After generating a self-signed certificate with openssl, the software under test reported the following error while debugging:
tls: failed to parse certificate from server: x509: certificate contains duplicate extensions
The certificate was generated with:
openssl x509 -req -extfile /etc/pki/tls/openssl.cnf -extensions v3_req -in client-req.csr -out client-cert.cer -signkey client-key.key -CA root-cert.cer -CAkey root-key.key -CAcreateserial -days 36500
Troubleshooting
Inspect the certificate
Dumping the certificate shows that the X509v3 extensions section contains two copies each of X509v3 Basic Constraints and X509v3 Key Usage:
[root@ym68 ~]# openssl x509 -in client-cert.cer -noout -text
Certificate:
Data:
........
Signature Algorithm: sha256WithRSAEncryption
........
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
........
Fix
Add the -clrext option to the certificate generation command. -clrext makes openssl x509 discard the extensions taken over from the input CSR, which here already carried the same v3_req extensions, so only the copies added from the -extfile section remain and each appears once. Re-running the openssl x509 -noout -text dump above confirms this.
openssl x509 -req -extfile /etc/pki/tls/openssl.cnf -extensions v3_req -clrext -in client-req.csr -out client-cert.cer -signkey client-key.key -CA root-cert.cer -CAkey root-key.key -CAcreateserial -days 36500
Signature ok