51工具盒子

依楼听风雨

openssl self-signed certificate error: x509: certificate contains duplicate extensions

After generating a self-signed certificate with openssl, the application being debugged reported the following error:

tls: failed to parse certificate from server: x509: certificate contains duplicate extensions

The certificate was generated with this command:

openssl x509 -req -extfile /etc/pki/tls/openssl.cnf -extensions v3_req -in client-req.csr -out client-cert.cer -signkey client-key.key -CA root-cert.cer -CAkey root-key.key -CAcreateserial -days 36500

Troubleshooting

Inspect the certificate

Dumping the certificate shows that the X509v3 extensions section contains the X509v3 Basic Constraints and X509v3 Key Usage extensions more than once each:

[root@ym68 ~]# openssl x509 -in client-cert.cer -noout -text 
Certificate:
    Data:
    ........
    Signature Algorithm: sha256WithRSAEncryption
    ........
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
    ........
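
As an added check (not part of the original post), the following sh/awk script reads the output of `openssl x509 -noout -text`, reports any X509v3 extension name that appears more than once, and exits non-zero when it finds one; it assumes the indentation layout shown in the dump above and embeds a constructed copy of that dump as sample input.

```shell
#!/bin/sh
# Added check: list X509v3 extension names that appear more than once in the
# text dump printed by "openssl x509 -noout -text". Exit status 1 when any
# name repeats, 0 otherwise, so it can gate a build or deployment step.
# Assumes the dump layout shown above: "X509v3 extensions:" indented by N
# spaces and each extension name indented by N+4 (values are deeper).
dup_extensions() {
    awk '
        { match($0, /^ */); indent = RLENGTH }
        /^ *X509v3 extensions:/ { in_ext = 1; base = indent; next }
        in_ext && indent <= base { in_ext = 0 }        # extensions block ended
        in_ext && indent == base + 4 {                  # an extension name line
            name = $0
            sub(/^ */, "", name); sub(/:.*$/, "", name) # drop indent and ": critical"
            if (++seen[name] == 2) { dup = 1; print name }
        }
        END { exit (dup ? 1 : 0) }
    '
}

# Constructed sample input: the extension block from the dump above.
DUP_DUMP='Certificate:
    Data:
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption'

# Constructed sample with each extension present once (the expected clean case).
CLEAN_DUMP='Certificate:
    Data:
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption'

check_dup_sample()   { printf '%s\n' "$DUP_DUMP"   | dup_extensions; }
check_clean_sample() { printf '%s\n' "$CLEAN_DUMP" | dup_extensions; }

# On a real certificate:  openssl x509 -in client-cert.cer -noout -text | dup_extensions
```
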
Solution

Adding the -clrext option to the certificate generation command fixes it. -clrext deletes any extensions already present on the certificate being written before the ones from -extfile are added, so each extension ends up in the certificate only once.

openssl x509 -req -extfile /etc/pki/tls/openssl.cnf -extensions v3_req -clrext -in client-req.csr -out client-cert.cer -signkey client-key.key -CA root-cert.cer -CAkey root-key.key -CAcreateserial -days 36500
Signature ok