videos reproduce lento gratis espaƱol actualizar acerca linux ssl openssl x509

linux - reproduce - Certificado con Extended Key Usage solo funciona en Firefox



facebook mozilla firefox gratis (1)

Traté de generar un certificado de auto-firma en mi servidor para múltiples dominios. Utilicé OpenSL basándose en la extensión v3_req. Utilicé esta línea de comando para generar certificados con dominio múltiple y uso de claves extendidas:

openssl x509 -req -days 3650 -in san_domain_com.csr -signkey san_domain_com.key -out san_domain_com.crt -extensions v3_req -extensions mysection -extfile openssl.cnf

Como resultado, mi certificado contiene el dominio múltiple, pero no el uso de claves extendido para serverauth y la orientación de la red, también mi sitio web solo es accesible desde Firefox. ¿Alguien tiene idea sobre esto? Gracias

Mi archivo openssl.conf se estructuró de esta manera:

# # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # # This definition stops the following lines choking if HOME isn''t # defined. HOME = . RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: # extensions = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) [ new_oids ] # We can add new OIDs in here for use by ''ca'' and ''req''. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 streetAddress = 2.5.4.9 postalCode = 2.5.4.17 POBox = 2.5.4.18 #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = ./demoCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha1 # which md to use preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the ''anything'' policy # At this point in time, you must list all acceptable ''object'' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 2048 default_keyfile = privkey.pem default_md = sha1 distinguished_name = req_distinguished_name req_extensions = v3_req #attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings # so use this option with caution! string_mask = nombstr # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Nom du pays (code ISO a 2 lettres) countryName_default = FR countryName_min = 2 countryName_max = 2 stateOrProvinceName = Nom du departement stateOrProvinceName_default = Alpes Maritimes stateOrProvinceName_max = 64 localityName = Nom de la ville localityName_default = Nice localityName_max = 64 organizationName = Raison Sociale (nom officiel de l organisation) organizationName_default = Michel Durand SA organizationName_max = 64 # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Nom commercial, service, ou texte libre (optionnel) organizationalUnitName_default = Fourni par TBS internet organizationalUnitName_max = 64 commonName = Adresse du site a securiser (FQDN de votre site) commonName_default = www.monsitessl.fr commonName_max = 64 # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] # These extensions are added when ''ca'' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape''s comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = abc.bce.com DNS.2 = abc.bced.com DNS.3 = abc.bced.com [ mysection ] keyUsage = digitalSignature extendedKeyUsage = codeSigning [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign # Some might want this also # nsCertType = sslCA, emailCA # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details # issuerAltName=issuer:copy # DER hex encoding of an extension: beware experts only! # obj=DER:02:03 # Where ''obj'' is a standard or added object # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always


¿Alguien tiene idea sobre esto?

El navegador participa en el foro CA / Browsers. La otra parte son las CA públicas. Algunos los llaman "el cártel". Los navegadores tienen un modelo de seguridad denominado "modelo de seguridad del navegador" o el "modelo de seguridad de la aplicación web". En este modelo de seguridad, se utiliza una colección de punto de anclaje confiable predefinido.

El cártel espera que los certificados de entidad final (servidor) sean firmados por una CA pública en la tienda de confianza que los navegadores lleven consigo. Hay una renuncia de mano con "carry-around" porque Chromium utiliza la tienda de confianza del sistema operativo.

Supongo que probablemente no instaló el certificado autofirmado correctamente para los otros navegadores que está probando.

No nos mostró el certificado que le está causando problemas, por lo que solo podemos especular si está bien formado o es válido. Pero intentaré responder a su pregunta sobre Uso de clave y Uso de clave extendida.

Mi archivo openssl.conf estaba estructurado así ...

[ mysection ] keyUsage = digitalSignature extendedKeyUsage = codeSigning

Esta es una combinación extraña. ¿Lo estás usando? Si es así, ¿por qué lo estás usando? (Sería útil si publicaste tu certificado).

A continuación se muestran algunos greps de certificados de Google, Microsoft y Yahoo. Sus certificados de servidor no incluyen la firma de código, e incluyen algún uso adicional.

$ openssl s_client -connect www.google.com:443 | openssl x509 -text -noout | grep -A 1 -i key ... X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication -- X509v3 Subject Key Identifier: 30:11:ED:AE:FE:C3:60:32:1D:CF:9C:B7:4B:B4:E3:DD:2D:1D:FC:40 -- X509v3 Authority Key Identifier: keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F $ openssl s_client -connect www.microsoft.com:443 | openssl x509 -text -noout | grep -A 1 -i key ... X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication -- X509v3 Subject Key Identifier: 2B:DB:4A:3F:90:02:48:9E:0F:89:21:E2:EB:4A:73:1E:E0:0F:85:6B -- X509v3 Authority Key Identifier: keyid:EB:DB:11:5E:F8:09:9E:D8:D6:62:9C:FD:62:9D:E3:84:4A:28:E1:27 $ openssl s_client -connect www.yahoo.com:443 | openssl x509 -text -noout | grep -A 1 -i key ... X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication -- X509v3 Authority Key Identifier: keyid:0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5

Certificado con Extended Key Usage solo funciona en Firefox ...

De acuerdo con RFC 5280 , Extended Key Usage es opcional. El otro estándar son los requisitos básicos de CA / foros del navegador , y es la política utilizada por la mayoría de las autoridades públicas para emitir certificados. No puedo decir lo que dice el CA / B BR con respecto a los certificados de entidad final porque es muy confuso.

Uso clave

En primer lugar, el uso de la clave para los certificados RSA suele ser digitalSignature y keyEncipherment .

Si tiene un certificado con parámetros Diffie-Hellman, entonces usaría keyAgreement . Nunca he visto firmas con Diffie-Hellman (creo que es la firma de ElGamal), así que no creo que un cert con los parámetros de Diffie-Hellman deba incluir digitalSignature .

No debe usar dataEncipherment porque no quiere hacer un cifrado masivo con la clave; en su lugar, solo desea transportar una clave que se utiliza para el cifrado masivo (vis-à-vis keyEncipherment ).

Y no nonRepudiation no significa nada, así que no lo use.

Uso extendido de clave

Segundo, el estado de los RFC (en la Sección 4.2.1.12): "[EKU] indica uno o más propósitos para los cuales se puede usar la clave pública certificada, además o en lugar de los propósitos básicos indicados en la extensión de uso de la clave" . Según los requisitos básicos de CA / foros de navegador , creo que el uso de clave extendida es opcional para los certificados de entidad final. Solo puedo decir "Creo" porque el Apéndice (B) (3) (G) es confuso. Sin embargo, estoy bastante seguro de que EKU es obligatorio para los certificados de CA subordinados.

Debido a que trato el uso de teclas extendidas como un atributo opcional, generalmente lo omito. Si fuera a incluirlo, usaría serverAuth y posiblemente clientAuth (deberían ser mutuamente excluyentes, pero a menudo los veo a ambos en un certificado).

Archivo de configuración

Aquí está el archivo CONF que utilizo para generar certificados autofirmados para las pruebas. Es mínimo y no incluye las secciones adicionales del archivo de configuración de OpenSSL. Nunca he tenido un problema con esto en bibliotecas o navegadores.

Deberá descomentar # extendedKeyUsage = serverAuth, clientAuth y modificarlo según su gusto.

# Self Signed (note the addition of -x509): # openssl req -config example-com.conf -new -x509 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem # Signing Request (note the lack of -x509): # openssl req -config example-com.conf -new -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.req.pem # Print it: # openssl x509 -in example-com.cert.pem -text -noout # openssl req -in example-com.req.pem -text -noout [ req ] default_bits = 2048 default_keyfile = server-key.pem distinguished_name = subject req_extensions = req_ext x509_extensions = x509_ext string_mask = utf8only # The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description). # Its sort of a mashup. For example, RFC 4514 does not provide emailAddress. [ subject ] countryName = Country Name (2 letter code) countryName_default = US stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = NY localityName = Locality Name (eg, city) localityName_default = New York organizationName = Organization Name (eg, company) organizationName_default = Example, LLC # Use a friendly name here because its presented to the user. The server''s DNS # names are placed in Subject Alternate Names. Plus, DNS names here is deprecated # by both IETF and CA/Browser Forums. commonName = Common Name (e.g. server FQDN or YOUR name) commonName_default = Example Company emailAddress = Email Address emailAddress_default = [email protected] # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ... [ x509_ext ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused # extendedKeyUsage = serverAuth, clientAuth # Section req_ext is used when generating a certificate signing request. I.e., openssl req ... [ req_ext ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused # extendedKeyUsage = serverAuth, clientAuth [ alternate_names ] DNS.1 = example.com DNS.2 = www.example.com DNS.3 = mail.example.com DNS.4 = ftp.example.com # Add these if you need them. But usually you don''t want them or # need them in production. You may need them for development. # DNS.5 = localhost # DNS.6 = localhost.localdomain # DNS.7 = 127.0.0.1 # IPv6 localhost # DNS.8 = ::1 # DNS.9 = fe80::1