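Which certificate fields should I look at when OpenSSL generates invalid_purpose?
I am generating certificates with OpenSSL.
First I generate a master certificate, then a client certificate. Now, when I try to connect to the server, it generates Invalid_Purpose.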
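There is an extension, keyUsage.
It specifies what the certificate can be used for. Note that some programs do not use this field.
From the X509 documentation: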
X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
the supplied certificate cannot be used for the specified purpose.
The man page x509v3_config(5) lists the possible values for this parameter, and also for another one named extendedKeyUsage:
Key Usage.
Key usage is a multi valued extension consisting of a list of names of
the permitted key usages.
The supported names are: digitalSignature, nonRepudiation,
keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign,
encipherOnly and decipherOnly.
Examples:
keyUsage=digitalSignature, nonRepudiation
keyUsage=critical, keyCertSign
Extended Key Usage.
This extension consists of a list of usages indicating purposes for
which the certificate public key can be used.
These can either be object short names or the dotted numerical form of
OIDs. While any OID can be used only certain values make sense. In
particular the following PKIX, NS and MS values are meaningful:
Value              Meaning
-----              -------
serverAuth         SSL/TLS Web Server Authentication.
clientAuth         SSL/TLS Web Client Authentication.
codeSigning        Code signing.
emailProtection    E-mail Protection (S/MIME).
timeStamping       Trusted Timestamping
msCodeInd          Microsoft Individual Code Signing (authenticode)
msCodeCom          Microsoft Commercial Code Signing (authenticode)
msCTLSign          Microsoft Trust List Signing
msSGC              Microsoft Server Gated Crypto
msEFS              Microsoft Encrypted File System
nsSGC              Netscape Server Gated Crypto
Examples:
extendedKeyUsage=critical,codeSigning,1.2.3.4
extendedKeyUsage=nsSGC,msSGC
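At the nuts-and-bolts level, the values you used in openssl.cnf probably have some other usage, such as email. That is why they are not valid for the server connection you are trying to create.
Check the contents of your openssl.cnf, and look at the samples provided in the OpenSSL source code to see what is likely to work with a stock TLS web server connecting to conventional web browsers.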
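The mismatch both answers describe can be reproduced with the openssl command line. The script below is an added example, not from the original posts: it builds a throwaway CA, issues one leaf with extendedKeyUsage=emailProtection and one with clientAuth, and checks each with openssl verify -purpose. All file names, subject names and the ca_ext section name are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file here is made up for the example.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$work/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

make_ca() {
  openssl req -x509 -config "$work/demo.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
}

# issue_leaf NAME EKU: sign a leaf whose extendedKeyUsage is exactly EKU.
issue_leaf() {
  printf '%s\n' "basicConstraints = CA:FALSE" \
    "keyUsage = critical, digitalSignature, keyEncipherment" \
    "extendedKeyUsage = $2" > "$work/$1.ext"
  openssl req -new -config "$work/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -set_serial 1 -days 1 -extfile "$work/$1.ext" -out "$work/$1.pem" 2>/dev/null
}

# purpose_result NAME PURPOSE: print "ok", or "invalid_purpose" for error 26.
purpose_result() {
  out=$(openssl verify -CAfile "$work/ca.pem" -purpose "$2" "$work/$1.pem" 2>&1) || true
  case "$out" in
    *"error 26"*) echo invalid_purpose ;;
    *": OK"*)     echo ok ;;
    *)            echo "other: $out" ;;
  esac
}
make_ca
issue_leaf email emailProtection
issue_leaf client clientAuth
for leaf in email client; do
  echo "$leaf as sslclient: $(purpose_result "$leaf" sslclient)"
done
```

To see which usages an existing certificate carries, `openssl x509 -in cert.pem -noout -text` prints its X509v3 Key Usage and Extended Key Usage fields, and `openssl x509 -in cert.pem -noout -purpose` lists how OpenSSL evaluates each purpose.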