I used openssl on an AWS Linux instance to generate a self-signed CA and a certificate. Then I imported the root certificate into the keystore that the backend application uses to serve HTTPS.
When I run the following command to try to connect to the server,
curl --cacert caroot.cer --capath ~/ca/ --user abc:123 https://localhost:9999
I get the error curl: (77) Problem with the SSL CA cert (path? access rights?).
I performed the same steps on Ubuntu and everything works.
Here is the script:
#!/bin/bash
# Keystore/key password is read from a file named "password" in the current directory
export PW=$(cat password)

echo "generating the key pair and save to the keystore"
# Note: SHA1withRSA is a deprecated signature algorithm; SHA256withRSA is the usual choice today
keytool -genkeypair \
    -alias test \
    -keystore test.jks \
    -dname "CN=localhost, OU=TA, O=S1, L=Toronto, ST=Ontario, C=CA" \
    -keypass "$PW" \
    -storepass "$PW" \
    -keyalg RSA \
    -keysize 4096 \
    -ext KeyUsage:critical="keyCertSign" \
    -ext BasicConstraints:critical="ca:true" \
    -sigalg SHA1withRSA

echo "self-signing the certificate where both owner and issuer are the same as test.jks"
# keytool -export writes DER by default; add -rfc if a PEM file is wanted
keytool -export -alias test -file test_self_signed.cer -keystore test.jks -storepass "$PW"

echo "generating the certificate signing request(CSR) for test.jks"
keytool -certreq -alias test -keystore test.jks -file test.csr -storepass "$PW"

# "set RANDFILE=rand" only sets a positional parameter in bash; the variable must be exported
export RANDFILE=rand

echo "generating CA's private key and CA's CSR"
openssl req -new -keyout cakey.pem -out careq.pem #-config /usr/lib/ssl/openssl.cnf

echo "self-signing CA's certificate"
# -extensions names a section of the file given with -extfile; without -extfile no extensions are added
openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca

# serial number file for -CAserial (hex)
echo 1234 > serial.txt

echo "signing test.csr using CA's certificate and CA's private key"
openssl x509 \
    -CA caroot.cer \
    -CAkey cakey.pem \
    -CAserial serial.txt \
    -req \
    -in test.csr \
    -out test_signed_by_CA.cer \
    -days 365

echo "adding CA's certificate to the keystore"
keytool -import -alias schedule1 -file caroot.cer -keystore test.jks -storepass "$PW"

echo "adding test's certificate signed by CA to the keystore"
keytool -import -alias test -file test_signed_by_CA.cer -keystore test.jks -storepass "$PW"