IIS 的个人 CA 签名证书给出“此证书对所选用途无效”错误答案

【问题标题】：Personal CA signed certificate for IIS giving "This Certificate is not valid for the selected purpose" errorIIS 的个人 CA 签名证书给出“此证书对所选用途无效”错误
【发布时间】：2015-07-06 13:50:48
【问题描述】：

我使用 OpenSSL 创建了一个 CA，并使用它为我的 localhost 签署了一个证书，并且还在我的 localhost 上的一个辅助 DNS 条目 preview-localhost 上签名。我已将 CA 证书安装到我机器上的受信任根证书中，并将我的 localhost 证书添加到 IIS。当我查看签名的 localhost 证书时，我看到以下错误：

已安装的 CA 证书表明它适用于其查看器上的所有颁发和应用策略。我已经包含了来自 OpenSSL 的两个证书的输出。我已将任何敏感（和一些不敏感的信息）替换为 .

CA 证书

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        <Serial Number
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Validity
        Not Before: Apr 27 16:17:41 2015 GMT
        Not After : Apr 24 16:17:41 2025 GMT
    Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                <Modulus>
            Exponent: <Exponent>
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            <Subject Key Identifier>
        X509v3 Authority Key Identifier:
            keyid:<keyid>
        X509v3 Basic Constraints:
            CA:TRUE
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:preview-localhost
Signature Algorithm: sha256WithRSAEncryption
     <Signature>

本地主机证书

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        <Some Serial Number>
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
OU=<Some Authority>, CN=<SomeAuthority>/emailAddress=<email address>
    Validity
        Not Before: Apr 27 18:09:18 2015 GMT
        Not After : Apr 26 18:09:18 2016 GMT
    Subject: C=<Country>, ST=<State>, L=<Ventura>, O=<MyOrganization>,
CN=localhost/emailAddress=<Email Address>
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)
            Modulus:
                <Modulus>
            Exponent: <Exponent>
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            <SKI>
        X509v3 Authority Key Identifier:
            keyid:<KEY ID>

        X509v3 Subject Alternative Name:
            DNS:localhost, DNS:preview-localhost
Signature Algorithm: sha256WithRSAEncryption
     <Signature>

任何帮助弄清楚为什么我的 localhost 证书无法遵循通往 CA 的路径，我们将不胜感激。谢谢！

【问题讨论】：

标签： iis ssl https openssl ca

【解决方案1】：

创建 CA 时，您可能需要在 openssl.cnf 的 X509_extensions 部分指定以下 keyUsage：

keyUsage = keyCertSign, cRLSign

为澄清起见，您的配置文件应包含以下内容：

[ CA_default]
...
x509_extensions = ca_extensions
...
[ ca_extensions ]
keyUsage = keyCertSign, cRLSign
...

请参阅How do you sign Certificate Signing Request with your Certification Authority? 了解有关该过程的非常详细的说明。

【讨论】：