私はフォローアップをしています。この指示自己署名証明書をインストールします。具体的には:
次の内容で localhost.conf ファイルを作成します。
[req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
それから:
$ lsb_release -d
Description: Debian GNU/Linux 11 (bullseye)
$ openssl version
OpenSSL 1.1.1k 25 Mar 2021
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf -subj '/CN=localhost'
Generating a RSA private key
...+++++
...........................................................+++++
writing new private key to 'localhost.key'
-----
$ openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
Enter Export Password: (empty password)
Verifying - Enter Export Password: (empty password)
$ sudo cp localhost.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Adding debian:localhost.pem
done.
done.
$ openssl verify localhost.crt
CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed
証明書はCAキー(つまり信頼できる)にインストールする必要があるため、最新のコマンドが証明書を正常に検証する必要があると思いましたが、そうではありません。ここで明らかなものを見逃していますか?