我正在尝试为我的网络服务器创建自签名证书,但进展不顺利。标题是当我
curl --noproxy "*" https://example.com
在网络服务器上运行(example.com 是我的网络服务器的域名)时 curl 给出的错误消息。它是一个 FQDN 并且可解析。
wget --no-proxy https://example.com让我
Resolving example.com (example.com)... 127.0.1.1
Connecting to example.com (example.com)|127.0.1.1|:443... connected.
ERROR: certificate common name ‘’ doesn't match requested host name ‘example.com’.
显然,它“无法获取我的证书的通用名称”。但我不明白为什么。
我使用这个名为 server.cnf 的 .cnf 文件生成了服务器证书:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName= <country>
stateOrProvinceName= <province>
localityName= <locality>
organizationName= <organization>
organizationalUnitName= <ou>
commonName= example.com
[alt_names]
DNS.1 = example.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
使用以下命令:
sudo certtool --generate-certificate \
--load-privkey /etc/ssl/web_domain_keys/server_key.pem \
--load-ca-certificate /etc/ssl/certs/CA_cert.pem \
--load-ca-privkey /etc/ssl/private/CA_key.pem \
--template /usr/lib/ssl/server.cnf \
--outfile /etc/ssl/server_cert.pem
当我运行时openssl s_client -connect example.com:443主题名称是空白的,但我不知道这是为什么:
depth=1 CN = ca.example.com
verify return:1
depth=0
verify return:1
---
Certificate chain
0 s:
i:CN = ca.example.com
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
v:NotBefore: Mar 5 13:54:23 2024 GMT; NotAfter: Mar 5 13:54:23 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<correct certificate>
-----END CERTIFICATE-----
subject=
issuer=CN = ca.example.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits```