堆栈内存溢出
  简体   繁体   English

当我的 CA 证书过期时,为什么 SSLLabs 说我的证书没问题?

[英]Why does SSLLabs say my certificate is fine when my CA's cert is expired?

 原文  2020-10-22 18:40:51       ssl/ certificate/ ssl-certificate

问题描述

I did a scan of my domain using ssllabs.com, and this is what it says:我使用 ssllabs.com 扫描了我的域,这是它所说的:

在此处输入图片说明

From what I can tell, one of my CAs is USERTrust RSA Certification Authority, and their certificate is expired, which SSLLabs flagged red, but it still says that there are no chain issues, and no browsers complain about talking to my domain.据我所知,我的一个 CA 是 USERTrust RSA 证书颁发机构,他们的证书已过期,SSLLabs 将其标记为红色,但它仍然表示没有链问题,并且没有浏览器抱怨与我的域交谈。

I did the check after curl was complaining about an expired cert when talking to my domain, which may or may not be related.在 curl 与我的域交谈时抱怨证书过期后,我进行了检查,这可能相关,也可能不相关。

What's going on here?这里发生了什么? How can an expired CA certificate not be a problem?过期的 CA 证书怎么能不成问题?

1 个解决方案

解决方案1
 2 已采纳  2020-10-22 19:41:32

The expired certificate is actually not used for validation.过期的证书实际上不用于验证。 It is unnecessarily send by your server, ie you could remove it from the certificate chain you send since modern system have a trusted CA builtin which effectively replaces this expired intermediate CA.它是由您的服务器不必要地发送的,即您可以将它从您发送的证书链中删除,因为现代系统有一个受信任的 CA 内置,可以有效地替换这个过期的中间 CA。 For more details see for example USERTrust Intermediate Expiration in 2020 .有关更多详细信息,请参见USERTrust Intermediate Expiration in 2020 To cite:引用:

This is an old intermediate certificate and modern operating systems have a new version available and won't be affected.这是一个旧的中间证书,现代操作系统有一个可用的新版本,不会受到影响。 ... Based on what we know, equipment released or receiving security updates after June 2010 will most likely not be affected. ... 根据我们所知,2010 年 6 月之后发布或接收安全更新的设备很可能不会受到影响。 ... ...

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 为什么我的浏览器说我的服务器的SSL证书已过期,而OpenSSL却没有? - Why do my browsers say my server's SSL certificate has expired but OpenSSL says it hasn't? 为什么我的证书链不包含 CA 根证书? - Why does NOT my certificate chain contain the CA root certificate? 我的网站具有有效的SSL证书,为什么我的浏览器会说它不安全? - My site has a valid SSL Cert why would my browser say it's not secure? 使用证书管理器在 k8s 中将 ssl 添加到我的域时,“颁发证书作为秘密不存在”错误是什么意思 - what does "Issuing certificate as Secret does not exist" error mean when using cert manager to add ssl to my domain in k8s WebLogic上的(内部)CA签名证书和我的计算机上的相同CA证书(公钥)。 浏览器仍然不信任 - (Internal)CA signed certificate on WebLogic & same CA cert(public key) on my machine. Browser still doesn't trust (内部)WebLogic 上的 CA 签名证书和我的 Weblogic 服务器上的相同 CA 证书(公钥)。 浏览器仍然不信任 - (Internal)CA signed certificate on WebLogic & same CA cert(public key) on my Weblogic Server. Browser still doesn't trust 为什么 Java / Apache HttpClient 使用与我的浏览器不同(且已过期)的 X509 根证书? - Why does Java / Apache HttpClient use a different (and expired) X509 root certificate than my browser? 带有证书固定功能的移动应用-DMZ盒子上的SSL证书具有受信任的CA与我自己的CA - Mobile App with Cert Pinning - SSL Cert on DMZ box with trusted CA vs my own CA Docker Registry 错误地声明了过期的 CA 证书 - Docker Registry incorrectly claims an expired CA cert Android将我自制的CA证书识别为用户证书,并且未正确安装 - Android recognizes my self made CA certificate as a user certificate, and does not install it properly
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM