Generating certificates

hknaruto.com

Reference

openssl CA.sh: create a custom CA, issue an HTTPS certificate and configure it in Nginx, working with IE and Chrome

https://hknaruto.blog.csdn.net/article/details/79556245

Configuring the trusted root certificate

Testing access with curl

[yeqiang@localhost openssl-CA]$ curl -vv https://www.hknaruto.com
*   Trying 127.0.0.1:443...
* TCP_NODELAY set
* Connected to www.hknaruto.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Note this line in the output, which tells us which CA bundle curl consults:

CAfile: /etc/pki/tls/certs/ca-bundle.crt

Export the root certificate as ca.pem

[yeqiang@localhost openssl-CA]$ openssl x509 -in demoCA/cacert.pem -out ca.pem

View the root certificate ca.pem

[yeqiang@localhost openssl-CA]$ cat ca.pem 
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Switch to root and append the root certificate to the trusted root certificate bundle. On RHEL/CentOS/Fedora this file is generated by update-ca-trust from the anchors in /etc/pki/ca-trust/source/anchors/ and is overwritten the next time that runs, so appending directly is fine for a quick test, but the durable way is to copy ca.pem into that anchors directory and run update-ca-trust extract.

[yeqiang@localhost openssl-CA]$ sudo su
[sudo] password for yeqiang: 
[root@localhost openssl-CA]# cat ca.pem >> /etc/pki/tls/certs/ca-bundle.crt

Test with curl again

[yeqiang@localhost openssl-CA]$ curl -vv https://www.hknaruto.com
*   Trying 127.0.0.1:443...
* TCP_NODELAY set
* Connected to www.hknaruto.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=CS; ST=Hunan; L=Changsha; O=gw; OU=dev; CN=*.hknaruto.com
*  start date: Aug  4 06:26:26 2020 GMT
*  expire date: Aug  2 06:26:26 2030 GMT
*  subjectAltName: host "www.hknaruto.com" matched cert's "*.hknaruto.com"
*  issuer: C=CS; ST=Hunan; O=gw; OU=dev; CN=opensslCA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.hknaruto.com
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.19.1
< Date: Tue, 04 Aug 2020 06:50:48 GMT
< Content-Type: text/html
< Content-Length: 0
< Last-Modified: Thu, 19 Mar 2020 06:39:39 GMT
< Connection: keep-alive
< ETag: "5e7313ab-0"
< Accept-Ranges: bytes
< 
* Connection #0 to host www.hknaruto.com left intact

The test succeeds: curl now builds the chain up to the opensslCA root and reports "SSL certificate verify ok", and the wildcard SAN *.hknaruto.com matches the requested host.

Testing with Chrome

Chrome reports an error:

Your connection is not private
Attackers might be trying to steal your information from www.hknaruto.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID

This approach does not cover Chrome. Chrome on Linux does not read /etc/pki/tls/certs/ca-bundle.crt (the OpenSSL bundle curl uses); it verifies server certificates against its own NSS database in $HOME/.pki/nssdb, so appending ca.pem to the bundle changes nothing for it. NET::ERR_CERT_AUTHORITY_INVALID means only that the issuer is untrusted, not that the certificate is malformed (the SAN is present, as the curl output shows). To make Chrome trust the CA, import ca.pem into that NSS database with certutil from the nss-tools package, e.g. certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n opensslCA -i ca.pem, and restart the browser.
