I am following these instructions to install a self-signed certificate. Specifically:
Create a localhost.conf file with the following content:
[req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
Then:
$ lsb_release -d
Description: Debian GNU/Linux 11 (bullseye)
$ openssl version
OpenSSL 1.1.1k 25 Mar 2021
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf -subj '/CN=localhost'
Generating a RSA private key
...+++++
...........................................................+++++
writing new private key to 'localhost.key'
-----
$ openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
Enter Export Password: (empty password)
Verifying - Enter Export Password: (empty password)
$ sudo cp localhost.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Adding debian:localhost.pem
done.
done.
$ openssl verify localhost.crt
CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed
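I thought the last command should verify the certificate successfully, since the certificate should be installed among the CA keys (i.e. trusted), but it does not. Am I missing something obvious here?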
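Added example, not part of the original post: a static lint of the extension sections of the localhost.conf above, checking two rules that hold independently of the verify result: RFC 5280 section 4.2.1.9 forbids keyCertSign when cA is not asserted, and an IP address belongs in an IP.n subjectAltName entry rather than a DNS.n entry. The function name lint_openssl_conf and the finding texts are hypothetical; the checks do not run OpenSSL and say nothing about the trust-store lookup.

```python
import configparser
import ipaddress

# Extension-related sections copied from the localhost.conf shown in the post.
LOCALHOST_CONF = """\
[req]
x509_extensions = v3_ca
[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
"""

def _tokens(value):
    return [t.strip() for t in value.split(",") if t.strip()]

def lint_openssl_conf(text):
    """Lint the section named by [req] x509_extensions (hypothetical helper)."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case: keyUsage, DNS.1, ...
    cfg.read_string(text)
    section = cfg[cfg["req"]["x509_extensions"].strip()]
    bc = [t.lower() for t in _tokens(section.get("basicConstraints", ""))]
    ku = _tokens(section.get("keyUsage", ""))
    findings = []
    # RFC 5280 4.2.1.9: keyCertSign must not be asserted unless cA is true.
    if "keyCertSign" in ku and "ca:true" not in bc:
        findings.append("keyUsage asserts keyCertSign but basicConstraints is not CA:true")
    # subjectAltName is either "@section" or an inline "DNS:a, IP:b" list.
    san = section.get("subjectAltName", "").strip()
    if san.startswith("@"):
        entries = [(k.split(".")[0], v.strip()) for k, v in cfg[san[1:]].items()]
    else:
        entries = [tuple(p.strip() for p in t.split(":", 1)) for t in _tokens(san) if ":" in t]
    for kind, value in entries:
        if kind != "DNS":
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue  # a real host name, nothing to report
        findings.append(f"SAN DNS entry {value!r} is an IP literal; use an IP.n entry")
    return findings

if __name__ == "__main__":
    for finding in lint_openssl_conf(LOCALHOST_CONF):
        print(finding)
```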