Apa yang menyebabkan peringatan pada kendala dasar sertifikat?

8

Saya membuat sertifikat server yang ditandatangani sendiri menggunakan req -x509perintah OpenSSL dan file CONF. File CONF ditunjukkan di bawah ini.

Ketika saya memeriksa sertifikat menggunakan penampil sertifikat Microsoft, itu menunjukkan peringatan aktif basicConstraints(perhatikan titik seru kecil):

masukkan deskripsi gambar di sini

File CONF menggunakan berikut ini untuk membangun basicConstraints:

basicConstraints = critical,CA:FALSE

Menurut RFC 5280 , pathLenseharusnya hanya ada jika CA:TRUEdan keyCertSignada. Sertifikat server tidak memenuhi kedua kondisi (plus, pengujian dengan pathLenmenghasilkan peringatan yang sama).

Mengapa alat sertifikat Microsoft menyala basicConstraints? Apa yang salah dengannya atau apa yang harus saya lakukan untuk memperbaikinya?


# Self Signed (note the addition of -x509):
#     openssl req -config example.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example.key.pem -days 365 -out example.cert.pem

# Self Signed with existing key (note the addition of -x509):
#     openssl req -config example.conf -new -x509 -sha256 -key example.key.pem -days 365 -out example.cert.pem

# Signing Request (note the lack of -x509):
#     openssl req -config example.conf -new -newkey rsa:2048 -nodes -keyout example.key.pem -days 365 -out example.req.pem

# Signing Request with existing key (note the lack of -x509):
#     openssl req -config example.conf -new -key example.key.pem -days 365 -out example.req.pem

# Print it:
#     openssl x509 -in example.cert.pem -text -noout
#     openssl req -in example.req.pem -text -noout

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
#   Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = US

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = MD

localityName            = Locality Name (eg, city)
localityName_default        = Baltimore

organizationName         = Organization Name (eg, company)
organizationName_default    =

# Use a friendly name here because its presented to the user. The server's DNS
#   names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
#   by both IETF and CA/Browser Forums.
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = Example, LLC

emailAddress            = Email Address
emailAddress_default        = [email protected]

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer

basicConstraints        = critical,CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
extendedKeyUsage    = serverAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier        = hash

basicConstraints        = critical,CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
extendedKeyUsage    = serverAuth

[ alternate_names ]

DNS.1       = example.com
DNS.2       = www.example.com
DNS.3       = mail.example.com
DNS.4       = ftp.example.com

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
# DNS.5       = localhost
# DNS.6       = localhost.localdomain
# DNS.7       = 127.0.0.1

# IPv6 localhost
# DNS.8     = ::1
jww
sumber

Jawaban:

6

Segitiga kuning kecil dengan tanda seru ada di sana untuk memberi tahu Anda bahwa ekstensi ditandai sebagai kritis. Untuk menghilangkan ikon, hapus kata kerja 'kritis' dari konfigurasi OpenSSL.

Juga, tidak ada persyaratan untuk menandai sertifikat entitas akhir dengan kendala dasar di mana cAboolean disetel ke false karena hal ini tersirat dalam semua sertifikat yang tidak disetel ke true. Itu bukan pelanggaran untuk memilikinya di sana; tapi itu tidak dibutuhkan.

garethTheRed
sumber