iis - IIS 的个人 CA 签名证书给出 "This Certificate is not valid for the selected purpose"错误-6ren

iis - IIS 的个人 CA 签名证书给出 "This Certificate is not valid for the selected purpose"错误

转载作者：太空宇宙更新时间：2023-11-03 12:46:26

我使用 OpenSSL 创建了一个 CA，并用它为我的本地主机签署证书，并在我的本地主机 preview-localhost 上创建了一个辅助 DNS 条目。我已将 CA 证书安装到我机器上的受信任的根证书中，并将我的本地主机证书添加到 IIS。当我查看签名的本地主机证书时，我看到以下错误:

Signed localhost certificate Signed localhost path

已安装的 CA 证书表示它适用于其查看器上的所有颁发和应用策略。我已经包含了来自 OpenSSL 的两个证书的输出。我已将任何敏感(和一些不敏感的信息)替换为<描述文字>.

CA证书

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        <Serial Number
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Validity
        Not Before: Apr 27 16:17:41 2015 GMT
        Not After : Apr 24 16:17:41 2025 GMT
    Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                <Modulus>
            Exponent: <Exponent>
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            <Subject Key Identifier>
        X509v3 Authority Key Identifier:
            keyid:<keyid>
        X509v3 Basic Constraints:
            CA:TRUE
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:preview-localhost
Signature Algorithm: sha256WithRSAEncryption
     <Signature>

本地主机证书

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        <Some Serial Number>
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Validity
        Not Before: Apr 27 18:09:18 2015 GMT
        Not After : Apr 26 18:09:18 2016 GMT
    Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
CN=localhost/emailAddress=<Email Address>
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)
            Modulus:
                <Modulus>
            Exponent: <Exponent>
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            <SKI>
        X509v3 Authority Key Identifier:
            keyid:<KEY ID>

        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:preview-localhost
Signature Algorithm: sha256WithRSAEncryption
     <Signature>

任何帮助弄清楚为什么我的本地主机证书不能遵循通往 CA 的路径的帮助将不胜感激。谢谢!

最佳答案

创建 CA 时，您可能需要在 openssl.cnf 的 X509_extensions 部分指定以下 keyUsage:

keyUsage = keyCertSign, cRLSign

为澄清起见，您的配置文件应包含以下内容:

[ CA_default]
...
x509_extensions = ca_extensions
...
[ ca_extensions ]
keyUsage = keyCertSign, cRLSign
...

参见 How do you sign Certificate Signing Request with your Certification Authority?以获得对该过程的非常详细的解释。

关于iis - IIS 的个人 CA 签名证书给出 "This Certificate is not valid for the selected purpose"错误，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/29907106/

文章推荐： c# - 保证并行线程/任务/任何东西的立即启动

文章推荐： c# - 如何自定义MessageBox提示？

文章推荐： c# - 以正确的顺序循环遍历 groupBox 控件

文章推荐： c# - Task.Factory.StartNew 未调用该方法

太空宇宙

个人简介

我是一名优秀的程序员,十分优秀！

作者热门文章

滴滴打车优惠券免费领取

全站热门文章

首页

博学

6Ren·AI

商城

iis - IIS 的个人 CA 签名证书给出 "This Certificate is not valid for the selected purpose"错误