修复根证书信任问题

app.py

@@ -300,16 +300,43 @@ def create_ca(ca_name, common_name, organization, organizational_unit, country,
     key_path = os.path.join(ca_dir, f"{common_name}.key")
     cert_path = os.path.join(ca_dir, f"{common_name}.crt")
 
+    # 创建OpenSSL配置文件
+    openssl_cnf = f"""
+    [ req ]
+    default_bits       = {key_size}
+    distinguished_name = req_distinguished_name
+    x509_extensions    = v3_ca
+    prompt             = no
+
+    [ req_distinguished_name ]
+    C  = {country}
+    ST = {state}
+    L  = {locality}
+    O  = {organization}
+    OU = {organizational_unit}
+    CN = {common_name}
+
+    [ v3_ca ]
+    subjectKeyIdentifier   = hash
+    authorityKeyIdentifier = keyid:always,issuer:always
+    basicConstraints       = CA:TRUE
+    keyUsage               = digitalSignature, keyCertSign, cRLSign
+    """
+
+    config_path = os.path.join(ca_dir, 'openssl.cnf')
+    with open(config_path, 'w') as f:
+        f.write(openssl_cnf.strip())
+
     # 生成CA私钥
     subprocess.run([
         'openssl', 'genrsa', '-out', key_path, str(key_size)
     ], check=True)
 
-    # 生成CA自签名证书
+    # 生成CA自签名证书（使用配置文件）
     subprocess.run([
         'openssl', 'req', '-new', '-x509', '-days', str(days_valid),
         '-key', key_path, '-out', cert_path,
-        '-subj', f'/CN={common_name}/O={organization}/OU={organizational_unit}/C={country}/ST={state}/L={locality}'
+        '-config', config_path
     ], check=True)
 
     # 保存到数据库
@@ -362,14 +389,8 @@ default_bits = {key_size}
 prompt = no
 default_md = sha256
 distinguished_name = dn
-"""
+req_extensions = req_ext
 
-    # 只有在有SAN时才添加扩展部分
-    has_san = bool(san_dns or san_ip)
-    if has_san:
-        csr_config += "req_extensions = req_ext\n"
-
-    csr_config += f"""
 [dn]
 CN = {common_name}
 O = {organization}
@@ -377,26 +398,25 @@ OU = {organizational_unit}
 C = {country}
 ST = {state}
 L = {locality}
-"""
 
-    if has_san:
-        csr_config += """
 [req_ext]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
 subjectAltName = @alt_names
+extendedKeyUsage = serverAuth, clientAuth
 
 [alt_names]"""
 
-        # 添加DNS SAN条目
+    # 添加SAN条目
-        if san_dns:
+    if san_dns:
-            dns_entries = [dns.strip() for dns in san_dns.split(',') if dns.strip()]
+        dns_entries = [dns.strip() for dns in san_dns.split(',') if dns.strip()]
-            for i, dns in enumerate(dns_entries, 1):
+        for i, dns in enumerate(dns_entries, 1):
-                csr_config += f"\nDNS.{i} = {dns}"
+            csr_config += f"\nDNS.{i} = {dns}"
 
-        # 添加IP SAN条目
+    if san_ip:
-        if san_ip:
+        ip_entries = [ip.strip() for ip in san_ip.split(',') if ip.strip()]
-            ip_entries = [ip.strip() for ip in san_ip.split(',') if ip.strip()]
+        for i, ip in enumerate(ip_entries, 1):
-            for i, ip in enumerate(ip_entries, 1):
+            csr_config += f"\nIP.{i} = {ip}"
-                csr_config += f"\nIP.{i} = {ip}"
 
     # 确保配置文件不以空行结尾
     csr_config = csr_config.strip()
@@ -417,12 +437,34 @@ subjectAltName = @alt_names
         print(csr_config)
         return None
 
-    # 使用CA签名证书
+    # 使用CA签名证书（添加-extfile参数）
     try:
+        # 创建扩展配置文件
+        ext_config = f"""
+        authorityKeyIdentifier=keyid,issuer
+        basicConstraints=CA:FALSE
+        keyUsage=digitalSignature, keyEncipherment
+        extendedKeyUsage=serverAuth, clientAuth
+        subjectAltName=@alt_names
+
+        [alt_names]"""
+
+        if san_dns:
+            for i, dns in enumerate(dns_entries, 1):
+                ext_config += f"\nDNS.{i} = {dns}"
+
+        if san_ip:
+            for i, ip in enumerate(ip_entries, 1):
+                ext_config += f"\nIP.{i} = {ip}"
+
+        ext_path = os.path.join(cert_dir, 'ext.cnf')
+        with open(ext_path, 'w') as f:
+            f.write(ext_config.strip())
+
         subprocess.run([
             'openssl', 'x509', '-req', '-in', csr_path, '-CA', ca['cert_path'],
             '-CAkey', ca['key_path'], '-CAcreateserial', '-out', cert_path,
-            '-days', str(days_valid), '-sha256'
+            '-days', str(days_valid), '-sha256', '-extfile', ext_path
         ], check=True)
     except subprocess.CalledProcessError as e:
         print(f"签名证书错误: {e}")