在 FireFox 上使用自签名证书获取 MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
Get MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY with Self-Signed Certificate on FireFox
我在尝试使用我通过以下命令行创建的证书时遇到主题错误:
openssl.exe req -x509 -nodes -sha256 -days 3650 -subj "/CN=mysite.local" -newkey rsa:2048 -keyout mysite.local.key -out mysite.local.crt
我在此站点上发现了另一个引用相同错误的问题:
Looks like that certificate has a basicConstraints extension with the value cA: TRUE. We stopped allowing CA certificates to act as end-entity certificates. That certificate should be regenerated without the basicConstraints extension. This is also explained at https://wiki.mozilla.org/SecurityEngineering/x509Certs
我遵循了引用的 link 并尝试按照自签名证书下的说明进行操作。第 1 步奏效了。第 2 步出现错误:忽略 -days;未生成证书。
我在 Windows 10 Pro,使用 OpenSSL 1.1.1f 2020 年 3 月 31 日。我没有在网络上的任何地方找到任何关于该错误的参考。有什么想法吗?
关于来自 OP 的评论:“我正在尝试设置 HTTPS 以便在网络上不同计算机上的前端和后端 API 服务器之间进行通信。这就是我尝试生成自签名证书的原因。是否有更标准的方法来解决这个问题?
您可以使用下面的脚本创建一个证书,将其导入 API 服务器上的受信任根存储,并配置给定端口上的流量以使用该证书进行加密(我认为是 SSL。 ..).然后,从证书管理 GUI(管理计算机证书)中,您可以导出刚刚创建的证书并将其导入前端服务器。
编辑以反映 OP 对管道输出问题的评论。
param(
[string] $certPass,
[string] $portForTraffic,
[string] $dnsName = '<HOST>.<DOMAIN>.<DOMAIN_SUFFIX>', # <== ex: server.contoso.com
[int] $certValidForDays = 365
)
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop";
#Requires -Version 5.0
[string] $certStoreLocation = 'Cert:\LocalMachine'
function CreateSelfSignedCert(
[Parameter(Mandatory=$true)]
[string] $dnsName,
[Parameter(Mandatory=$false)]
[string] $storeLocation = $certStoreLocation,
[Parameter(Mandatory=$false)]
[int] $certValidDays = $certValidForDays
){
$certificate = New-SelfSignedCertificate `
-DnsName $dnsName `
-CertStoreLocation "$storeLocation\My" `
-NotAfter $((Get-Date).AddDays($certValidDays)) `
-Verbose
$certThumbPrint = $certificate.Thumbprint
$returnObj = [PSCustomObject] @{
ThumbPrint = $certThumbPrint;
}
return $returnObj;
}
function ExportCert(
[Parameter(Mandatory=$true)]
[string] $certThumbPrint,
[Parameter(Mandatory=$true)]
[string] $certPass,
[Parameter(Mandatory=$true)]
[string] $workDir,
[Parameter(Mandatory=$false)]
[string] $storeLocation = $certStoreLocation
){
$certificatePath = "$storeLocation\My$certThumbPrint"
$secureString = ConvertTo-SecureString -String $certPass -Force -AsPlainText
$tempDir = "$workDir\pfx_temp"
$pfxFilePath = "$tempDir\temp.pfx"
if( (Test-Path -Path $tempDir) -eq $false ){
New-Item -ItemType Directory -Path $tempDir -Verbose | Out-Null
}
# ...so export it...
$fileInfo = Export-PfxCertificate `
-FilePath $pfxFilePath `
-Cert $certificatePath `
-Password $secureString `
-Verbose
Write-Host "$fileInfo"
return $pfxFilePath
}
function ImportCertToRoot(
[Parameter(Mandatory=$true)]
[string] $pfxPath,
[Parameter(Mandatory=$true)]
[string] $certPass,
[Parameter(Mandatory=$false)]
[string] $storeLocation = $certStoreLocation
) {
$secureString = ConvertTo-SecureString -String $certPass -Force -AsPlainText
Write-Host "Attempting to import cert from: $pfxPath"
Import-PfxCertificate `
-FilePath $pfxPath `
-CertStoreLocation "$storeLocation\Root" `
-Password $secureString `
-Verbose | Out-Null
Remove-Item -Path $pfxPath -Force -Verbose
}
function ConfigureSslForPortOnHost(
[Parameter(Mandatory=$true)]
[string] $port,
[Parameter(Mandatory=$true)]
[string] $certThumbPrint
) {
Write-Host -ForegroundColor Yellow "Attempting to add ssl rule using NETSH. Using cert with thumbprint: $($certThumbPrint)"
Invoke-Expression "netsh http delete sslcert ipport=0.0.0.0:$port"
Invoke-Expression "netsh http add sslcert ipport=0.0.0.0:$port appid='{214124cd-d05b-4309-9af9-9caa44b2b74a}' certhash=$($certThumbPrint)"
}
# Create a self-signed cert
$cert = CreateSelfSignedCert -dnsName $dnsName
# Export the cert so we can later import it to the root store
$pfxPath = ExportCert -certThumbPrint $cert.ThumbPrint -certPass $certPass -workDir $PSScriptRoot
# Import cert to trusted root
ImportCertToRoot -pfxPath $pfxPath -certPass $certPass
# Ensure HTTP traffic to specified port on API server is encrypted
ConfigureSslForPortOnHost -port $portForTraffic -certThumbPrint $cert.ThumbPrint
我在尝试使用我通过以下命令行创建的证书时遇到主题错误:
openssl.exe req -x509 -nodes -sha256 -days 3650 -subj "/CN=mysite.local" -newkey rsa:2048 -keyout mysite.local.key -out mysite.local.crt
我在此站点上发现了另一个引用相同错误的问题:
Looks like that certificate has a basicConstraints extension with the value cA: TRUE. We stopped allowing CA certificates to act as end-entity certificates. That certificate should be regenerated without the basicConstraints extension. This is also explained at https://wiki.mozilla.org/SecurityEngineering/x509Certs
我遵循了引用的 link 并尝试按照自签名证书下的说明进行操作。第 1 步奏效了。第 2 步出现错误:忽略 -days;未生成证书。
我在 Windows 10 Pro,使用 OpenSSL 1.1.1f 2020 年 3 月 31 日。我没有在网络上的任何地方找到任何关于该错误的参考。有什么想法吗?
关于来自 OP 的评论:“我正在尝试设置 HTTPS 以便在网络上不同计算机上的前端和后端 API 服务器之间进行通信。这就是我尝试生成自签名证书的原因。是否有更标准的方法来解决这个问题?
您可以使用下面的脚本创建一个证书,将其导入 API 服务器上的受信任根存储,并配置给定端口上的流量以使用该证书进行加密(我认为是 SSL。 ..).然后,从证书管理 GUI(管理计算机证书)中,您可以导出刚刚创建的证书并将其导入前端服务器。
编辑以反映 OP 对管道输出问题的评论。
param(
[string] $certPass,
[string] $portForTraffic,
[string] $dnsName = '<HOST>.<DOMAIN>.<DOMAIN_SUFFIX>', # <== ex: server.contoso.com
[int] $certValidForDays = 365
)
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop";
#Requires -Version 5.0
[string] $certStoreLocation = 'Cert:\LocalMachine'
function CreateSelfSignedCert(
[Parameter(Mandatory=$true)]
[string] $dnsName,
[Parameter(Mandatory=$false)]
[string] $storeLocation = $certStoreLocation,
[Parameter(Mandatory=$false)]
[int] $certValidDays = $certValidForDays
){
$certificate = New-SelfSignedCertificate `
-DnsName $dnsName `
-CertStoreLocation "$storeLocation\My" `
-NotAfter $((Get-Date).AddDays($certValidDays)) `
-Verbose
$certThumbPrint = $certificate.Thumbprint
$returnObj = [PSCustomObject] @{
ThumbPrint = $certThumbPrint;
}
return $returnObj;
}
function ExportCert(
[Parameter(Mandatory=$true)]
[string] $certThumbPrint,
[Parameter(Mandatory=$true)]
[string] $certPass,
[Parameter(Mandatory=$true)]
[string] $workDir,
[Parameter(Mandatory=$false)]
[string] $storeLocation = $certStoreLocation
){
$certificatePath = "$storeLocation\My$certThumbPrint"
$secureString = ConvertTo-SecureString -String $certPass -Force -AsPlainText
$tempDir = "$workDir\pfx_temp"
$pfxFilePath = "$tempDir\temp.pfx"
if( (Test-Path -Path $tempDir) -eq $false ){
New-Item -ItemType Directory -Path $tempDir -Verbose | Out-Null
}
# ...so export it...
$fileInfo = Export-PfxCertificate `
-FilePath $pfxFilePath `
-Cert $certificatePath `
-Password $secureString `
-Verbose
Write-Host "$fileInfo"
return $pfxFilePath
}
function ImportCertToRoot(
[Parameter(Mandatory=$true)]
[string] $pfxPath,
[Parameter(Mandatory=$true)]
[string] $certPass,
[Parameter(Mandatory=$false)]
[string] $storeLocation = $certStoreLocation
) {
$secureString = ConvertTo-SecureString -String $certPass -Force -AsPlainText
Write-Host "Attempting to import cert from: $pfxPath"
Import-PfxCertificate `
-FilePath $pfxPath `
-CertStoreLocation "$storeLocation\Root" `
-Password $secureString `
-Verbose | Out-Null
Remove-Item -Path $pfxPath -Force -Verbose
}
function ConfigureSslForPortOnHost(
[Parameter(Mandatory=$true)]
[string] $port,
[Parameter(Mandatory=$true)]
[string] $certThumbPrint
) {
Write-Host -ForegroundColor Yellow "Attempting to add ssl rule using NETSH. Using cert with thumbprint: $($certThumbPrint)"
Invoke-Expression "netsh http delete sslcert ipport=0.0.0.0:$port"
Invoke-Expression "netsh http add sslcert ipport=0.0.0.0:$port appid='{214124cd-d05b-4309-9af9-9caa44b2b74a}' certhash=$($certThumbPrint)"
}
# Create a self-signed cert
$cert = CreateSelfSignedCert -dnsName $dnsName
# Export the cert so we can later import it to the root store
$pfxPath = ExportCert -certThumbPrint $cert.ThumbPrint -certPass $certPass -workDir $PSScriptRoot
# Import cert to trusted root
ImportCertToRoot -pfxPath $pfxPath -certPass $certPass
# Ensure HTTP traffic to specified port on API server is encrypted
ConfigureSslForPortOnHost -port $portForTraffic -certThumbPrint $cert.ThumbPrint