I am trying to add a CA certificate to OpenBSD.
- I have copied company.crt to /etc/ssl/private
- I have created the .0 file from the certificate (using openssl x509 -hash -noout -in company.crt)
- I ran openssl verify -CApath /etc/ssl/private/ company.crt and that works fine; result: company.crt: OK
However, when I try: curl -vi https://company.example/
I get:
* Trying 192.168.XXX.XXX...
* TCP_NODELAY set
* Connected to company.example (192.168.XXX.XXX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
From what I gather from the message, curl looks in /etc/ssl/cert.pem. I could add the .crt to that file, but a) I don't know what the proper way to do that is, and b) won't it be removed whenever I update all the root certificates? I would prefer to keep our own certificates in a separate location. So far, apart from the fact that a .0 file is apparently needed, I haven't been able to find much on Google. But how to actually use that certificate afterwards is nowhere to be found.
Oh, and the link given in the error message (https://curl.haxx.se/docs/sslcerts.html) is not very helpful.
To be clear, this is what I do on a Debian machine, and it works fine:
- copy company.crt to /usr/local/share/ca-certificates/company (the company directory has chmod 755 and company.crt has chmod 644)
- run update-ca-certificates
- ...
- profit
Answer 1
You can append the certificate to the end of /etc/ssl/cert.pem:
# cat mycert.pem >> /etc/ssl/cert.pem
It will be preserved across updates (see man sysmerge).
Note that sometimes this file is ignored (e.g. some browsers only trust their own CA store).
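The curl trace above shows `CAfile: /etc/ssl/cert.pem` and `CApath: none`, so the hashed `.0` symlink in /etc/ssl/private is never consulted by curl; only the bundle file matters. Appending with a bare `cat >>` as in the answer works, but it will glue the new `-----BEGIN CERTIFICATE-----` onto the bundle's last line if the bundle happens to lack a trailing newline, and running it twice leaves duplicate entries. The following POSIX shell functions are an added example (not part of the original question or answer) that append a PEM certificate to a bundle idempotently, using the bundle and certificate paths you pass in; the paths in the usage comment are the ones from this page and are only illustrative:

```shell
#!/bin/sh
# Idempotent "append a CA to a PEM bundle" helper (added example, not from the page).
# Usage (as root, after copying the CA to /etc/ssl/private as in the question):
#   add_ca_to_bundle /etc/ssl/cert.pem /etc/ssl/private/company.crt
# Afterwards, verify against the same file curl uses:
#   openssl verify -CAfile /etc/ssl/cert.pem /etc/ssl/private/company.crt

# pem_body FILE: print the base64 payload of the first CERTIFICATE block in FILE
# as a single line (header/footer stripped), for exact comparison.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { f = 1; next }
         /-----END CERTIFICATE-----/   { f = 0; exit }
         f                            { printf "%s", $0 }' "$1"
}

# bundle_has_cert BUNDLE CERT: exit 0 if BUNDLE already contains CERT's payload.
# The bundle is split into CERTIFICATE blocks and each payload is compared whole,
# so a certificate that merely shares a prefix with another does not match.
bundle_has_cert() {
    want=$(pem_body "$2")
    [ -n "$want" ] || return 1
    awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ { f = 1; b = ""; next }
        /-----END CERTIFICATE-----/   { f = 0; if (b == want) { found = 1; exit } }
        f                            { b = b $0 }
        END                          { exit (found ? 0 : 1) }' "$1"
}

# add_ca_to_bundle BUNDLE CERT: append CERT to BUNDLE unless it is already there.
# Prints "appended" or "already present"; returns 2 on a bad input file.
add_ca_to_bundle() {
    bundle=$1
    cert=$2
    if [ ! -s "$cert" ]; then
        echo "add_ca_to_bundle: missing or empty certificate file: $cert" >&2
        return 2
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "add_ca_to_bundle: $cert is not a PEM certificate (DER? use openssl x509 -inform DER to convert)" >&2
        return 2
    fi
    # Create the bundle if it does not exist yet (real systems already have /etc/ssl/cert.pem).
    [ -f "$bundle" ] || : > "$bundle"
    if bundle_has_cert "$bundle" "$cert"; then
        echo "already present"
        return 0
    fi
    # Make sure the bundle ends with a newline before appending, otherwise the new
    # BEGIN line would be joined to the previous END line and the parser would drop it.
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        echo >> "$bundle"
    fi
    cat "$cert" >> "$bundle"
    echo "appended"
}
```

The dedup check compares the base64 payload rather than a fingerprint so the helper does not depend on openssl being present; on a real OpenBSD host, run the `openssl verify -CAfile` line from the usage comment afterwards, since that is the check that exercises the same file curl reads.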