I can't get multi-client SSL encryption set up. Here is what I have tried (commands are listed in the order I issued them):
To generate the server certificate/key:
openssl req -new -x509 -keyout eda_dev_ca.key -out eda_dev_ca.crt -days 365 -subj '/CN=eda.dev.orgext.global/OU=EDA/O=org/L=ATLANTA/S=GEORGIA/C=US' -passin pass:orgCa -passout pass:orgCa
keytool -genkey -noprompt -alias VA1orgDEIS87.orgext.global -dname "CN=VA1orgDEIS87.orgext.global, OU=EDA, O=org, L=ATLANTA, ST=GEORGIA, C=US" -ext san=dns:VA1orgDEIS87.orgext.global -keystore kafka.restproxy.keystore.jks -keyalg RSA -storepass orgKeyStore -keypass orgKeyStore
keytool -keystore kafka.restproxy.keystore.jks -alias VA1orgDEIS87.orgext.global -certreq -file restproxy.csr -storepass orgKeyStore -keypass orgKeyStore
openssl x509 -req -CA eda_dev_ca.crt -CAkey eda_dev_ca.key -in restproxy.csr -out restproxy-ca1-signed.crt -days 9999 -CAcreateserial -passin pass:orgCa
keytool -noprompt -keystore kafka.restproxy.keystore.jks -alias CARoot -import -file eda_dev_ca.crt -storepass orgKeyStore -keypass orgKeyStore
keytool -noprompt -keystore kafka.restproxy.keystore.jks -alias VA1orgDEIS87.orgext.global -import -file restproxy-ca1-signed.crt -storepass orgKeyStore -keypass orgKeyStore
keytool -noprompt -keystore kafka.restproxy.truststore.jks -alias CARoot -import -file eda_dev_ca.crt -storepass orgKeyStore -keypass orgKeyStore
To generate the client certificate/key:
keytool -genkey -noprompt -alias VA1orgDEIS88.orgext.global -dname "CN=VA1orgDEIS88.orgext.global, OU=EDA, O=org, L=ATLANTA, ST=GEORGIA, C=US" -ext san=dns:VA1orgDEIS88.orgext.global -keystore kafka.restproxy.keystore.jks -keyalg RSA -storepass orgKeyStore -keypass orgKeyStore
keytool -keystore kafka.restproxy.keystore.jks -alias VA1orgDEIS88.orgext.global -certreq -file client88proxy.csr -storepass orgKeyStore -keypass orgKeyStore
openssl x509 -req -CA eda_dev_ca.crt -CAkey eda_dev_ca.key -in client88proxy.csr -out client88proxy-signed.crt -days 9999 -CAcreateserial -passin pass:orgCa
keytool -noprompt -keystore kafka.restproxy.keystore.jks -alias VA1orgDEIS88.orgext.global -import -file client88proxy-signed.crt -storepass orgKeyStore -keypass orgKeyStore
To move the client certificate to the server:
keytool -export -alias VA1orgDEIS88.orgext.global -file client88proxy.der -keystore kafka.restproxy.keystore.jks -storepass orgKeyStore
openssl x509 -inform der -in client88proxy.der -out client88proxy.certificate.pem
keytool -importkeystore -srckeystore kafka.restproxy.keystore.jks -destkeystore client88proxy.keystore.p12 -deststoretype PKCS12 -deststorepass orgKeyStore -srcstorepass orgKeyStore -noprompt
openssl pkcs12 -in client88proxy.keystore.p12 -nodes -nocerts -out client88proxy.key -passin pass:orgKeyStore
The command
curl -vk --key ./client88proxy.key --cert ./client88proxy.certificate.pem --cacert ./restproxy.certificate.pem -X POST -H "Content-Type: application/vnd.kafka.json.v2+json" -H "Accept: application/vnd.kafka.v2+json" --data '{"records":[{"value":{"foo":"bar"}}]}' "https://VA1orgDEIS91.orgext.global:8082/topics/test_topic"
produces the following error message:
About to connect() to VA1orgDEIS91.orgext.global port 8082 (#0)
Trying 10.236.3.208... connected
Connected to VA1orgDEIS91.orgext.global (10.236.3.208) port 8082 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
warning: ignoring value of ssl.verifyhost
skipping SSL peer certificate verification
NSS: client certificate from file
subject: CN=VA1orgDEIS88.orgext.global,OU=EDA,O=org,L=ATLANTA,ST=GEORGIA,C=US
start date: Sep 24 00:40:51 2018 GMT
expire date: Feb 08 00:40:51 2046 GMT
common name: VA1orgDEIS88.orgext.global
issuer: C=US,L=ATLANTA,O=org,OU=EDA,CN=ca1.test.orgext.global
NSS error -12224
Closing connection #0
SSL connect error
curl: (35) SSL connect error
What could be causing this error?