环境:
Red Hat Enterprise Linux Server release 7.7 (Maipo)
# openssl version
OpenSSL 1.0.2g 1 Mar 2016
因此使用OpenSSL生成自签名证书并且将cacert.pem置于CCD_ 1下。
现在,根据update-ca-trust的人的说法,应该运行cmd将证书添加到信任存储中,并且证书将添加到/etc/pki/ca-trust/extracted/下。
在运行上述cmd之后,我看到cert仅添加到/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt。但大多数像curl这样的应用程序都在/etc/pki/ca-trust/extracted/openssl/ca-bundle.crt引用了与/etc/pki/tls/certs/ca-bundle.crt链接的OS-ca信任。
curl -v https://172.21.19.92/api
* About to connect() to 172.21.19.92 port 443 (#0)
* Trying 172.21.19.92...
* Connected to 172.21.19.92 (172.21.19.92) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
我知道传递--cacert选项是克服它的一种方法,但我想知道为什么update-ca-trust只更新ca-bundle-trust.crt而不更新/etc/pki/ca-trust/source/anchors/0或java密钥库提取的/etc/pki/ca-trust/extracted/java/cacerts
将证书导入/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem的实际命令是:
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
所以这里的滤波器是--filter=ca-anchors+--purpose server-auth。当你生成证书时,你必须明确地添加目的extendedKeyUsage=serverAuth:
openssl x509 -req -in $SRV_NAME.csr -CA $CA_NAME.crt -CAkey $CA_NAME.key -passin pass:"$PASS" -out $SRV_NAME.crt
-days 3650 -CAcreateserial
-extensions v3_ca
-extfile <(echo "[v3_ca]"; echo "extendedKeyUsage=serverAuth"; echo "subjectAltName=$SRV_DNS_NAMES_TEXT,email:$SRV_EMAIL")