Creating a self-signed root CA using the macOS Keychain

0

I'd like to use the macOS Keychain to create a basic root CA that will be able to sign CSRs and/or intermediate CAs, which in turn will be able to do the same.

For learning purposes I'd like to create a Root and an Intermediate, then our usual internal SSL certificates, but in real life just a root and a few leaves are enough.

I'm trying many combinations of usages for the root and for the leaves. On macOS I only need to trust the Root certificate and its descendants are trusted (which is perfectly normal). But on Windows, no matter how much I trust the Root, the leaves are always marked as untrusted, saying something like "This certificate is not trusted because the signing certificate cannot issue certificates", even if I mark EVERY possible usage.

For example, here is RootCA.pem:


Here is the leaf, certificate.pem:


And here is the leaf certificate's private key (decrypted):


Can someone help me understand why this certificate can't be trusted on Windows and what I've missed, please?

asked by Max13, 25.04.2018 - 00:15

1 answer

4

It looks valid to me. Windows doesn't complain about the leaf certificate if I install the CA. XCA also confirms the leaf as trusted.

Are you using a browser that keeps its own list of trusted roots, such as Firefox?

answered 25.04.2018 - 01:30
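To see from the files themselves what a certificate actually asserts, independent of any OS trust dialog, here is an added example (not part of the question or answer above): a standard-library DER walker that reports the cA flag of basicConstraints and the keyCertSign bit of keyUsage, the two things a relying party requires of a signing certificate. Feed it `pem_to_der(open("RootCA.pem").read())`; the `SAMPLE_*_DER` constants are constructed inputs, not the certificates from the question.

```python
import base64

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # id-ce-basicConstraints, 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")           # id-ce-keyUsage, 2.5.29.15

def tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pem_to_der(pem_text):  # base64-decode the PEM body, dropping the BEGIN/END lines
    return base64.b64decode("".join(l.strip() for l in pem_text.splitlines() if not l.startswith("-----")))

def extensions(der):
    """Map extnID (raw OID bytes) -> extnValue contents for every v3 extension."""
    _, pos, tbs_end = tlv(der, tlv(der, 0)[1])      # Certificate SEQ -> tbsCertificate SEQ
    found = {}
    while pos < tbs_end:                              # scan the tbsCertificate fields
        tag, vs, ve = tlv(der, pos)
        if tag == 0xA3:                               # extensions [3] EXPLICIT
            _, p, seq_end = tlv(der, vs)              # SEQUENCE OF Extension
            while p < seq_end:
                _, xs, xe = tlv(der, p)               # Extension ::= SEQUENCE
                _, oid_s, oid_e = tlv(der, xs)        # extnID OBJECT IDENTIFIER
                tag, s, e = tlv(der, oid_e)
                if tag == 0x01:                       # optional critical BOOLEAN
                    tag, s, e = tlv(der, e)
                found[der[oid_s:oid_e]] = der[s:e]    # extnValue OCTET STRING contents
                p = xe
        pos = ve
    return found

def issuer_capabilities(der):
    """Return (cA, keyCertSign) as booleans; None where that extension is absent."""
    exts = extensions(der)
    ca = key_cert_sign = None
    if (bc := exts.get(OID_BASIC_CONSTRAINTS)) is not None:
        _, s, e = tlv(bc, 0)                          # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
        ca = s < e and bc[s] == 0x01 and bc[s + 2] != 0
    if (ku := exts.get(OID_KEY_USAGE)) is not None:
        _, s, e = tlv(ku, 0)                          # BIT STRING: unused-bit count, then bits
        key_cert_sign = e > s + 1 and bool(ku[s + 1] & 0x04)   # bit 5 = keyCertSign
    return ca, key_cert_sign

# Constructed sample inputs (not real certificates): a tbsCertificate holding only extensions.
SAMPLE_ROOT_DER = bytes.fromhex("30273025a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106")
SAMPLE_LEAF_DER = bytes.fromhex("30273025a3233021300f0603551d130101ff04053003010100300e0603551d0f0101ff0404030205a0")
```

A root that is meant to issue certificates should come back as `(True, True)`; a leaf should come back as `(False, False)` or with no keyCertSign bit, and a `(False, ...)` result on the issuer is exactly the condition Windows describes in the question.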
