I am following these instructions to install a self-signed certificate. Specifically:
Create a localhost.conf file with the following content:
[req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature, keyEncipherment
[alt_names]
DNS.1 = localhost
# 127.0.0.1 is an IP literal; OpenSSL encodes a DNS.N entry as a hostname string, an IP.N entry as an iPAddress
DNS.2 = 127.0.0.1
Then:
$ lsb_release -d
Description: Debian GNU/Linux 11 (bullseye)
$ openssl version
OpenSSL 1.1.1k 25 Mar 2021
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf -subj '/CN=localhost'
Generating a RSA private key
...+++++
...........................................................+++++
writing new private key to 'localhost.key'
-----
$ openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
Enter Export Password: (empty password)
Verifying - Enter Export Password: (empty password)
$ sudo cp localhost.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Adding debian:localhost.pem
done.
done.
$ openssl verify localhost.crt
CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed
I would expect the last command to verify the certificate successfully, since it should now be installed among the CA keys (i.e. trusted), but that is not the case. Am I missing something obvious here?
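The following script is an added example, not part of the original post. It regenerates a self-signed localhost certificate in a scratch directory (assumption: openssl on PATH and a temporary directory from mktemp, overridable with WORK=) and runs the checks that separate "the certificate itself is sound" from "the default trust store does not contain it": verification with the trust anchor named explicitly, verification against the default store exactly as the post does, the OPENSSLDIR the default store lives under, the hashed filename that store would need, and the SAN as actually encoded. The config keeps the post's key usage values but writes the loopback address as IP.1 instead of DNS.2, so the iPAddress entry is encoded as an address rather than a hostname string.

```shell
#!/bin/sh
# Added example (not from the original post): generate a self-signed localhost
# certificate in a scratch directory and run the diagnostics that tell a sound
# certificate apart from a trust store that does not contain it.
# Assumptions: openssl on PATH; WORK is a scratch directory (mktemp -d by default).
set -eu

WORK="${WORK:-$(mktemp -d)}"
CONF="$WORK/localhost.conf"
KEY="$WORK/localhost.key"
CRT="$WORK/localhost.crt"

# Same shape as the config in the post, with two changes: prompt = no so the
# DN is taken from the file, and the loopback address written as IP.1 (an IP
# literal under DNS.N is stored as a hostname string, which no client matches
# against an address).
write_conf() {
    cat > "$CONF" <<'EOF'
[req]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_self_signed

[req_distinguished_name]
CN = localhost

[v3_self_signed]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature, keyEncipherment

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
}

make_cert() {
    write_conf
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$KEY" -out "$CRT" -config "$CONF" 2>/dev/null
}

# Verify with the trust anchor passed explicitly. This exercises only the
# certificate itself (signature, validity period, self-signed handling),
# not the system store.
verify_explicit() {
    openssl verify -CAfile "$CRT" "$CRT"
}

# Verify against the default store only, exactly as the post does. Succeeds
# only if a copy of this certificate is reachable from OPENSSLDIR/certs.
verify_default() {
    openssl verify "$CRT"
}

# The filename OpenSSL looks for in a hashed certificate directory: <subject_hash>.0
subject_hash() {
    openssl x509 -noout -subject_hash -in "$CRT"
}

# Where the default store actually lives for this build (e.g. /usr/lib/ssl).
openssl_dir() {
    openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/'
}

demo() {
    make_cert
    echo "--- explicit trust anchor:"
    verify_explicit
    echo "--- default store (OPENSSLDIR = $(openssl_dir)):"
    verify_default || echo "not trusted by the default store"
    h=$(subject_hash)
    echo "--- hashed link the default store would need: $(openssl_dir)/certs/$h.0"
    ls -l "$(openssl_dir)/certs/$h.0" 2>/dev/null || echo "no such link"
    echo "--- SAN as encoded:"
    openssl x509 -noout -text -in "$CRT" | grep -A1 'Subject Alternative Name'
}

demo
```

Running it on a machine where the certificate has not been installed shows the explicit verification succeeding while the default-store verification fails with the same error 18 as in the post; comparing the printed hashed filename with what exists under OPENSSLDIR/certs is the first thing to check after update-ca-certificates.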