I used the tool at this link to generate a self-signed certificate for a Windows web server.
The command used to generate the certificate is shown below:
New-SelfSignedCertificateEx -Subject "CN=192.168.56.111" -SAN "192.168.56.111" -IsCA $true -EKU "Server Authentication", "Client Authentication" -KeyLength 2048 -KeySpec "Signature" -KeyUsage "DigitalSignature" -FriendlyName "192.168.56.111" -NotAfter $([datetime]::now.AddYears(5)) -StoreLocation "LocalMachine" -Exportable
After installing the certificate with IIS and adding it to the Trusted Root CA store on a Windows 10 client, I can browse the site with no certificate errors.
However, when I try to do the same on an Ubuntu 18.04 client, by installing the certificate into the CA certificate store and testing with cURL, it does not work.
Installing the certificate into the Ubuntu ca-certificates store:
openssl s_client -connect 192.168.56.111:443 -showcerts > out.txt
#then use vim to edit out.txt and save the cert to 192.168.56.111.crt
sudo cp 192.168.56.111.crt /usr/local/share/ca-certificates
sudo update-ca-certificates
Testing the connection with cURL:
curl https://192.168.56.111
and I get the error message:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
When I add the certificate to Chrome's certificate store, Chrome shows NET::ERR_CERT_INVALID.
So my question is: why does it work on the Windows client but not on Ubuntu 18.04? I can't see any error indicating what is wrong with the certificate on Ubuntu, so I'm currently stuck.
Your openssl command is not correct:
jonathan.muller@jonathan-muller-C02ZC4EPLVDQ$ openssl s_client -connect drylm.org:443 -showcerts
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = blog.drylm.org
verify return:1
---
Certificate chain
0 s:/CN=blog.drylm.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFUzCCBDugAwIBAgISA0xYp5ZHU+NGF1EW/RcUuV0fMA0GCSqGSIb3DQEBCwUA
...
There is a lot of noise in that output. Here is how to extract the certificate:
echo | openssl s_client -connect 192.168.56.111:443 2>/dev/null | openssl x509 > 192.168.56.111.pem
You can copy this PEM file into the trust store.
Edit:
I just tried it out by creating a self-signed certificate on this site.
In my shell:
john@kona$ curl https://test.drylm.org
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Then:
john@kona$ echo | openssl s_client -connect test.drylm.org:443 2>/dev/null | openssl x509 > test.drylm.org.crt
sudo cp test.drylm.org.crt /usr/local/share/ca-certificates/
john@kona$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Adding debian:test.drylm.org.pem
done.
done.
Finally:
john@kona$ curl https://test.drylm.org
Path : ~
No more error message from curl.
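The two steps the answer describes (strip the s_client noise down to the server's own PEM block, then stage it for update-ca-certificates) as an added shell example, not code from the question or the answer. It assumes the Ubuntu layout the answer uses, where update-ca-certificates only picks up files under /usr/local/share/ca-certificates whose name ends in .crt, and the destination directory is parameterised so it can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example; not part of the original post. Assumes Ubuntu's
# update-ca-certificates, which only reads *.crt files from
# /usr/local/share/ca-certificates (a .pem there is silently ignored).

# Keep only the first PEM certificate block (the server's own certificate)
# from `openssl s_client -showcerts` output; depth/verify lines, the
# "Certificate chain" header and any further chain certs are dropped.
first_cert_block() {
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
       p { print }
       /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Stage a single-certificate PEM file into the local trust directory under
# a .crt name. $1 = source PEM, $2 = host or IP used for the file name,
# $3 = destination directory (defaults to the real one; override for tests).
# Refuses files that hold zero or several certificates, so a raw s_client
# capture or a whole chain is not mistaken for the trust anchor.
stage_local_ca() {
  src="$1"; name="$2"; dest="${3:-/usr/local/share/ca-certificates}"
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$src" || true)
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one certificate in $src, found $n" >&2
    return 1
  fi
  cp "$src" "$dest/$name.crt"
  echo "$dest/$name.crt"
}

# Real-world use (needs root for the copy and the update):
#   echo | openssl s_client -connect 192.168.56.111:443 2>/dev/null \
#     | first_cert_block > server.pem
#   sudo sh -c '. ./thisfile.sh; stage_local_ca server.pem 192.168.56.111'
#   sudo update-ca-certificates
```

The self-signed certificate in the question was generated with -IsCA $true, so its leaf block is also the issuer, which is why trusting that single block is enough for curl on Ubuntu.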