Updated: 2022-06-10 05:14:51
CA root certificate

A CA certificate must include the basicConstraints value with the CA field set to TRUE. An end user certificate must either set CA to FALSE or exclude the extension entirely. Some software may require the inclusion of basicConstraints with CA set to FALSE for end entity certificates.

This is done through the basic constraints standard extension. To check whether your root cert has the CA attribute set, run

openssl x509 -text -noout -in ca.crt

and look for CA:True in the output. Note that OpenSSL will actually let you sign other certs with a non-CA root cert (or at least used to) but verification of such certs will fail (because the CA check will fail).

With your config file, simply including -extensions v3_ca in the command to generate the root cert should suffice:

openssl req -new -x509 -extensions v3_ca -days 3000 -key ca.key -out ca.crt -config ca.conf
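The check and the failure mode described above, reproduced end to end as an added example (not part of the original answer). The ca.conf contents, the not_ca section, the subject names and the good.crt/bad.crt file names are assumptions constructed for the demonstration, since the page does not show the asker's config file.

```shell
#!/bin/sh
# Added example: throwaway keys and certificates built in a temp directory.

# is_ca CERT: succeed only if the cert carries basicConstraints with CA set.
# OpenSSL prints the flag in upper case (CA:TRUE), so match case-insensitively.
is_ca() {
    openssl x509 -text -noout -in "$1" | grep -qi 'CA:TRUE'
}

# make_root OUT SECTION: self-signed root using the named extension section.
make_root() {
    openssl req -new -x509 -extensions "$2" -days 30 -key ca.key \
        -out "$1" -subj "/CN=Example Root" -config ca.conf 2>/dev/null
}

# chain_ok ROOT: sign a leaf with ROOT, then verify the leaf against ROOT.
chain_ok() {
    openssl x509 -req -in leaf.csr -CA "$1" -CAkey ca.key -CAcreateserial \
        -days 30 -out leaf.crt 2>/dev/null || return 2
    openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1
}

# setup_demo: write the constructed config, one key, one CSR and two roots.
setup_demo() {
    DEMO_DIR=$(mktemp -d) && cd "$DEMO_DIR" || return 1
    cat > ca.conf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[not_ca]
basicConstraints = CA:FALSE
EOF
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example" -config ca.conf 2>/dev/null
    make_root good.crt v3_ca
    make_root bad.crt not_ca
}

setup_demo || exit 1
for root in good.crt bad.crt; do
    is_ca "$root" && flag="CA:TRUE" || flag="not a CA"
    chain_ok "$root" && result="verifies" || result="fails verification"
    echo "$root: $flag; leaf signed by it $result"
done
```

Both roots sign the leaf without complaint; only the chain under the CA:TRUE root passes openssl verify.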