Invalid CA certificate with a self-signed certificate chain

Updated: 2022-06-10 05:14:51

CA root certificate

A CA certificate must include the basicConstraints value with the CA field set to TRUE. An end user certificate must either set CA to FALSE or exclude the extension entirely. Some software may require the inclusion of basicConstraints with CA set to FALSE for end entity certificates.

This is done through the basic constraints standard extension. To check whether your root cert has the CA attribute set, run openssl x509 -text -noout -in ca.crt and look for CA:True in the output. Note that OpenSSL will actually let you sign other certs with a non-CA root cert (or at least used to) but verification of such certs will fail (because the CA check will fail).

With your config file, simply including -extensions v3_ca in the command to generate the root cert should suffice:

openssl req -new -x509 -extensions v3_ca -days 3000 -key ca.key -out ca.crt -config ca.conf
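As an added example that is not part of the original answer: a shell function that builds the same leaf chain twice, once under a self-signed root whose v3_ca section sets basicConstraints CA:TRUE and once with CA:FALSE, and then runs openssl verify to show that signing succeeds in both cases but only the CA:TRUE chain validates. The config contents, file names and subject names are constructed for this demonstration.

```shell
#!/bin/sh
# Added demonstration: same leaf, two self-signed roots (CA:TRUE vs CA:FALSE).
# OpenSSL signs with both, but "openssl verify" only accepts the CA:TRUE chain.
# All file names, subjects and config contents are constructed for this example.
set -eu

# make_chain TRUE|FALSE  -> returns 0 if "openssl verify" accepts the leaf
make_chain() {
  ca_flag="$1"
  dir="$(mktemp -d)"
  # Minimal config; [v3_ca] is the section that "-extensions v3_ca" selects.
  cat > "$dir/ca.conf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Root $ca_flag
[v3_ca]
basicConstraints = critical, CA:$ca_flag
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key" 2>/dev/null
  # Self-signed root, same command shape as the answer; the config supplies the extensions.
  openssl req -new -x509 -extensions v3_ca -days 3000 -key "$dir/ca.key" \
    -out "$dir/ca.crt" -config "$dir/ca.conf"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/leaf.key" 2>/dev/null
  openssl req -new -key "$dir/leaf.key" -subj "/CN=leaf.example" \
    -out "$dir/leaf.csr" -config "$dir/ca.conf"
  # Signing succeeds whether or not the root is actually a CA ...
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/ca.conf" -extensions leaf_ext \
    -out "$dir/leaf.crt" 2>/dev/null
  # ... but chain validation checks basicConstraints on every issuer, the root included.
  if openssl verify -CAfile "$dir/ca.crt" "$dir/leaf.crt" >/dev/null 2>&1; then
    status=0
  else
    status=1
  fi
  rm -rf "$dir"
  return "$status"
}

make_chain TRUE && echo "CA:TRUE root: chain verifies"
make_chain FALSE || echo "CA:FALSE root: chain rejected (invalid CA certificate)"
```

Inspecting either root with openssl x509 -text -noout shows the CA:TRUE or CA:FALSE line the answer tells you to look for.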
