Why must stateOrProvinceName in the CSR match the CA?


To study mTLS, I created the necessary certificates by following the guide on the following website:

First, I created a CA with the following information:

Country Name (2 letter code) [JP]:
State or Province Name (full name) []:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [private]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Next, I created a CSR with the following details and tried to sign it with the CA created above.

Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:tokyo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:client.yourdomain.com.
Email Address []:

But I got the following error:

# openssl ca -config /root/mtls/openssl.cnf -days 1650 -notext -batch -in client.csr -out client.cert.pem

Using configuration from /root/mtls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field does not exist in the CA certificate,
the 'policy' is misconfigured

After investigating this error, I found that the stateOrProvinceName value in the CSR must match that of the CA. When I recreated the CA and CSR with matching values, the CSR was signed successfully:

# CA
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [minato]:
Organization Name (eg, company) [private]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
# CSR
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:minato
Organization Name (eg, company) [Internet Widgits Pty Ltd]:private
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:client.yourdomain.com.
Email Address []:

I would like to understand why the stateOrProvinceName values in the CSR and the CA have to match. It seems reasonable for the CSR creator and the signing CA to be physically far apart, for example a user in Japan requesting a certificate from Verisign.

1 Answer

There is no general requirement that the entries of the certificate and the CA must match. This is probably a restriction in your particular openssl.cnf. Look for something like this and change it according to your actual requirements:

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
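As an added illustration (not part of the answer above), here is the relevant shape of an openssl.cnf: the `[ CA_default ]` section selects which policy `openssl ca` enforces, `policy_match` requires the listed fields to be present in the CA certificate and equal in the CSR, and the stock `policy_anything` section only requires a commonName. The `dir` value is an assumption based on the path in the question. Keeping `match` is a deliberate issuance control that stops this CA from signing subjects outside its own country, state or organisation, so relax only the fields you actually need.

```ini
[ CA_default ]
dir      = /root/mtls          # assumed CA directory, taken from the question's config path
policy   = policy_match        # which [ policy_* ] section openssl ca enforces

# Strict policy: 'match' fields must exist in the CA certificate and be equal
# in the CSR, 'supplied' fields must be present in the CSR, 'optional' fields
# are copied if present. The first CA in the question had an empty
# stateOrProvinceName, so 'match' on that field can never succeed.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# Relaxed policy: the 'policy_anything' section shipped in the default openssl.cnf.
# Select it permanently with 'policy = policy_anything' in [ CA_default ], or for
# a single signing run with: openssl ca -config openssl.cnf -policy policy_anything ...
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
```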