I have set up a private certificate authority (CA) with a 'Root CA' and an 'Intermediate CA' that signs the website certificates, and I have generated a certificate for my website.
I added my 'Root CA' to Firefox and Chromium. Neither browser validates the certificate chain (Firefox reports SEC_ERROR_CERT_NOT_IN_NAME_SPACE); however, openssl verify says the chain is OK.
I followed the instructions in Ivan Ristić's "OpenSSL Cookbook" when setting up this certificate authority (if that helps).
The root CA:
$ cat root-ca.crt.pem
certificate:
Data:
Version: 3 (0x2)
Serial Number:
14:91:ff:c0:24:c9:7f:5b:ae:26:0d:e8:5f:bd:5d:cc
Signature Algorithm: sha512WithRSAEncryption
Issuer: C=ME, O=OpSec, CN=Root CA
Validity
Not Before: Jun 19 13:46:50 2018 GMT
Not After : Jun 18 13:46:50 2028 GMT
Subject: C=ME, O=OpSec, CN=Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:be:ff:07:60:f1:04:1a:5b:6c:3f:4d:90:24:e3:
...
0f:07:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
B6:28:5C:B9:29:E0:18:05:A7:BD:5F:85:69:52:B2:F1:15:DA:5F:47
Signature Algorithm: sha512WithRSAEncryption
8b:8a:dc:8e:62:b3:71:0b:ed:74:7a:50:f3:11:81:19:06:9d:
...
db:15:e7:52:0b:16:46:74
-----BEGIN CERTIFICATE-----
MIIFKjCCAxKgAwIBAgIQFJH/wCTJf1uuJg3oX71dzDANBgkqhkiG9w0BAQ0FADAv
...
pu054FZ6DpQKWUK6JhmlsSrtpB+iLdsV51ILFkZ0
-----END CERTIFICATE-----
The intermediate / sub CA:
$ cat www-sub-ca.crt.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
14:91:ff:c0:24:c9:7f:5b:ae:26:0d:e8:5f:bd:5d:d0
Signature Algorithm: sha512WithRSAEncryption
Issuer: C=ME, O=OpSec, CN=Root CA
Validity
Not Before: Jul 2 15:45:21 2018 GMT
Not After : Jul 1 15:45:21 2028 GMT
Subject: C=ME, O=OpSec, CN=WWW Sub CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:f3:fa:a6:60:04:d0:2d:3a:12:9a:d5:f1:a0:77:
...
cd:a4:47
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://root-ca.saltycybernaut.net/root-ca.crt
OCSP - URI:http://ocsp.root-ca.saltycybernaut.net:9080
X509v3 Authority Key Identifier:
keyid:B6:28:5C:B9:29:E0:18:05:A7:BD:5F:85:69:52:B2:F1:15:DA:5F:47
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 CRL Distribution Points:
Full Name:
URI:http://root-ca.saltycybernaut.net/root-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Name Constraints:
Permitted:
DNS:saltycybernaut.net
Excluded:
IP:0.0.0.0/0.0.0.0
IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
X509v3 Subject Key Identifier:
04:1D:DD:EF:DF:0B:D8:F8:5D:80:9B:93:63:60:07:F3:EB:4A:D7:17
Signature Algorithm: sha512WithRSAEncryption
4b:0c:c6:60:38:b8:ba:48:44:83:b8:5d:98:69:5a:41:92:3f:
...
1f:1c:80:cb:f4:1c:e1:ff
-----BEGIN CERTIFICATE-----
MIIGjjCCBHagAwIBAgIQFJH/wCTJf1uuJg3oX71d0DANBgkqhkiG9w0BAQ0FADAv
...
4f8=
-----END CERTIFICATE-----
The website certificate:
$ cat website.crt.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
25:31:18:97:4b:ab:09:b2:7b:40:d9:8c:d4:47:0c:8f
Signature Algorithm: sha512WithRSAEncryption
Issuer: C=ME, O=OpSec, CN=WWW Sub CA
Validity
Not Before: Jul 2 15:48:29 2018 GMT
Not After : Jul 2 15:48:29 2019 GMT
Subject: C=ME, O=OpSec, OU=Website Division, CN=faraday.saltycybernaut.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:cb:ef:7f:75:56:a0:ff:59:75:44:cb:5d:0c:da:
...
51:cd:19
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://www-sub-ca.saltycybernaut.net/www-sub-ca.crt
OCSP - URI:http://ocsp.www-sub-ca.saltycybernaut.net:9081
X509v3 Authority Key Identifier:
keyid:04:1D:DD:EF:DF:0B:D8:F8:5D:80:9B:93:63:60:07:F3:EB:4A:D7:17
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://www-sub-ca.saltycybernaut.net/www-sub-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
D5:A2:F6:6A:75:19:36:F9:9B:DE:85:99:02:E1:25:1F:B7:63:52:18
X509v3 Subject Alternative Name:
DNS:faraday.saltycybernaut.net, IP Address:10.8.1.1
Signature Algorithm: sha512WithRSAEncryption
8b:d4:b6:73:48:ca:9c:8f:4c:26:e0:74:10:2d:e1:4e:f3:e9:
...
29:5a:36:7d:f9:68:63:c7
-----BEGIN CERTIFICATE-----
MIIGnTCCBIWgAwIBAgIQJTEYl0urCbJ7QNmM1EcMjzANBgkqhkiG9w0BAQ0FADAy
HxR+hl3vUFbAKVo2ffloY8c=
-----END CERTIFICATE-----
The full chain that the website serves to connecting clients:
$ cat fullchain.crt.pem
-----BEGIN CERTIFICATE-----
MIIFKjCCAxKgAwIBAgIQFJH/wCTJf1uuJg3oX71dzDANBgkqhkiG9w0BAQ0FADAv
MQswCQYDVQQGEwJNRTEOMAwGA1UECgwFT3BTZWMxEDAOBgNVBAMMB1Jvb3QgQ0Ew
HhcNMTgwNjE5MTM0NjUwWhcNMjgwNjE4MTM0NjUwWjAvMQswCQYDVQQGEwJNRTEO
MAwGA1UECgwFT3BTZWMxEDAOBgNVBAMMB1Jvb3QgQ0EwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQC+/wdg8QQaW2w/TZAk4yX9n0pkD5GcrSJR/hHRzbLO
eFB81CdcZFvwUFsjhhF/rjALZXE6dwJ8jazztktOkuhYTFAnH0GTyu8x+hzucEY7
G4QvIPMPU/eVvBHTre5RrHFtiaf9wmcMeI4cPHvpZng+JIT4eprGxXLR79pStGIT
+20kk5LILryM/67paF6B0XzCGtu0a28MJeZd3W5oS41ldfxzmtzCAGQfmAXaB7bW
ttzj6K3tVv2brfBT4UufUkwqnMyrAJBeDwMk/m2xwWzq2CdXMqQhtZahtmmAWKWb
GbZaK4WVb59/hIUD4Wb7Q/StT3b8QaEqtruoKCBqlbF7TZsmgt3dbS5ky3uNg9NJ
WcQ4eyledpM1c42hGn0h8dp36B7KXingvKCxfCb4yX7r+1nXSkM9zyZX/nyCZTfb
YRJMy3OXB8PQ0e84aeQmQtjr1PolnRb0ETrJjmb1z+lOjze+C/kp/UNplUVillqZ
oEayZiEHgKNBH8m/XZhg4svTt3gN5BWimFKG0JSQA30ZMtBDqrnuqHLagao/+DFG
5/5PRiYGxDbwFrybGw7JuF6WShd2vEDApDqSqiuYYA4RKd7Vp8Rk8H1k/n1UliuO
yXwJQfV+cgnG5/ligelU4BFVyAKskXLXv9yseN+a51fU6s/8hPWXyyCq/Eo6ow8H
SwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUtihcuSngGAWnvV+FaVKy8RXaX0cwDQYJKoZIhvcNAQENBQADggIBAIuK
3I5is3EL7XR6UPMRgRkGnfcxmoc2R4qbmbKX+Dkjcku4Rh6XT46aPGlr3whOyZvK
qOjb9vpRg281jFMFswJ1bIZ/5GBiI4waJBsIiRAL51DeGI8QB9AKi8YmoyG+j35U
vbsJmot+oa0M1l0fZLojsSsEX5bIjg3+dZvErpB5xLRqu4g3hL/Lwgevqe1drNxz
4eXQQYa7C2jAJHOmlkY5G1MLAga0foFS/xekpRCL71CYu/EQ0ycDVQ8Q+aM6hwDB
K/SaZ4RcIfLwA8GitH7R9svPeBQMvjs6cSpfmjdJWBw/yybrwIsZRcWaFy1Sd2DU
vnGGCAYrRcc2F+e979an7nlEirG25xo+reW7pry2WQa4UevV/NHGrP1/PTD0GKo8
3KD6rp04T1Ynru+M8xRKtkdja15SEVidwNgL7K8ipQqnAGrWGD63EuvuaPPVTf6V
eJFpXtIPWCAxdd0jVB1vNdirlEqW2nZPSu0BvQogNIowN0S7yxVeYPHI8iFhmQl0
TQPu+4b9bX0nOktCsYFNXRnwp6QmjifwyXTylKW5Lt8qPSFgXpsNw08bNTHTytpY
LGaZTlg36Z3NE2CGzVdGIHxEHuzokmXkmDrtkzFvbYCFpFq2PFC7QhXtHrxrMlMd
pu054FZ6DpQKWUK6JhmlsSrtpB+iLdsV51ILFkZ0
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
OpenSSL validation:
$ openssl verify -CAfile root-ca.crt.pem fullchain.crt.pem
fullchain.crt.pem: OK
How did I end up issuing a certificate outside the "namespace" of the root and intermediate certificates? How can I fix this?
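Two things in the question are worth reproducing in a throw-away CA, because together they explain the disagreement between the browsers and openssl. The WWW Sub CA carries a Name Constraints extension that permits DNS names under saltycybernaut.net and excludes every IPv4 and IPv6 address (IP:0.0.0.0/0.0.0.0 and the IPv6 equivalent), while the leaf's Subject Alternative Name contains IP Address:10.8.1.1, so Firefox and Chromium, which apply the issuer's constraints to every SAN entry, reject the leaf correctly. `openssl verify`, on the other hand, only checks the first certificate in the file it is given, and the first certificate in fullchain.crt.pem is the root CA itself, so "OK" says nothing about the leaf. The script below is an added example, not code from the original post or from the OpenSSL Cookbook: it rebuilds the same three-tier layout with constructed keys, serials and file names (only the DN values, the domain saltycybernaut.net, the host faraday.saltycybernaut.net and the address 10.8.1.1 are taken from the question), shows the first-certificate-only behaviour, verifies the leaf properly with the sub CA passed as an untrusted intermediate, and then re-issues the leaf without the IP SAN. It assumes the openssl CLI (1.1.1 or newer) is installed.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OpenSSL Cookbook.
# Rebuilds the question's layout (Root CA -> name-constrained Sub CA -> leaf)
# with a throw-away CA in a temp dir. Every key, serial and file name is
# constructed here; only the DN values, the permitted domain saltycybernaut.net,
# the host faraday.saltycybernaut.net and the IP 10.8.1.1 come from the question.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file with an extensions section per certificate type.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
# empty on purpose: every subject is passed on the command line with -subj

[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_sub]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# The constraint set shown in the question's WWW Sub CA: DNS names under
# saltycybernaut.net are permitted, every IPv4 and IPv6 address is excluded.
nameConstraints = critical, permitted;DNS:saltycybernaut.net, excluded;IP:0.0.0.0/0.0.0.0, excluded;IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

# Leaf as issued in the question: DNS name plus an IP address in the SAN.
[leaf_ip]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
authorityKeyIdentifier = keyid
subjectAltName = DNS:faraday.saltycybernaut.net, IP:10.8.1.1

# Corrected leaf: the SAN stays inside the permitted DNS subtree.
[leaf_dns]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
authorityKeyIdentifier = keyid
subjectAltName = DNS:faraday.saltycybernaut.net
EOF

# 2048-bit keys keep the demo fast; the question's CA uses 4096-bit keys.
new_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

build_chain() {
  new_key root.key
  openssl req -x509 -new -key root.key -config ca.cnf -extensions v3_root \
    -subj "/C=ME/O=OpSec/CN=Root CA" -days 3650 -sha256 -out root.crt 2>/dev/null

  new_key sub.key
  openssl req -new -key sub.key -config ca.cnf -subj "/C=ME/O=OpSec/CN=WWW Sub CA" \
    -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 3650 -sha256 -extfile ca.cnf -extensions v3_sub -out sub.crt 2>/dev/null

  new_key leaf.key
  openssl req -new -key leaf.key -config ca.cnf \
    -subj "/C=ME/O=OpSec/OU=Website Division/CN=faraday.saltycybernaut.net" \
    -out leaf.csr 2>/dev/null
  # The same CSR signed twice: once with the IP SAN, once without it.
  for v in ip dns; do
    openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
      -days 365 -sha256 -extfile ca.cnf -extensions "leaf_$v" \
      -out "leaf-$v.crt" 2>/dev/null
  done
  # Chain file in the order the question used: root first, then sub CA, then leaf.
  cat root.crt sub.crt leaf-ip.crt > fullchain.crt
}

# What the question ran. openssl verify checks only the FIRST certificate in the
# file, and in this chain file that is the self-signed root, so "OK" says
# nothing about the sub CA or the leaf. Returns openssl's exit status.
verify_chain_file() { openssl verify -CAfile root.crt fullchain.crt 2>&1; }

# The check the browsers effectively perform: validate the leaf itself, with the
# sub CA supplied as an untrusted intermediate so that its name constraints are
# applied to every SAN entry of the leaf. Returns openssl's exit status.
verify_leaf() { openssl verify -CAfile root.crt -untrusted sub.crt "$1" 2>&1; }

build_chain
echo "== openssl verify on fullchain.crt (checks the root only):"
verify_chain_file
echo "== leaf with IP Address 10.8.1.1 in its SAN (what the browsers reject):"
verify_leaf leaf-ip.crt || true
echo "== leaf re-issued without the IP SAN:"
verify_leaf leaf-dns.crt
```

The leaf with the IP SAN fails with "excluded subtree violation" (error 48), which is the OpenSSL spelling of Firefox's SEC_ERROR_CERT_NOT_IN_NAME_SPACE; the leaf re-issued with only the DNS name verifies OK against the same root and sub CA. Note that the constraint lives in the issuer, not in the leaf: if the site must stay reachable by IP address, the sub CA itself has to be re-issued with a permitted IP subtree in place of the two blanket exclusions before a leaf carrying that address can validate, because no leaf can be issued past a constraint its issuer carries. For routine checks of a served chain, pass the intermediate with `-untrusted` and the leaf as the file to verify, as `verify_leaf` does, rather than pointing `openssl verify` at a concatenated chain file.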