openssl自建证书SSL+apache

foolkaka

当OpenSSL提示您“CommonName”时，确保你输入了服务器的FQDN("Fully Qualified Domain Name" ，即，当您为一个以后用https://www.foo.dom/访问的网站生成一个CSR时，这里输入"www.foo.dom"。

否则会发生证书验证的时候（跳出来一个对话框） 有一个感叹号

第三项：该安全证书上的名称无效，或与站点名称不匹配 （黄色叹号）

水中风铃

原帖由 "foolkaka" 发表：
当OpenSSL提示您“CommonName”时，确保你输入了服务器的FQDN("Fully Qualified Domain Name" ，即，当您为一个以后用https://www.foo.dom/访问的网站生成一个CSR时，这里输入"www.foo.dom"。

否则会发生证书验证..........

https://DomainName要和证书里的CommonName项对应吧！表示是为
DomainName发的证书？

foolkaka

对

denisming

为什么我用FreeBSD配一点效果都没有。。。
还提示我服务起了~用https访问却连个提示要证书的没，直接打不开。

求救一下

floriawll

怎么会出现这样的问题呢？不用验证就可以打开页面了。

77902543

为什么我制作证书的时候会出现这样的问题呢?

[root@wangw crt]# cp /usr/local/ssl/misc/CA.sh .
[root@wangw crt]# ./CA.sh -newca               
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....................++++++
............++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:ah
Locality Name (eg, city) [Newbury]:hf
Organization Name (eg, company) [My Company Ltd]:test
Organizational Unit Name (eg, section) []:test.com
Common Name (eg, your name or your server's hostname) []:192.168.0.25
Email Address []:root@test.com

[root@wangw crt]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
......................................++++++
................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:


[root@wangw crt]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:ah
Locality Name (eg, city) [Newbury]:hf
Organization Name (eg, company) [My Company Ltd]:test
Organizational Unit Name (eg, section) []:test.com
Common Name (eg, your name or your server's hostname) []:192.168.0.25
Email Address []:root@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:passwd
An optional company name []:passwd

[root@wangw crt]# mv server.csr newreq.pem
[root@wangw crt]# ./CA.sh -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
9501:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:847:You must type in 4 to 8191 characters
Enter pass phrase for ./demoCA/private/cakey.pem:

fargg

我的https访问提示选择证书，然后提示无法打开页面。郁闷。

fargg

无法显示网页
您正在查找的页当前不可用。 网站可能遇到支持问题，或者您需要 调整您的浏览器设置。

--------------------------------------------------------------------------------

请尝试以下操作:

单击  刷新按钮，或稍后重试。

如果您已经在地址栏中输入该网页的地址， 请确认其拼写正确。

要检查您的网络连接，请单击工具菜单，然后单击 Internet 选项。在连接选项卡上，单击设置。 设置必须与您的局域网 (LAN) 管理员或 Internet 服务供应商 (ISP) 提供的一致。
查看您的 Internet 连接设置是否正确被检测。您可能设置让 Microsoft Windows 检查您的网站并自动发现网络连接设置(如果您的网络管理员已经启用此设置)。
单击工具菜单，然后单击Internet 选项。
在连接选项卡上，单击LAN 设置。
选择自动检测设置，然后单击确定。
某些站点要求 128-位的连接安全性。单击帮助菜单，然后单击关于 Internet Explorer 可以查看您所安装的安全强度。
如果您要访问某安全站点，请确保您的安全设置能够支持。请单击工具菜单，然后单击 Internet 选项。在“高级”选项卡上，滚动到“安全”部分，复选 SSL 2.0、SSL 3.0、TLS 1.0、PCT 1.0 设置。
单击上一步按钮，尝试其他链接。



找不到服务器或 DNS 错误
Internet Explorer

fargg

下面这项就是设置CA根证书的位置的吧？


SSLCACertificateFile Directive
Description: File of concatenated PEM-encoded CA Certificates for Client Auth
Syntax: SSLCACertificateFile file-path
Context: server config, virtual host
Status: Extension
Module: mod_ssl

This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLCACertificatePath.

Example
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt

fargg

能不能帮忙看看我的问题在哪？