CA cert is only added to ca-bundle-trust.crt

Env:

Red Hat Enterprise Linux Server release 7.7 (Maipo)
# openssl version
OpenSSL 1.0.2g  1 Mar 2016

So I generated a self-signed certificate with OpenSSL and placed cacert.pem under /etc/pki/ca-trust/source/anchors/.

Now, according to the update-ca-trust man page, you should run that command to add the certificate to the trust store, and it will add the certificate under /etc/pki/ca-trust/extracted/.

After running the above command, I see that the certificate is only added to /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt. But most applications (e.g. curl) point to the OS CA trust at /etc/pki/ca-trust/extracted/openssl/ca-bundle.crt, which is linked to /etc/pki/tls/certs/ca-bundle.crt

curl -v https://172.21.19.92/api
* About to connect() to 172.21.19.92 port 443 (#0)
*   Trying 172.21.19.92...
* Connected to 172.21.19.92 (172.21.19.92) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt

I know that passing the --cacert option is one way to get around this, but I want to know why update-ca-trust only updates ca-bundle-trust.crt and not ca-bundle.crt or the extracted Java keystore; there is also /etc/pki/ca-trust/extracted/java/cacerts

limei2009 answered: CA cert is only added to ca-bundle-trust.crt

The actual command that imports certificates into /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem is:

/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem

So the filter here is --filter=ca-anchors plus --purpose server-auth. When generating the certificate you must explicitly add the purpose extendedKeyUsage=serverAuth:

openssl x509 -req -in $SRV_NAME.csr -CA $CA_NAME.crt -CAkey $CA_NAME.key -passin pass:"$PASS" -out $SRV_NAME.crt \
  -days 3650 -CAcreateserial \
  -extensions v3_ca \
  -extfile <(echo "[v3_ca]"; echo "extendedKeyUsage=serverAuth"; echo "subjectAltName=$SRV_DNS_NAMES_TEXT,email:$SRV_EMAIL")
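As an added check, not part of limei2009's answer: the script below builds two throwaway CA certificates with openssl req, one with extendedKeyUsage=serverAuth and one without, and reports which one carries the "TLS Web Server Authentication" purpose the answer says the p11-kit server-auth filter expects. It assumes openssl is on PATH and uses a temporary config file instead of the <(...) process substitution so that it runs in plain sh.

```shell
#!/bin/sh
# Added example (not from the original post): compare a CA cert built with
# extendedKeyUsage=serverAuth against one built without it, before either
# would be dropped into /etc/pki/ca-trust/source/anchors/.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME EKU: writes $WORK/NAME.key and $WORK/NAME.crt.
# EKU may be empty, in which case no extendedKeyUsage extension is emitted.
make_ca() {
  name="$1"; eku="$2"
  cat > "$WORK/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
${eku:+extendedKeyUsage = $eku}
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
    -config "$WORK/$name.cnf" 2>/dev/null
}

# has_server_auth CERT: succeeds when the certificate lists the serverAuth EKU.
has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# eku_summary CERT: prints "serverAuth" or "none" for quick inspection of an anchor.
eku_summary() {
  if has_server_auth "$1"; then echo serverAuth; else echo none; fi
}

make_ca with-eku serverAuth
make_ca no-eku ""
echo "with-eku: $(eku_summary "$WORK/with-eku.crt")"   # with-eku: serverAuth
echo "no-eku:   $(eku_summary "$WORK/no-eku.crt")"     # no-eku:   none
```

Run the same eku_summary check on your own cacert.pem to see which of the two cases it falls into before running update-ca-trust.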