修复根证书信任问题

app.py

@@ -385,34 +385,44 @@ def create_certificate(ca_id, common_name, san_dns, san_ip, organization, organi
 
     # 创建CSR配置文件
     csr_config = f"""[req]
-default_bits = {key_size}
+    default_bits = {key_size}
-prompt = no
+    prompt = no
-default_md = sha256
+    default_md = sha256
-distinguished_name = dn
+    distinguished_name = dn
-req_extensions = req_ext
+    """
 
-[dn]
+    # 只有在有SAN时才添加扩展部分
-CN = {common_name}
+    has_san = bool(san_dns or san_ip)
-O = {organization}
+    if has_san:
-OU = {organizational_unit}
+        csr_config += "req_extensions = req_ext\n"
-C = {country}
-ST = {state}
-L = {locality}
 
-[req_ext]
+    csr_config += f"""
-basicConstraints = CA:FALSE
+    [dn]
-keyUsage = digitalSignature, keyEncipherment
+    CN = {common_name}
-subjectAltName = @alt_names
+    O = {organization}
-extendedKeyUsage = serverAuth, clientAuth
+    OU = {organizational_unit}
+    C = {country}
+    ST = {state}
+    L = {locality}
+    """
 
-[alt_names]"""
+    if has_san:
+        csr_config += """
+    [req_ext]
+    basicConstraints = CA:FALSE
+    keyUsage = digitalSignature, keyEncipherment
+    subjectAltName = @alt_names
+    extendedKeyUsage = serverAuth, clientAuth
 
-    # 添加SAN条目
+    [alt_names]"""
+
+        # 添加DNS SAN条目
         if san_dns:
             dns_entries = [dns.strip() for dns in san_dns.split(',') if dns.strip()]
             for i, dns in enumerate(dns_entries, 1):
                 csr_config += f"\nDNS.{i} = {dns}"
 
+        # 添加IP SAN条目
         if san_ip:
             ip_entries = [ip.strip() for ip in san_ip.split(',') if ip.strip()]
             for i, ip in enumerate(ip_entries, 1):