%2063%EC%9D%98%20%EB%A1%9C%EC%BB%AC%20SSL%20%EC%9D%B8%EC%A6%9D%EC%84%9C.png)
저도 비슷한 질문을 했어요여기앞으로. 그러나 제공된 솔루션이 작동을 멈췄습니다. 내 로컬 호스트에 대한 SSL 인증서를 얻으려고 합니다. 공식적으로 필요하지는 않습니다. 단지 내 로컬 컴퓨터에서 작업하면 됩니다.
저는 웹사이트를 개발하고 있으며 모든 로컬 사본은 domain.local 형식입니다.
Chrome에서는 *.local 인증서를 허용하지 않는 것으로 나타났습니다.
Chromium 63으로 업그레이드하기 전에는 다음 프로세스가 제대로 작동했습니다.
conf/caconfig.cnf
#..................................
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /home/*****/Sites/root-ca
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/certs/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3000
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
copy_extensions = copyall
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = *****
localityName_default = *****
stateOrProvinceName_default = *****
countryName_default = *****
emailAddress_default = *****
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = @alternate_names
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ alternate_names ]
DNS.1 = site1.local
DNS.2 = site2.local
DNS.3 = site3.local
DNS.4 = site4.local
인증 기관 만들기
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out certs/cacert.pem -days 3000 -config conf/caconfig.cnf
메시지가 표시되면
Common Name (hostname, IP, or your name) []:Jonathan Hodgson
요청 생성
openssl req -extensions v3_req -new -nodes -out local.req.pem -keyout private/local.key.pem -config conf/caconfig.cnf
메시지가 표시되면
Common Name (hostname, IP, or your name) []:*.local
서명 요청
openssl ca -out certs/local.cert.pem -config conf/caconfig.cnf -infiles local.req.pem
Apache 구성의 관련 부분
<VirtualHost *:443>
ServerName test.local
ServerAlias *.local
VirtualDocumentRoot /home/jonathan/Sites/%-2/public_html
CustomLog /home/jonathan/Sites/access.log vhost_combined
ErrorLog /home/jonathan/Sites/error.log
SSLEngine On
SSLCertificateFile /home/jonathan/Sites/root-ca/certs/local.cert.pem
SSLCertificateKeyFile /home/jonathan/Sites/root-ca/private/local.key.pem
</VirtualHost>
그런 다음 certs/cacert.pem해당 파일을 브라우저 인증서 관리자에 권한으로 가져왔습니다.
이는 Chrome 61 및 Firefox 55에서는 제대로 작동하지만 Chromium 63에서는 작동하지 않습니다. 확인할 수는 없지만 Chromium 62에서도 작동한다고 생각합니다. 이는 Chromium 63에서 변경되었음을 의미합니다.
흥미롭게도 개발 도구의 보안 패널은 인증서가 괜찮다는 것을 암시하는 것 같습니다.
편집하다: @garethTheRed의 요청에 따라
$ openssl x509 -noout -text -in certs/local.cert.pem
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Jonathan Hodgson Ltd, emailAddress = ########, L = #########, ST = #######, C = GB, CN = Jonathan Hodgson
Validity
Not Before: Sep 21 10:18:36 2017 GMT
Not After : Dec 8 10:18:36 2025 GMT
Subject: C = GB, ST = #######, O = Jonathan Hodgson Ltd, CN = *.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:2c:e0:9e:e2:3e:6b:d6:2d:37:ab:a3:92:96:
46:ee:7e:77:6c:4b:04:6b:7e:ba:5c:a5:d6:4b:03:
a2:6a:54:12:c9:ff:2a:dc:12:8b:ee:f6:16:7b:28:
f8:78:ec:df:7b:29:09:b9:01:56:d3:08:b7:5a:46:
fe:1f:70:13:63:47:3c:f6:fe:f1:f4:0e:16:b8:5d:
8e:72:fa:c8:c3:07:eb:9c:61:66:63:52:19:47:66:
ef:bb:99:f7:cb:21:c6:b8:f3:84:c2:65:49:d9:b5:
fb:1d:75:dd:8a:79:b1:f8:02:e1:59:ae:ce:b8:7a:
1b:54:7b:58:58:cb:f8:ab:bf:7f:97:b3:0c:8f:c2:
b0:ee:ee:24:5b:7a:9d:b0:9a:ed:c7:56:52:72:f1:
ac:d2:f5:06:3a:5e:07:f6:f0:12:70:bc:4d:4b:bb:
99:b7:81:b7:e8:58:f1:a1:4a:2e:41:ee:1b:a4:9e:
e0:a7:0b:51:d5:94:5d:54:36:83:bd:38:9d:1d:4d:
e2:d8:4d:b0:b1:df:2b:42:1d:71:46:94:77:4a:c3:
19:1e:04:3d:29:2c:0b:c3:96:aa:9f:a1:b9:5a:a8:
37:8d:8a:7c:71:32:64:c4:d3:85:d3:78:0e:f3:9c:
8f:05:d7:5a:03:1b:67:d6:42:3b:3f:0e:cc:95:f3:
2d:cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
5C:17:CD:7A:5D:9F:DC:01:DF:37:3E:7C:3D:61:50:CB:7D:0C:78:87
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:fellowship.local, DNS:magento-vanilla.local, DNS:dotjs.local, DNS:dotcss.local
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
4d:f2:7c:bf:68:72:63:ad:e8:82:d3:59:0b:28:4d:22:f9:a4:
a4:64:49:5e:f2:8a:29:09:21:2f:2e:c8:41:e9:8b:fb:52:ed:
b4:8d:38:22:ad:3b:fa:2d:6f:d6:71:90:2a:cf:a0:86:20:b9:
41:12:b2:e6:20:1b:88:a1:da:40:27:a0:89:a8:8e:51:38:ed:
16:ab:96:6b:15:bd:80:96:32:5c:e9:a3:42:88:22:b4:98:f6:
f1:07:0b:8c:35:44:36:65:f5:21:56:f8:68:22:3c:7e:49:c6:
8e:1d:da:28:7a:fa:e0:15:d2:69:a9:13:0f:e1:de:ee:3b:0f:
ef:b9:2e:09:49:af:88:ce:2f:c0:d2:79:7a:9c:7a:31:1d:34:
bc:af:70:9d:da:63:bc:10:c1:9e:12:4f:90:03:37:c4:ea:b4:
d6:f0:fc:c3:94:ac:95:e2:ab:bd:54:62:dd:cb:58:96:b2:92:
f9:7c:bc:21:e4:a4:a9:d0:70:83:62:b3:98:fd:20:e1:e5:37:
0b:95:3a:28:3d:41:17:03:47:c2:c1:f3:4a:59:da:eb:d8:55:
d6:a9:9b:83:e5:49:3d:23:92:91:98:14:2e:d5:06:55:d9:77:
90:48:21:ec:1b:9e:1b:84:85:36:ec:4f:86:50:de:fb:71:d9:
2a:06:9f:77
내 이메일과 위치를 #ed했습니다.
편집 2:
다음은 새 CN 및 일련 번호로 생성한 새 인증서입니다.
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Jonathan Hodgson Ltd, emailAddress = ##########, L = ######, ST = ######, C = #########, CN = JonathanHodgsonAuthority
Validity
Not Before: Sep 25 13:13:46 2017 GMT
Not After : Dec 12 13:13:46 2025 GMT
Subject: C = GB, ST = ########, O = Jonathan Hodgson Ltd, CN = MyNewCN
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ae:b3:b5:18:06:e5:91:05:90:80:57:6a:8d:78:
50:94:09:b6:73:e6:4c:4e:5f:8c:f0:e3:8e:5b:bb:
09:f7:4c:6d:c2:c4:4a:ba:bb:7d:c3:53:1c:98:98:
2a:ea:be:8a:7f:cd:de:58:d8:74:2b:c1:5c:a9:44:
24:17:49:7e:6a:87:8d:a0:55:f8:71:b3:93:e3:b2:
fe:5b:88:7a:2a:45:15:3e:eb:94:c7:a2:26:74:db:
9e:58:84:45:cc:db:f9:4b:51:22:25:c0:27:ca:47:
76:6e:05:a6:5b:6d:74:a2:92:0e:67:d4:5c:bf:08:
cf:78:d9:95:f2:55:d1:ec:d4:78:ff:02:64:16:b9:
79:44:06:39:4e:bb:d0:a2:9d:91:93:b5:43:68:39:
f2:22:f3:0a:b4:eb:5c:1b:d1:54:51:4f:ac:23:43:
08:66:8e:a3:57:8c:51:ab:12:ec:7d:32:de:1f:a8:
e1:d8:99:c6:b2:94:87:e0:7a:8e:80:75:fe:44:10:
e6:1c:86:dd:90:c9:1f:0e:2f:3f:3e:fb:af:c7:dc:
0a:60:d3:2c:78:a3:62:0f:9a:e6:91:12:bc:e3:1c:
77:a7:31:04:23:b3:82:11:3c:d4:cc:5e:ae:71:fd:
8f:7c:12:b5:88:33:92:f5:6b:71:6f:cb:0b:93:bd:
13:b1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
6E:66:B9:C8:57:03:81:E4:2D:99:7C:78:28:B1:E3:36:D4:4B:C5:76
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:fellowship.local, DNS:magento-vanilla.local, DNS:dotjs.local, DNS:dotcss.local
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
4d:73:39:76:88:5e:01:d5:80:8e:4e:b9:11:2d:99:6f:a5:6a:
f9:6f:1b:07:e4:7c:5e:ca:24:36:c0:55:bf:10:71:c8:57:0b:
16:67:97:75:80:ce:7b:f2:d7:38:6f:cd:d3:00:7d:5a:76:db:
7f:90:ad:12:47:8a:e6:4c:b0:16:cb:ab:be:89:4c:3f:6d:7d:
a0:72:a2:18:93:8a:1c:a8:b9:12:70:c8:b2:8d:81:49:61:62:
80:b1:04:c3:a2:de:22:d2:7f:2d:65:6e:1d:49:6a:65:7c:3f:
2f:8b:9f:5f:6d:1d:4b:c5:04:ad:37:c9:e4:c3:1b:5e:03:0e:
60:8b:6c:09:46:71:e1:02:b9:94:9c:14:87:94:aa:e0:93:05:
b9:df:f6:c2:99:b4:c8:62:c0:49:bb:97:dc:b9:a7:75:4e:55:
d8:06:49:07:2d:d4:7e:cf:be:89:63:f6:91:22:ca:e0:d5:65:
e4:73:88:0a:c1:d9:d5:a0:75:db:b3:41:d6:05:cb:62:7b:19:
01:de:62:d2:4d:7d:86:88:32:a8:8e:84:f6:96:6a:53:77:31:
7a:62:46:66:6a:7b:56:0e:89:77:0b:fb:e0:34:f3:ae:f2:08:
c5:81:ab:dd:3e:19:0a:59:eb:b2:44:e7:c8:f0:a5:30:a2:ae:
06:f3:e1:9e
답변1
귀하의 인증서가 버전 1 인증서이지만 확장 기능(확장 기능은 X.509 표준 버전 3에 도입됨)을 포함하기 때문에 이 메시지가 표시됩니다.
이것은 것 같다특징OpenSSL CA 명령. 인증서에 확장이 추가되었다고 생각되는 경우에만 버전을 3으로 설정합니다. 단지 copy_extensions = copyall(또는) 옵션을 사용하여 요청한 확장자를 인증서에 복사한다면 = copy, 생성된 인증서에 확장자가 있는지 발견하고 이를 버전 1로 표시할 수 없는 것 같습니다. 나는 제안했다오류 보고서이를 위해 (이것은안정적인몇 시간 안에! ).
적용된 패치로 OpenSSL을 다시 컴파일하거나, 이 문제를 해결하려면 구성 파일에 확장 섹션을 정의하되 해당 섹션에 확장을 정의하지 마세요. 이 섹션에 [ CA_defaults ]다음과 같이 줄을 추가합니다 .
x509_extensions = cert_ext
파일 맨 아래에 빈 cert_ext섹션을 정의합니다.
[ cert_ext ]
지금 생성하는 모든 인증서는 버전 3이 되며 Chrome 63에서는 문제가 발생하지 않습니다.
Chrome이 주체의 commonName 필드에서 호스트 이름 허용을 중단했기 때문에 버전 1 인증서(확장자 없음)로 다운그레이드할 수 없습니다(그렇습니다).예Chrome 버전 58부터 테마 대체 이름 확장자 없이 정의됩니다. 반면에 Firefox는 버전 1 인증서를 기꺼이 사용할 것입니다.