How to use non-CA SSL certificate as root certificate in node.js?
So I want to have a non-CA certificate as root certificate in a TLS connection in node.js. However the certificate always seems to be considered a CA.
I am generating the root certificate with
openssl req -new -nodes -subj "/CN=ClientName1" -keyout client-key.pem -out client-csr.pem
openssl x509 -req -signkey client-key.pem -in client-csr.pem -out client-cert.pem -extfile v3.ext
(analogous for the server)
and a test certificate like this
openssl req -new -nodes -subj "/CN=ClientName2" -keyout client-key2.pem -out client-csr2.pem
openssl x509 -req -in client-csr2.pem -out client-cert2.pem -extfile v3.ext -CA client-cert.pem -CAkey client-key.pem -CAcreateserial
with v3.ext being
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
Now the server accepts client-cert as well as client-cert2, however if I generate a third (client-cert3) signed by client-cert2, the server does not accept it. So the root certificate appears to be considered a CA no matter what.
Is there a way around it without purposely generating a throwaway dummy root certificate which is only used to sign that one single client-cert?
I am using it like this:
var tls = require('tls');
var fs = require('fs');

var options = {
    key: fs.readFileSync('server-key.pem'),
    cert: fs.readFileSync('server-cert.pem'),
    requestCert: true,          // ask the client for a certificate
    rejectUnauthorized: true,   // drop clients whose chain does not end in `ca`
    ca: [fs.readFileSync('client-cert.pem')],
    port: 15151
};
var server = tls.createServer(options, function (socket) {});
PS Also when testing to use client-cert2.pem as root, the server does not accept clients using client-cert2, nor client-cert3, nor client-cert.
Anything which is used to sign another certificate must have the appropriate key usage restrictions. If the usage restrictions do not allow a certificate to work as a CA you cannot work around it because validation of the certificate chain is done by the client and not by the server.
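The following script is an added example, not part of the question or the answer above. It rebuilds the certificate layout from the question with the openssl CLI (root -> intermediate -> leaf) and checks each link with `openssl verify`, which applies the same X.509 path rules that Node's `ca` option does through OpenSSL. It then builds the same chain a second time with `basicConstraints=CA:TRUE` and `keyUsage=keyCertSign` on every certificate that signs another one, which is the layout the answer calls for. All file and directory names are made up, and the openssl binary is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: reproduce the question's chain and the corrected chain, then
# verify the leaf against the root with the intermediate as an untrusted cert.
# Assumes the openssl CLI is installed; names and directories are constructed.

# Extension text for a certificate that is NOT allowed to issue others (the question's v3.ext).
NONCA_EXT="authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE"

# Extension text for a certificate that IS allowed to issue others.
CA_EXT="subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"

# gen_self_signed NAME EXTFILE: self-signed certificate, like the question's root.
gen_self_signed() {
  openssl req -new -nodes -subj "/CN=$1" -keyout "$1-key.pem" -out "$1-csr.pem" >/dev/null 2>&1 &&
  openssl x509 -req -signkey "$1-key.pem" -in "$1-csr.pem" -out "$1-cert.pem" \
    -extfile "$2" >/dev/null 2>&1
}

# gen_signed NAME ISSUER EXTFILE: certificate signed with ISSUER's key.
gen_signed() {
  openssl req -new -nodes -subj "/CN=$1" -keyout "$1-key.pem" -out "$1-csr.pem" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1-csr.pem" -out "$1-cert.pem" -extfile "$3" \
    -CA "$2-cert.pem" -CAkey "$2-key.pem" -CAcreateserial >/dev/null 2>&1
}

# build_chain DIR ROOT_EXT MID_EXT: creates root, mid (issued by root) and leaf
# (issued by mid) in DIR. The leaf is always CA:FALSE; the issuers vary.
build_chain() {
  _d=$1
  mkdir -p "$_d" || return 1
  printf '%s\n' "$2" > "$_d/root.ext"
  printf '%s\n' "$3" > "$_d/mid.ext"
  printf '%s\n' "$NONCA_EXT" > "$_d/leaf.ext"
  ( cd "$_d" && gen_self_signed root root.ext \
             && gen_signed mid root mid.ext \
             && gen_signed leaf mid leaf.ext )
}

# verify_leaf DIR: 0 if leaf chains to root through mid, non-zero otherwise.
# This is the check Node performs for a client certificate when `ca` holds root.
verify_leaf() {
  openssl verify -CAfile "$1/root-cert.pem" -untrusted "$1/mid-cert.pem" \
    "$1/leaf-cert.pem" >/dev/null 2>&1
}

# run_scenario LABEL ROOT_EXT MID_EXT: build, verify, clean up; return verify's status.
run_scenario() {
  _dir=${TMPDIR:-/tmp}/x509-demo-$1-$$
  build_chain "$_dir" "$2" "$3" || { rm -rf "$_dir"; return 2; }
  verify_leaf "$_dir"; _rc=$?
  rm -rf "$_dir"
  return $_rc
}

# The question's layout: root and intermediate both carry CA:FALSE. Expected to fail,
# because mid may not act as a CA and the client-cert3 analogue is rejected.
question_chain_verifies() { run_scenario nonca "$NONCA_EXT" "$NONCA_EXT"; }

# Corrected layout: every issuing certificate is marked CA:TRUE with keyCertSign.
fixed_chain_verifies() { run_scenario ca "$CA_EXT" "$CA_EXT"; }

main() {
  if question_chain_verifies; then echo "CA:FALSE intermediate: leaf ACCEPTED"; else echo "CA:FALSE intermediate: leaf REJECTED"; fi
  if fixed_chain_verifies; then echo "CA:TRUE chain: leaf ACCEPTED"; else echo "CA:TRUE chain: leaf REJECTED"; fi
  return 0
}
main
```

The first scenario is the question's client-cert3 case and is rejected by every OpenSSL version: an untrusted intermediate with `basicConstraints=CA:FALSE` can never be used as an issuer. Only the treatment of the trust anchor itself differs between versions: OpenSSL 1.0.x skipped the CA check for certificates taken from the trust store, which is why the questioner's CA:FALSE root was still accepted as the direct issuer of client-cert2, while later releases check the whole chain, so the root needs CA:TRUE as well. The corrected scenario passes on both, which is why the script marks every signing certificate as a CA rather than relying on that exemption.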