I would like to use the macOS Keychain to create a basic root CA that will be able to sign CSRs and/or intermediate CAs that will in turn be able to do so.
For the sake of learning, I would like to create a root and an intermediate, then our usual internal SSL certificates, but IRL just one root and a few leaves are enough.
I'm trying many combinations of usages for the root and for the leaves. On macOS I only need to trust the root certificate and its descendants are trusted (which is entirely normal). But on Windows, no matter how much I trust the root, the leaves are always marked as untrusted, saying something like "This certificate is not trusted because the signing certificate cannot issue certificates", even if I mark EVERY possible usage.
For example, here is RootCA.pem:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Here is the leaf certificate.pem:
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
And here is the private key of the leaf certificate (decrypted):
Bag Attributes
friendlyName: lan.oph.ovh
localKeyID: E7 36 A4 85 FC 43 2A F9 79 01 36 37 80 BB 00 38 30 74 0E 47
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
Can someone help me understand why this certificate cannot be trusted on Windows and what I missed, please?
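The error text quoted above is what a relying party reports when the issuer's certificate lacks the extensions that mark it as a CA: a basicConstraints extension with CA:TRUE and a keyUsage extension that includes keyCertSign. The following script is an added example, not code from the original post: it builds a root, an intermediate and a leaf with OpenSSL, carrying those extensions, and beside them a second root that carries leaf-style usages instead, so the resulting verification failure can be compared with the working chain. The subject names (Example Root, lan.example.test) and the `$WORK` directory are placeholders chosen for the example; the same extension settings can be applied in the Keychain Access Certificate Assistant by choosing a CA template.

```shell
# Added example (not from the original post): a minimal two-tier CA built with
# OpenSSL, showing the extensions an issuing certificate must carry before a
# relying party such as Windows accepts the certificates it signs. All names
# (Example Root, lan.example.test, the $WORK directory) are placeholders.
WORK="$(mktemp -d)"

# Generate an EC private key into $1.
gen_key() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
}

# Write the extension sections used below. A certificate that signs other
# certificates needs basicConstraints CA:TRUE and keyUsage keyCertSign;
# "ext_noca" reproduces a root that carries leaf-style usages instead.
write_configs() {
  cat > "$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Root
[ext_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ext_noca]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
EOF
  cat > "$WORK/int.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:lan.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root: $1 = output cert, $2 = key, $3 = extension section (ext_ca or ext_noca).
make_root() {
  openssl req -x509 -new -key "$2" -config "$WORK/root.cnf" -extensions "$3" \
    -subj "/CN=Example Root $3" -days 3650 -out "$1" 2>/dev/null
}

# Issue certificate $1 for key $2, signed by CA cert $3 / key $4, with the
# extensions in file $5 and subject CN $6.
issue_cert() {
  csr="$WORK/$(basename "$1").csr"
  openssl req -new -key "$2" -config "$WORK/root.cnf" -subj "/CN=$6" -out "$csr" 2>/dev/null
  openssl x509 -req -in "$csr" -CA "$3" -CAkey "$4" -CAcreateserial \
    -days 825 -extfile "$5" -out "$1" 2>/dev/null
}

# Return 0 when leaf $3 chains to trusted root $1, via intermediate $2 if given.
chain_ok() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

# Print basicConstraints and keyUsage of $1: the first thing to inspect when a
# client says the signing certificate "cannot issue certificates".
show_ca_bits() {
  openssl x509 -in "$1" -noout -text | grep -E -A1 'X509v3 (Basic Constraints|Key Usage)'
}

# Build both PKIs: a correct root/intermediate/leaf and a leaf signed by a
# root that is not marked as a CA.
build_pki() {
  write_configs
  for n in root badroot int leaf badleaf; do gen_key "$WORK/$n.key"; done
  make_root "$WORK/root.pem" "$WORK/root.key" ext_ca
  make_root "$WORK/badroot.pem" "$WORK/badroot.key" ext_noca
  issue_cert "$WORK/int.pem" "$WORK/int.key" "$WORK/root.pem" "$WORK/root.key" "$WORK/int.ext" "Example Intermediate"
  issue_cert "$WORK/leaf.pem" "$WORK/leaf.key" "$WORK/int.pem" "$WORK/int.key" "$WORK/leaf.ext" "lan.example.test"
  issue_cert "$WORK/badleaf.pem" "$WORK/badleaf.key" "$WORK/badroot.pem" "$WORK/badroot.key" "$WORK/leaf.ext" "lan.example.test"
}

build_pki
echo "== root with CA:TRUE / keyCertSign -> intermediate -> leaf"
show_ca_bits "$WORK/root.pem"
if chain_ok "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem"; then echo "verify: OK"; else echo "verify: FAILED"; fi
echo "== root with CA:FALSE and no keyCertSign -> leaf"
show_ca_bits "$WORK/badroot.pem"
if chain_ok "$WORK/badroot.pem" "" "$WORK/badleaf.pem"; then echo "verify: OK"; else echo "verify: FAILED (issuer is not a CA)"; fi
```

Running the script prints the CA-related extensions of each root next to the verification result, so the difference between a root that Windows will accept as an issuer and one it will reject is visible in the certificate itself. To check an existing root such as RootCA.pem, run `show_ca_bits RootCA.pem` and look for `CA:TRUE` and `Certificate Sign`; if either is missing, the root has to be re-issued, since extensions cannot be added to a certificate after it is signed.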