openssl CA.sh creates a self-signed certificate; this post shows how to make Fedora Linux trust it as a root by adding the root certificate to the trust-store bundle /etc/pki/tls/certs/ca-bundle.crt.

Tags: openssl, linux, CA.sh, tls
Category: certificate generation
hknaruto.com
Reference
openssl CA.sh creates a custom CA, issues an https certificate and configures it in Nginx; supports IE and Chrome.
https://hknaruto.blog.csdn.net/article/details/79556245
Configuring the trusted root
Test access with curl
[yeqiang@localhost openssl-CA]$ curl -vv https://www.hknaruto.com
*   Trying 127.0.0.1:443...
* TCP_NODELAY set
* Connected to www.hknaruto.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

From the log, the CA bundle curl verifies against:
CAfile: /etc/pki/tls/certs/ca-bundle.crt

Export the root certificate ca.pem
[yeqiang@localhost openssl-CA]$ openssl x509 -in demoCA/cacert.pem -out ca.pem

View the root certificate ca.pem
[yeqiang@localhost openssl-CA]$ cat ca.pem 
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Switch to root and append the root certificate to the trusted-root list bundle file
[yeqiang@localhost openssl-CA]$ sudo su
[sudo] password for yeqiang: 
[root@localhost openssl-CA]# cat ca.pem >> /etc/pki/tls/certs/ca-bundle.crt

Test with curl
[yeqiang@localhost openssl-CA]$ curl -vv https://www.hknaruto.com
*   Trying 127.0.0.1:443...
* TCP_NODELAY set
* Connected to www.hknaruto.com (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=CS; ST=Hunan; L=Changsha; O=gw; OU=dev; CN=*.hknaruto.com
*  start date: Aug  4 06:26:26 2020 GMT
*  expire date: Aug  2 06:26:26 2030 GMT
*  subjectAltName: host "www.hknaruto.com" matched cert's "*.hknaruto.com"
*  issuer: C=CS; ST=Hunan; O=gw; OU=dev; CN=opensslCA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.hknaruto.com
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.19.1
< Date: Tue, 04 Aug 2020 06:50:48 GMT
< Content-Type: text/html
< Content-Length: 0
< Last-Modified: Thu, 19 Mar 2020 06:39:39 GMT
< Connection: keep-alive
< ETag: "5e7313ab-0"
< Accept-Ranges: bytes
< 
* Connection #0 to host www.hknaruto.com left intact

Test succeeded.
Test with Chrome
An error is reported:
Your connection is not private
Attackers might be trying to steal your information from www.hknaruto.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID

Help improve Safe Browsing by sending some system information and page content to Google. Privacy policy

This project does not support Chrome.
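The `cat ca.pem >> ca-bundle.crt` step above is what makes curl pass, but on Fedora that bundle is a symlink into /etc/pki/ca-trust/extracted/ and is regenerated by update-ca-trust, so a hand-appended copy disappears on the next regeneration; it also does nothing for Chrome, which on Linux consults the NSS database in the user's profile rather than ca-bundle.crt, which is why the Chrome test still fails. The script below is an added example, not code from the original post: it installs the CA through Fedora's anchor directory, checks idempotently whether a bundle already contains the CA (the plain append adds a duplicate every time it is rerun), verifies a server certificate the way curl does, shows the per-command `--cacert` alternative to system-wide trust, and adds the CA to Chrome's NSS database. The file names ca.pem and server.crt, the script name trust-ca.sh and the nickname opensslCA (the issuer CN from the curl output above) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Trusts a private CA on
# Fedora through the supported anchor directory instead of appending to
# ca-bundle.crt, checks that a bundle really contains the CA, verifies a
# server certificate against the system bundle, and adds the same CA to the
# NSS database Chrome reads. File names (ca.pem, server.crt) and the
# nickname "opensslCA" (the issuer CN in the post's curl output) are assumed.

# Number of PEM certificate blocks in a file (prints 0 for none).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# One line per certificate: the base64 body with all whitespace removed, so
# two copies of the same certificate compare equal however they are wrapped.
pem_blocks() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inblk = 1; next }
        /-----END CERTIFICATE-----/   { print body; inblk = 0; next }
        inblk                         { gsub(/[[:space:]]/, ""); body = body $0 }
    ' "$1"
}

# Succeeds only if every certificate in $1 is already present in bundle $2.
bundle_has_cert() {
    cert=$1 bundle=$2
    [ "$(pem_cert_count "$cert")" -gt 0 ] || return 1
    pem_blocks "$cert" | while IFS= read -r blk; do
        pem_blocks "$bundle" | grep -qxF -- "$blk" || exit 1
    done
}

# Append the CA to a bundle only once; the post's `cat ca.pem >> ca-bundle.crt`
# adds another copy every time it is rerun.
bundle_add_once() {
    bundle_has_cert "$1" "$2" && return 0
    cat "$1" >> "$2"
}

# Fedora's supported path: install the anchor and regenerate the extracted
# bundles. /etc/pki/tls/certs/ca-bundle.crt is a symlink into
# /etc/pki/ca-trust/extracted/, so a hand-edited copy is overwritten the next
# time update-ca-trust runs (for example on a ca-certificates update).
install_ca_fedora() {
    sudo install -m 0644 "$1" /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust extract
    bundle_has_cert "$1" /etc/pki/tls/certs/ca-bundle.crt
}

# What curl's "SSL certificate verify ok" amounts to: the chain must end at an
# anchor in the system bundle and the SAN must cover the host name.
verify_server_cert() {
    openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt \
        -verify_hostname "$2" "$1"
}

# Narrower alternative to system-wide trust: hand the CA to one client only.
# Any certificate the private CA key signs is then accepted by this command
# alone rather than by every TLS client on the machine.
curl_with_private_ca() {
    curl --cacert "$1" -sS -o /dev/null -w '%{http_code}\n' "$2"
}

# Chrome on Linux does not read ca-bundle.crt; it consults the NSS database
# in the user's profile, which is why the post's Chrome test still fails
# after the bundle edit. certutil comes from the nss-tools package.
install_ca_chrome_nss() {
    nick=${2:-opensslCA}
    certutil -d "sql:$HOME/.pki/nssdb" -A -t "C,," -n "$nick" -i "$1"
    certutil -d "sql:$HOME/.pki/nssdb" -L | grep -F -- "$nick"
}

case "${1-}" in
    install) install_ca_fedora "$2" ;;
    verify)  verify_server_cert "$2" "$3" ;;
    curl)    curl_with_private_ca "$2" "$3" ;;
    chrome)  install_ca_chrome_nss "$2" "${3-}" ;;
    "")      ;;   # no arguments: only define the functions (so the file can be sourced)
    *)       echo "usage: $0 install CA | verify CERT HOST | curl CA URL | chrome CA [NICK]" >&2 ;;
esac
```

Typical use with the assumed file names: `sh trust-ca.sh install ca.pem`, then `sh trust-ca.sh verify server.crt www.hknaruto.com`, and `sh trust-ca.sh chrome ca.pem` for Chrome. The bundle helpers never touch the system path themselves; point `bundle_add_once` at a private copy of the bundle if you still prefer the append approach, so reruns stay idempotent.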
