I am in charge of my organization's certificate program, and I am trying to comply with the new requirement that Google Chrome enforces for RFC 2818 (the Subject Alternative Name requirement in server certificates).
In my attempts I used EasyRSA (which uses OpenSSL) to generate my root CA and my server and user certificates. I successfully generated client certificates that are fully valid in the Windows MMC, but when Chrome prompts for a client certificate on accessing our website (configured to require a certificate),
These are the properties of the old, working certificate (shown in Chrome's prompt window), whose intended purposes in the MMC list view show as <All>:
This certificate is intended for the following purpose(s):
 * All application policies
Version: V3
Serial number: a1 ed ...
Signature algorithm: sha1RSA
Signature hash algorithm: sha1
Issuer: MyOrganization
Valid from: Sunday, June 23, 2013 3:35:55 PM
Valid to: Sunday, January 01, 2040 2:59:59 AM
Subject: My Name, [email protected]
Public key: RSA (1024 Bits)
Authority Key Identifier: KeyId=0f d9 ...
Thumbprint algorithm: sha1
Thumbprint: 40 11 ...
These are the properties of the certificate that is not shown, whose intended purpose in the MMC list view shows as "Client Authentication":
This certificate is intended for the following purpose(s):
 * Proves your identity to a remote computer
Version: V3
Serial number: 07
Signature algorithm: sha256RSA
Signature hash algorithm: sha256
Issuer: MyOrganization2
Valid from: Thursday, April 27, 2017 7:29:09 PM
Valid to: Sunday, April 25, 2027 7:29:09 PM
Subject: My Name
Public key: RSA (2048 Bits)
Basic Constraints: Subject Type=End Entity, Path Length Constraint=None
Subject Key Identifier: c6 cf ...
Authority Key Identifier: KeyId=0a 21 ...
Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
Key Usage: Digital Signature (80)
Thumbprint algorithm: sha1
Thumbprint: 0a 12 ...
I have exhausted my internet search capabilities on this issue; please help if you can. Alternatively, how can one create a valid certificate chain (CA, server, client) with OpenSSL (or EasyRSA) that complies with RFC 2818 and is accepted by Google Chrome (v.58)? Thanks!
EDIT
This is the output of running openssl s_client against my server:
CONNECTED(0000011C)
---
Certificate chain
 0 s:/C=IL/L=*****/O=*****/CN=www.*****.com
   i:/C=IL/O=*****/CN=***** Intermediate CA
 1 s:/C=IL/O=*****/CN=***** Intermediate CA
   i:/C=IL/L=*****/O=*****/CN=***** Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFhz...
-----END CERTIFICATE-----
subject=/C=IL/L=*****/O=*****/CN=www.*****.com
issuer=/C=IL/O=*****/CN=***** Intermediate CA
---
No client certificate CA names sent
---
SSL handshake has read 3006 bytes and written 401 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: B30B0...
    Session-ID-ctx:
    Master-Key: 3C40F...
    Key-Arg   : None
    Start Time: 1493541902
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
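Since the question asks how to build an RFC 2818-compliant chain with plain OpenSSL, here is an added example that is not the asker's EasyRSA setup: a minimal root CA, a server certificate carrying a subjectAltName, and a client certificate carrying the clientAuth EKU, followed by the checks a browser effectively applies. The organization name, the host names (www.example.test, example.test), the working directory and the extension section names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the asker's EasyRSA setup: a minimal OpenSSL-only
# CA -> server -> client chain. The server cert gets a subjectAltName
# (the RFC 2818 field Chrome 58 insists on) and the client cert gets the
# clientAuth EKU. All names and the working directory are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test, DNS:example.test
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF
gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Self-signed root CA, sha256 (a sha1RSA chain like the old one is rejected too).
gen_key ca.key
openssl req -x509 -new -key ca.key -sha256 -days 3650 -config ext.cnf \
  -extensions v3_ca -subj "/O=Example Org/CN=Example Root CA" -out ca.crt 2>/dev/null

# issue NAME SECTION SUBJECT: CSR plus CA signature. Extensions are applied
# from ext.cnf at signing time; a SAN present only in the CSR is not copied.
issue() {
  gen_key "$1.key"
  openssl req -new -key "$1.key" -config ext.cnf -subj "$3" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 825 -extfile ext.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
}
issue server v3_server "/O=Example Org/CN=www.example.test"
issue client v3_client "/O=Example Org/CN=My Name"

# The checks a browser effectively makes; each returns 0 on success.
chain_ok()   { openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1; }
has_san()    { openssl x509 -in "$1.crt" -noout -text | grep -q "DNS:www.example.test"; }
client_eku() { openssl x509 -in "$1.crt" -noout -text | grep -q "TLS Web Client Authentication"; }
```

Run `chain_ok server`, `has_san server` and `client_eku client` after the script; with a real deployment the same `openssl verify` should also be run against the chain the web server actually sends, since the s_client output above ends with verify return code 20.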