail: this article helped a lot https://frasertweedale.github.io/blog-redhat/posts/2018-03-15-x509-dn-attribute-encoding.html

    The important part of the article:

    This is confusing wording, but there are actually two requirements:

    1. The Issuer DN on a certificate must be byte-identical to the Subject DN of the CA that issued it.
    2. The attribute encoding in the CA's Subject DN must not change (e.g. when renewing the CA certificate).

    If a CA violates either of these requirements, breakage results. Programs that perform a binary DN comparison will fail to construct a certification path to the CA.

    Looking at the encoding of my two certificates gives the following:

    T:\ess2016>f:\openssl\openssl.exe x509 -in ess2016server-lo.cer -outform der | f:\openssl\openssl.exe asn1parse -inform der -i
        0:d=0  hl=4 l= 808 cons: SEQUENCE
        4:d=1  hl=4 l= 528 cons:  SEQUENCE
        8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
       10:d=3  hl=2 l=   1 prim:    INTEGER           :02
       13:d=2  hl=2 l=  19 prim:   INTEGER           :05FA8D8E0E4FEC91F2832BA6817FB54966D986
       34:d=2  hl=2 l=  13 cons:   SEQUENCE
       36:d=3  hl=2 l=   9 prim:    OBJECT            :sha256WithRSAEncryption
       47:d=3  hl=2 l=   0 prim:    NULL
       49:d=2  hl=2 l=  35 cons:   SEQUENCE
       51:d=3  hl=2 l=  33 cons:    SET
       53:d=4  hl=2 l=  31 cons:     SEQUENCE
       55:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
       60:d=5  hl=2 l=  24 prim:      **UTF8STRING**        :ess2016-ESS2016SERVER-CA
    

    The encoding here is UTF8STRING

    T:\ess2016>f:\openssl\openssl.exe x509 -in root-ca.pem -outform der | f:\openssl\openssl.exe asn1parse -inform der -i
        0:d=0  hl=4 l= 788 cons: SEQUENCE
        4:d=1  hl=4 l= 508 cons:  SEQUENCE
        8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
       10:d=3  hl=2 l=   1 prim:    INTEGER           :02
       13:d=2  hl=2 l=  16 prim:   INTEGER           :462970CB8FF11C854421BA4E9C728A9B
       31:d=2  hl=2 l=  13 cons:   SEQUENCE
       33:d=3  hl=2 l=   9 prim:    OBJECT            :sha256WithRSAEncryption
       44:d=3  hl=2 l=   0 prim:    NULL
       46:d=2  hl=2 l=  35 cons:   SEQUENCE
       48:d=3  hl=2 l=  33 cons:    SET
       50:d=4  hl=2 l=  31 cons:     SEQUENCE
       52:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
       57:d=5  hl=2 l=  24 prim:      PRINTABLESTRING   :ess2016-ESS2016SERVER-CA
       83:d=2  hl=2 l=  32 cons:   SEQUENCE
       85:d=3  hl=2 l=  13 prim:    UTCTIME           :161011112235Z
      100:d=3  hl=2 l=  15 prim:    GENERALIZEDTIME   :20561003112235Z
      117:d=2  hl=2 l=  35 cons:   SEQUENCE
      119:d=3  hl=2 l=  33 cons:    SET
      121:d=4  hl=2 l=  31 cons:     SEQUENCE
      123:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
      128:d=5  hl=2 l=  24 prim:      **PRINTABLESTRING**   :ess2016-ESS2016SERVER-CA
    

    Here it is PRINTABLESTRING

    【Discussion】:
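The mismatch the answer found, reproduced as an added example (not code from the question or answer): it DER-encodes the same CN text once as PrintableString (as in the root's Subject above) and once as UTF8String (as in the leaf's Issuer), decodes the string tag of each attribute the way `asn1parse` displays it, and compares the two Names byte for byte as a strict path builder does. The TLV helpers are minimal and written for this example; the constructed Names match the 37-byte SEQUENCE seen in the asn1parse output.

```python
# Added example: show why a UTF8String issuer does not match a PrintableString
# CA subject under binary DN comparison (RFC 5280 path building).
OID_CN = bytes.fromhex("550403")          # id-at-commonName, OID 2.5.4.3
TAG_UTF8, TAG_PRINTABLE = 0x0C, 0x13
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String",
               0x14: "TeletexString", 0x1E: "BMPString"}

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; short and two-byte long length forms are enough here."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def encode_cn_name(cn: str, string_tag: int) -> bytes:
    """Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue), with a single CN."""
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(string_tag, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))

def iter_tlv(data: bytes):
    """Yield (tag, value) for the consecutive DER TLVs contained in data."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:                      # short length form
            n, i = first, i + 2
        else:                                 # long form: first & 0x7F length bytes
            nbytes = first & 0x7F
            n = int.from_bytes(data[i + 2:i + 2 + nbytes], "big")
            i += 2 + nbytes
        yield tag, data[i:i + n]
        i += n

def describe_name(name_der: bytes):
    """Return [(oid_hex, string_type, text)] for every attribute in a DER Name."""
    out = []
    _, rdn_sequence = next(iter_tlv(name_der))
    for _, rdn in iter_tlv(rdn_sequence):     # each RDN is a SET
        for _, atv in iter_tlv(rdn):          # each AttributeTypeAndValue is a SEQUENCE
            (_, oid), (vtag, value) = list(iter_tlv(atv))[:2]
            out.append((oid.hex(), STRING_TAGS.get(vtag, hex(vtag)), value.decode("utf-8")))
    return out

def issuer_matches_ca_subject(leaf_issuer_der: bytes, ca_subject_der: bytes) -> bool:
    """Strict path builders compare the encoded Names; equal text is not enough."""
    return leaf_issuer_der == ca_subject_der

CN = "ess2016-ESS2016SERVER-CA"                  # CN from the certificates above
CA_SUBJECT = encode_cn_name(CN, TAG_PRINTABLE)   # root's Subject: PRINTABLESTRING
LEAF_ISSUER = encode_cn_name(CN, TAG_UTF8)       # leaf's Issuer: UTF8STRING
```

The fix on the issuing side is to copy the CA certificate's encoded Subject into the new certificate's Issuer unchanged rather than re-encoding it from a string.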
