Let's Encrypt > Certbot > OpenSSL certificate (2048 bit key issue)


Question



I'm trying to generate a wildcard PFX certificate for my domain example.com with Let's Encrypt, then using certbot and finally converting .pem to pfx using OpenSSL.
The problem is that it seems the final PFX file doesn't meet browser security requirements and the key doesn't have at least 2048 characters, but this is really strange as Certbot by default works at 2048 bits for RSA keys (already tried forcing to 4096 but I get the same result).

This is the procedure I followed:

  1. from Certbot (installed via Anaconda Python) I ran

    call C:\ProgramData\Anaconda3\Scripts\activate.bat

    certbot certonly --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example@example.com

  2. Afterwards, from OpenSSL I ran

    openssl pkcs12 -export -out "C:\Users\administrator.EXAMPLE\Desktop\certificati\EXAMPLE.com.pfx" -inkey "C:\Certbot\live\EXAMPLE.com\privkey.pem" -in "C:\Certbot\live\EXAMPLE.com\fullchain.pem" -password pass:TEST2023!

From the Sangfor VDI interface an alert appears when I try to import the certificate, and if I try to access the FQDN from Chrome, for example, the domain cannot be loaded due to an SSL mismatch.
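Before concluding that certbot produced a short key, it is worth checking the two input files and the exported PFX directly. The script below is an added example, not code from the question or the answer; it assumes a POSIX shell with the `openssl` binary on PATH and mirrors certbot's `privkey.pem` / `fullchain.pem` layout. It reads the key size out of the private key, reads the key algorithm and public key out of the leaf certificate (the first certificate in `fullchain.pem`), confirms the two belong together, and then repeats the same checks on what is actually stored inside the PFX, which is what the browser and the VDI appliance see. The test pair built by `make_test_material` is constructed self-signed material, not a Let's Encrypt certificate. Note that certbot 2.0 and later issue an ECDSA key by default, which `key_bits` reports as 256 bits for a P-256 key; that is the case the answer's `--key-type rsa` flag rules out, and the checks below distinguish it from a genuinely short RSA key.

```shell
#!/bin/sh
# Added example, not part of the question or the answer.
# Checks the material that goes into (and comes out of) the PFX:
#   1. the private key really has at least MIN_BITS,
#   2. the leaf certificate in the chain was issued for that same key.
# make_test_material builds a constructed self-signed test pair; it is
# not a Let's Encrypt certificate, the file names only mirror certbot's.
set -eu

# Key size in bits of a PEM private key (RSA or EC), printed on stdout.
# Matches both OpenSSL 1.1.1 ("RSA Private-Key: (2048 bit, 2 primes)")
# and OpenSSL 3.x ("Private-Key: (2048 bit, 2 primes)" / "(256 bit)").
key_bits() {
  openssl pkey -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Public key algorithm of the FIRST certificate in the file, e.g.
# "rsaEncryption" or "id-ecPublicKey". openssl x509 only reads the first
# certificate, which in certbot's fullchain.pem is the leaf.
cert_key_algorithm() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# True when the public key embedded in the leaf certificate is identical
# to the public key derived from the private key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_material KEY.pem CHAIN.pem MIN_BITS -> exit 0 only if all checks pass.
check_material() {
  bits=$(key_bits "$1")
  if [ -z "$bits" ]; then
    echo "cannot parse private key $1" >&2; return 1
  fi
  if [ "$bits" -lt "$3" ]; then
    echo "private key is only $bits bits ($(cert_key_algorithm "$2")), below $3" >&2
    return 1
  fi
  if ! key_matches_cert "$1" "$2"; then
    echo "private key $1 does not match the leaf certificate in $2" >&2; return 1
  fi
  echo "ok: $bits-bit $(cert_key_algorithm "$2") key matches the leaf certificate in $2"
}

# check_pfx FILE.pfx PASSWORD MIN_BITS -> unpack the PFX into a temp dir
# and run check_material on what is really inside it.
check_pfx() {
  tmp=$(mktemp -d)
  if ! openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$tmp/key.pem" 2>/dev/null \
  || ! openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$tmp/cert.pem" 2>/dev/null; then
    echo "cannot open $1 (wrong password or unreadable PKCS#12)" >&2
    rm -rf "$tmp"; return 1
  fi
  if check_material "$tmp/key.pem" "$tmp/cert.pem" "$3"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# make_test_material DIR BITS -> constructed self-signed RSA test pair plus
# a PFX exported the same way the question does it (-inkey privkey, -in chain).
make_test_material() {
  openssl req -x509 -newkey "rsa:$2" -nodes -days 1 -subj "/CN=*.example.com" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/privkey.pem" -in "$1/fullchain.pem" \
    -out "$1/test.pfx" -password pass:TEST 2>/dev/null
}

# Demo run: sh check_pfx.sh --demo
case "${1:-}" in
  --demo)
    d=$(mktemp -d)
    make_test_material "$d" 2048
    check_material "$d/privkey.pem" "$d/fullchain.pem" 2048
    check_pfx "$d/test.pfx" TEST 2048
    rm -rf "$d"
    ;;
esac
```

On the real files, call `check_material` with the `privkey.pem` and `fullchain.pem` paths from the certbot `live` directory and `check_pfx` with the exported PFX and its password; on Windows the three underlying commands (`openssl pkey -noout -text`, `openssl x509 -pubkey -noout`, `openssl pkcs12 -nocerts -nodes`) can be typed into the same prompt the question uses. A failing size check with algorithm `id-ecPublicKey` means the key is ECDSA rather than short RSA; a failing match check means the PFX pairs a private key with a certificate issued for a different key, which is what a browser reports as a mismatch.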

让我们加密 > Certbot > OpenSSL 证书 (2048 位密钥问题)

让我们加密 > Certbot > OpenSSL 证书 (2048 位密钥问题)

Answer 1

Score: 5

certbot certonly --rsa-key-size 2048 --key-type rsa --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example@example.com


huangapple
  • This article was posted on 2023-02-14 08:18:35
  • Please keep the link to this article when reposting: https://go.coder-hub.com/75442368.html