# 更新至Python 3.13导致的自签名CA出现[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier

# 排查

# Reproduce the failure with OpenSSL's strict X.509 checks. Python 3.13's
# default SSL context enables the equivalent VERIFY_X509_STRICT flag, which is
# why the error only appeared after the interpreter upgrade.
# -CAfile is the trust anchor; the last argument is the leaf cert to verify.
openssl verify -x509_strict -CAfile /data/ca.crt /data/web/web1.crt

# Expected output before the fix: strict mode requires a keyUsage extension on
# CA certificates and the old ca.crt has none.
# error 92 at 1 depth lookup: CA cert does not include key usage extension
# error /data/web/web1.crt: verification failed

# 重新生成CA证书

用原来的 ca.key 重新生成 ca.crt，之后只需替换 ca.crt 即可。由于密钥和主题（Subject）都没有变化，已经颁发的证书仍可正常使用。背景：Python 3.13 的 ssl.create_default_context() 默认开启了 VERIFY_X509_STRICT（相当于 openssl verify 的 -x509_strict），因此 CA 证书必须包含 keyUsage 等扩展。

# 复制一份 openssl.cnf(可选)

# Work on a private copy of the system OpenSSL config instead of editing
# /etc/ssl/openssl.cnf in place. The copy is written to the current directory;
# because it is made with sudo it may end up root-owned, so chown it (or copy
# without sudo -- the source file is normally world-readable) before editing.
sudo cp /etc/ssl/openssl.cnf openssl_ca.cnf

# 调整 openssl.cnf

编辑openssl_ca.cnf并将其中[ v3_ca ]下的keyUsage = cRLSign, keyCertSign解除注释

# Extension section applied to the regenerated CA certificate (selected with
# -extensions v3_ca when signing). In the stock openssl.cnf the keyUsage line
# is commented out; strict verifiers reject a CA certificate without keyUsage,
# so it is enabled here. Keep the other stock v3_ca entries
# (subjectKeyIdentifier, authorityKeyIdentifier, basicConstraints) -- they
# cover the key-identifier and CA:true checks that strict mode also performs.
# RFC 5280 recommends marking keyUsage critical on CA certificates
# (keyUsage = critical, cRLSign, keyCertSign); either form should satisfy the
# strict check shown above.
[ v3_ca ]

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign

# 生成证书请求文件csr(已有csr可忽略)

生成证书请求文件 csr，需要使用原有的 ca.crt 和 ca.key。

# Turn the existing CA certificate back into a CSR so the regenerated CA cert
# keeps the same subject; ca.key must be the private key matching ca.crt.
openssl x509 -x509toreq -in ca.crt -signkey ca.key -out new-ca.csr

# 生成ca证书

# Self-sign the CSR with the original CA key and apply the [ v3_ca ] extensions
# from the edited config (-extfile is required for -extensions to take effect).
# Same key + same subject is why certificates already issued by this CA keep
# verifying against new-ca.crt. -days 3650 gives a ten-year validity.
# Confirm the extensions landed with: openssl x509 -in new-ca.crt -noout -text
openssl x509 -req -days 3650 -extfile openssl_ca.cnf -extensions v3_ca -in new-ca.csr -signkey ca.key -out new-ca.crt

# 测试

# Re-run the strict verification with the regenerated CA as the trust anchor.
openssl verify -x509_strict -CAfile new-ca.crt /data/web/web1.crt

# Expected output after the fix:
# /data/web/web1.crt: OK

# 导入到系统可信CA(可选)

# Optional: add the regenerated CA to the system trust store.
# update-ca-certificates only picks up files ending in .crt from this directory.
# If the old ca.crt was installed here earlier under a different file name,
# remove it as well, otherwise a verifier may still select the old CA
# certificate that lacks keyUsage.
sudo cp new-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
# Sample output. "0 added, 0 removed" means the store did not change -- this is
# what you see when the file was already present from an earlier run; a
# first-time import is expected to report 1 added.
# Updating certificates in /etc/ssl/certs...
# 0 added, 0 removed; done.
# Running hooks in /etc/ca-certificates/update.d...
# Processing triggers for ca-certificates-java (20240118) ...
# done.
# done.

# 参考

https://www.cnblogs.com/liweifeng888/p/18648432
https://superuser.com/questions/738612/openssl-ca-keyusage-extension