ssl - curl:“证书密钥使用不足以尝试操作”
问题描述
我已经阅读了很多关于密钥使用不足的帖子,我想我知道如何让 curl 接受自签名证书,但我仍然无法让它为我工作:
我有一个包含证书 CA 的信任库:
./my.trust.crt
我使用从服务器检索证书 ./my.server.com.pem
> openssl s_client -showcerts -servername my.server.com -connect my.server.com:443
我检查了证书是否适合使用:
> openssl verify -purpose sslserver -CAfile ./my.trust.crt my.server.com.pem
my.server.com.pem: OK
>
但是,卷曲仍然抱怨:
> curl -v --cacert ./my.trust.crt https://my.server.com
* About to connect() to my.server.com port 443 (#0)
* Trying 192.168.x.y...
* Connected to my.server.com (192.168.x.y) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: ./my.trust.crt
CApath: none
* Server certificate:
* subject: CN=my.server.com,OU=x,O=y,L=z,ST=ZH,C=CH
* start date: Mar 07 13:19:00 2019 GMT
* expire date: Mar 07 13:19:00 2029 GMT
* common name:my.server.com
* issuer: CN=My Certificate Authority,O=y,L=z,ST=ZH,C=CH
* NSS error -8102 (SEC_ERROR_INADEQUATE_KEY_USAGE)
* Certificate key usage inadequate for attempted operation.
* Closing connection 0
curl: (60) Certificate key usage inadequate for attempted operation.
More details here: http://curl.haxx.se/docs/sslcerts.html
...
关于我如何找出问题所在的任何提示?我的 openssl 验证是否正确?还有什么我做错了吗?
附加信息:ca“捆绑包”中有一个 CA。根据建议,CA 和服务器证书的匿名内容(谢谢!)
> openssl x509 -in my.server.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c2:48:fb:ed:52:57:1e:24
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CH, ST=ZH, L=Z, O=Company, CN=Company Certificate Authority
Validity
Not Before: Mar 7 13:19:00 2019 GMT
Not After : Mar 7 13:19:00 2024 GMT
Subject: C=CH, ST=ZH, L=Z, O=Company, OU=Dept, CN=my.server.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
<lots of hex stuff>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
A4:51:53:0C:51:01:2F:51:48:D1:C0:49:B3:8B:CF:BD:7B:91:27:40
X509v3 Authority Key Identifier:
keyid:91:E5:80:D7:86:77:4C:B8:16:19:49:DF:74:E4:A7:05:D2:86:12:FE
DirName:/C=CH/ST=ZH/L=Z/O=Company/CN=Company Certificate Authority
serial:C2:48:FB:ED:52:57:1D:8B
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:my.server.com, DNS:my-1.server.com, DNS:my-2.server.com
Signature Algorithm: sha256WithRSAEncryption
<lots of hex stuff>
> openssl x509 -in my.trust.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c2:48:fb:ed:52:57:1d:8b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CH, ST=ZH, L=Z, O=Company, CN=Company Certificate Authority
Validity
Not Before: Sep 9 11:49:46 2015 GMT
Not After : Sep 9 11:49:46 2025 GMT
Subject: C=CH, ST=ZH, L=Z, O=Company, CN=Company Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
<lots of hex stuff>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
91:E5:80:D7:86:77:4C:B8:16:19:49:DF:74:E4:A7:05:D2:86:12:FE
X509v3 Authority Key Identifier:
keyid:91:E5:80:D7:86:77:4C:B8:16:19:49:DF:74:E4:A7:05:D2:86:12:FE
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
<lots of hex stuff>
No Trusted Uses.
No Rejected Uses.
Alias: Company Certificate Authority
解决方案
正如@SteffenUllrich 正确指出的那样:服务器证书中缺少 keyEncipherment 用法。添加这个(分别创建包含这种用法的证书)解决了这个问题!
推荐阅读
- javascript - html 输入后更改/替换字符串
- python - 使用柯南构建多个库并打包它们以在没有柯南的情况下使用
- php - 将未选择的列表框值从 html 回显到 php
- python - 我想从列表中单独输出
- python - 从抓取的数据中剥离数字并将其存储在单独的变量中
- azure - 使用 powershell 下载 Site-to-Site VPN 配置文件
- python - 根据另一个 Pandas 数据框中的重叠范围和相同范围的总和值从 2 列映射范围
- c++ - 如果没有顺序,如何从 wav 文件头中读取数据
- python - 删除后的 Python SQLAlchemy INSERT 违反约束
- javascript - 对话框(Jquery)仅在第二次单击时工作,并显示无法读取未定义的属性“调用”