opessl CA.sh生成自签名证书,并把根证书放入Fedora Linux受信任的根证书办法机构配置文件/etc/pki/tls/certs/ca-bundle.crt

其他 2020-08-13 10:18:48 阅读次数: 0

生成证书

hknaruto.com

参考

openssl CA.sh 产生自定义CA,签发https证书,并配置到Nginx,支持IE, Chrome

https://hknaruto.blog.csdn.net/article/details/79556245

配置受信任的根证

curl测试访问

[yeqiang@localhost openssl-CA]$ curl -vv https://www.hknaruto.com
*   Trying 127.0.0.1:443...
* TCP_NODELAY set
* Connected to www.hknaruto.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

注意到其中日志

CAfile: /etc/pki/tls/certs/ca-bundle.crt

导出根证书ca.pem

[yeqiang@localhost openssl-CA]$ openssl x509 -in demoCA/cacert.pem -out ca.pem

查看根证书ca.pem

[yeqiang@localhost openssl-CA]$ cat ca.pem 
-----BEGIN CERTIFICATE-----
MIIDnDCCAoSgAwIBAgIUOzXkTZIKQ4SHhiPxIw03uhuzyvkwDQYJKoZIhvcNAQEL
BQAwTDELMAkGA1UEBhMCQ1MxDjAMBgNVBAgMBUh1bmFuMQswCQYDVQQKDAJndzEM
MAoGA1UECwwDZGV2MRIwEAYDVQQDDAlvcGVuc3NsQ0EwHhcNMjAwODA0MDYyNTE0
WhcNMzAwODAyMDYyNTE0WjBMMQswCQYDVQQGEwJDUzEOMAwGA1UECAwFSHVuYW4x
CzAJBgNVBAoMAmd3MQwwCgYDVQQLDANkZXYxEjAQBgNVBAMMCW9wZW5zc2xDQTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALRx8Gi0yW4M3Rd5N7WsKbLv
X9uDlfm7wVSZxXPJyHRBeuaaN09Jku6cz7acAmTGnDFPZ18HBwuSJV8Cm/tqhnP3
3qNPfZtrHbzKLshdz6+oOI54gITK0iHszHPfh71GDhQeZwxDMta3rzP+VdTPrsO4
m5RF6e4noMddfKAtXo6s0rX+FOS7T17UMeICUfaxIFZIGv4UahbhdwHQNe/uRoE/
RVyZ34q6VrdXD/kgA3C2JTGF3jL042gPwytS0miCuvoi2E6BYGvGpi/QkI4byDRQ
woB2hpk7JiOtQLJl1klGBROP6VALfhtzSRa7xvBz87cFFdNxbPcF00GRApmW6aEC
AwEAAaN2MHQwHQYDVR0OBBYEFFBOBT3XyrPtO9lgY+4sf/7/7DrgMB8GA1UdIwQY
MBaAFFBOBT3XyrPtO9lgY+4sf/7/7DrgMAwGA1UdEwQFMAMBAf8wJAYDVR0RBB0w
G4IOKi5oa25hcnV0by5jb22CCSouYWJjLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
HK6KUekNlJCcs4l4wz7ADP99UE2x4YEmQbpQus/CBUnxUT+BP4O93kAiUtXyNxrj
qK3eSOmB1KJ6pAHua0HmDRKsHqzvplkJ0I7SHl2n4zqfqSpf8k/6esdR1rBa4cL8
MV9Qq8TJRItF3pG+r2R3giRk+Ur5hKK0X1W9YWatoxRQhj65DsXzifC7Kp1kKMNT
bSghMEgQ/rmhY17nfyLIf/u+V1V5bG9BnRMnmDveSUsrI+Pv6RBtv7ei5R5gJPo9
Jo5ecgI3DLezUgdIDOctv2Gp+S8xealB96f+4P5N9VxO3fwbmGPLMN0e8whBWuCF
NGzQWZtwfNemMcmEvb1tEQ==
-----END CERTIFICATE-----

切换root权限,将根证书内容追加到受信任根证书列表配置文件

[yeqiang@localhost openssl-CA]$ sudo su
[sudo] password for yeqiang: 
[root@localhost openssl-CA]# cat ca.pem >> /etc/pki/tls/certs/ca-bundle.crt

测试curl

[yeqiang@localhost openssl-CA]$ curl -vv https://www.hknaruto.com
*   Trying 127.0.0.1:443...
* TCP_NODELAY set
* Connected to www.hknaruto.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=CS; ST=Hunan; L=Changsha; O=gw; OU=dev; CN=*.hknaruto.com
*  start date: Aug  4 06:26:26 2020 GMT
*  expire date: Aug  2 06:26:26 2030 GMT
*  subjectAltName: host "www.hknaruto.com" matched cert's "*.hknaruto.com"
*  issuer: C=CS; ST=Hunan; O=gw; OU=dev; CN=opensslCA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.hknaruto.com
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.19.1
< Date: Tue, 04 Aug 2020 06:50:48 GMT
< Content-Type: text/html
< Content-Length: 0
< Last-Modified: Thu, 19 Mar 2020 06:39:39 GMT
< Connection: keep-alive
< ETag: "5e7313ab-0"
< Accept-Ranges: bytes
< 
* Connection #0 to host www.hknaruto.com left intact

测试成功。

测试chrome

报错

Your connection is not private
Attackers might be trying to steal your information from www.hknaruto.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID

Help improve Safe Browsing by sending some system information and page content to Google. Privacy policy

此方案不支持chrome

猜你喜欢

转载自blog.csdn.net/hknaruto/article/details/107786300
今日推荐
TIOBE 5 月榜单:Fortran “复活”进入 Top 10
GCC 14.1 发布
面壁智能发布 Eurux-8x22B 开源大模型 —— 堪称「理科状元」
开源日报 | 谷歌扶持鸿蒙上位;开源Rabbit R1;Docker加持的安卓手机;微软的焦虑和野心;海尔电器把开放平台关了
中国码农的“35岁魔咒”
蘭雅 CorelDRAW 插件 2024.5.1 国际劳动节版,免费下载
Arc Browser for Windows 1.0 正式 GA
90后程序员开发视频搬运软件、不到一年获利超 700 万,结局很刑!
周排行
Java自定义时间格式
同步整形电路
在开发中最最最常用的字符串的属性大集合
Linux 查看端口占用并杀掉
Java基础四:ArrayList
多线程之死锁就是这么简单
mysql 基础命令集
awk 命令详解
Centos6.3编译安装nginx+php步骤
OCR (Optical Character Recognition,光学字符识别)
每日归档
更多
2024-05-08(42)
2024-05-07(14)
2024-05-06(40)
2024-05-05(0)
2024-05-04(7)
2024-05-03(19)
2024-05-02(0)
2024-05-01(4)
2024-04-30(1)
2024-04-29(40)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022