可以在自签名证书上使用本地主机的名称并在内部用于在同一本地主机上运行的应用程序吗?
我只是想用证书测试我的应用程序。
原谅我的无知我是部署证书的新手。
使用 Powershell,我正在尝试使用可以导出的私钥创建自签名 ssl 证书。我已经阅读并遵循了各种教程,但最终结果始终是没有导出任何私有的。我正在使用 Powershell,因为服务器运行的是 Windows Server 2016 Core 版本。我已经尝试从远程计算机使用证书 MMC 控制台,但是在远程执行该操作时似乎并非所有功能都可用。无论如何,我所遵循的各种教程都谈到了导出私钥的能力,但是我还没有找到一个具体的代码示例来实现这项工作。这是我一直在尝试的代码:
$todaydt = Get-Date
$5years = $todaydt.AddYears(5)
$selfSignedRootCA = New-SelfSignedCertificate -DnsName SelfSignedRootCA -notafter $5years -CertStoreLocation Cert:\LocalMachine\My\ -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeySpec KeyExchange -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName "myserver.test" -notafter $5years -Signer $selfSignedRootCA -KeyUsage KeyEncipherment,DigitalSignature
$CertPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\REDACTED-THUMBPRINT -FilePath C:\test.pfx -Password $CertPassword
我的研究表明,最常见的原因是用于创建证书的证书模板不允许导出私钥,因此按照这些建议,我复制了现有的证书模板并确保将其配置为允许导出密钥。但是,我不知道如何/在哪里在上述任何命令中指定新创建的模板。我对这些 cmdlet 文档的审查没有显示任何参数。真的坚持这一点,所以任何建议都非常感谢。
我想使用 Vault (HashiCorp) 为内部服务设置私有 CA。我在 Vault 之外生成根 CA 和中间 CA 证书。Vault 将根据请求生成短期(30 天)证书。
我遵循了这个 guid https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
并生成了 Root CA Certificate example.com& dev.example.com,但是我是否需要*.dev.example.comVault 的通配符中间证书来生成进一步的子域证书,例如one.dev.example.com,two.dev.example.com?
对此有任何帮助吗?
我在域https://www.ayeaye.at的 RHEL7 上运行一个带有 apache 的网站。我正在使用 certbot 来获取证书。
网络服务器正常工作,我获得了正确的域证书,并且 certbot 告诉我它已安装并正在工作,但是当我通过网络访问我的域时,我收到“MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT”错误,当我使用 ssllabs 测试我的网站时,我看到了主题/通用名称(在 ssllabs 上:k004992vsa)与我使用openssl x509 -in /etc/letsencrypt/live/www.ayeaye.at/fullchain.pem -subject(subject= /CN=www.ayeaye.at)分析我的证书时发现的名称不同。
我正在寻求帮助以了解如何消除这种差异以及如何获得与我的域名实际匹配的证书。
到目前为止,我已经尝试了 certbot 提供的几乎所有命令,删除、撤销、更新、空运行......没有任何改变。
我的 Apache 配置文件:
# cat /etc/httpd/conf/httpd.conf 1 ↵ root@ayeaye
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
# with ServerRoot set to '/www' will be interpreted by the
# server as '/www/log/access_log', where as '/log/access_log' will be
# interpreted as '/log/access_log'.
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
<VirtualHost *:80>
DocumentRoot "/var/www/html/drupal/"
ServerName www.ayeaye.at
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.ayeaye.at
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User apache
Group apache
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin root@localhost
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName www.ayeaye.at
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"
#
# Relax access to content within /var/www.
#
<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
#
# Controls who can get stuff from this server.
#
Require all granted
#rewrite vron www to non-www on all sites
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteEngine On
# This will enable the Rewrite capabilities
RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e. http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context
</Directory>
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.php index.html
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig /etc/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
AddType text/css .css
</IfModule>
#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default. To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
MIMEMagicFile conf/magic
</IfModule>
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
EnableSendfile on
# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf
#enabling clean urls for drupal
Include conf/drupal.conf
Include /etc/httpd/conf/httpd-le-ssl.conf
和 httpd-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html/drupal/"
ServerName www.ayeaye.at
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.ayeaye.at
SSLCertificateFile /etc/letsencrypt/live/www.ayeaye.at/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.ayeaye.at/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.ayeaye.at/chain.pem
</VirtualHost>
</IfModule>
---------------
和 httpd -S 说:
# httpd -S root@ayeaye
VirtualHost configuration:
*:80 www.ayeaye.at (/etc/httpd/conf/httpd.conf:52)
*:443 is a NameVirtualHost
default server www.ayeaye.at (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.ayeaye.at (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.ayeaye.at (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias www.ayeaye.at
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
我正在寻找有关如何添加要在 Pod 本身中使用的证书的各种演练,但我似乎找不到有关如何设置 Kubernetes 以允许自签名证书从内部运行的 Harbor 实例中提取图像的信息集群。我已将 ca 证书导入系统的受信任证书(系统运行的是 Ubuntu 18.04),但我猜 Kubernetes 在某处使用它自己的受信任证书存储,类似于 Java 忽略系统的受信任证书并依赖密钥库文件的方式?
编辑 更具体地说,我要做的是部署一个自定义 Docker 映像,该映像存储在我的 Harbor 实例中,该实例在我的 Kubernetes 集群中运行。我将 Harbor 的证书导入到我的主机系统操作系统中,我可以运行:
docker login <url_to_harbor>
docker pull <url_to_harbor>/library/custom/image:latest
它在 CLI 中运行良好,但如果我尝试像这样创建部署 yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: custom-deployment
spec:
replicas: 1
selector:
matchLabels:
app: custom
template:
metadata:
labels:
app: custom
spec:
containers:
- name: custom
image: <url_to_harbor>/library/custom/image:latest
...
并运行kubectl apply -f custom-deploy.yaml当我得到 pod 时出现以下错误:
custom-deployment-6ff68947f6-8jj2p 0/1 ImagePullBackOff 0 13s
如果我得到关于失败 pod 的描述,我会看到:
Warning Failed 18s kubelet, node3 Failed to pull image "<url_to_harbor>/library/custom/image:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://<url_to_harbor>/v2/: x509: certificate signed by unknown authority
Warning Failed 18s kubelet, node3 Error: ErrImagePull
自从导入 CA 证书以来,我已经重新启动了主机。我通过将根 CA 证书文件移动到/usr/local/share/ca-certificates然后运行来添加证书sudo update-ca-certificates。
我有以下证书链:
自签名证书 --> 中间证书 --> 客户端证书、服务器证书。我有 ssl 通信应用程序并验证对等设置。我尝试用openssl s_client命令测试这个链,我得到了Verify return code: 19 (self signed certificate in certificate chain). 服务器在握手中发送整个链。
我尝试使用包含自签名和中间证书的 Bundle.pem 以及 Self-signed.pem 对此进行测试,但结果是相同的。
openssl s_client -msg -connect localhost:1500 -CAfile Self-signed.pem/Bundle.pem -cert Client.crt -key Client.key
然后我颁发了另一个中间证书,并从那个证书颁发了新的服务器证书
openssl s_client -msg -connect localhost:1500 -CAfile Bundle2.pem -cert Client.crt -key Client.key
Bundle2.pem 包含第二个中间证书和自签名证书,这工作正常。此外,服务器现在不发送整个证书链,这是应用程序的设计方式。
有人可以解释为什么这是一个问题,如果服务器和客户端具有相同的中间证书,为什么我无法成功验证?
请问如何根据自己的CA根证书生成端实体证书?我以这种方式生成了根 CA:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout example.key -out example.crt -subj /CN=MyCompany \
-addext subjectAltName=IP:192.168.100.82
openssl pkcs12 -export -out cert.pfx -inkey example.key -in example.crt
我已将 cer 文件导入Windows Trusted Root Certification Authorities并将 pfx 文件导入IIS Server Certificates。
它适用于 Chrome、IE 和 Edge,但 Firefox 报告我的证书存在问题:MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
我用谷歌搜索了它,我了解到我应该拥有由我的 CA 根证书签名的最终实体证书。我试图生成最终实体证书:
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj /CN=MyCompanyEE -addext subjectAltName=IP:192.168.100.82
openssl x509 -req -in server.csr -CA cert.pem -CAkey example.key -CAcreateserial -out server.crt -days 3650 -sha256
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
OpenSSL 响应:
Signature ok
subject=CN = MyCompanyEE
Getting CA Private Key
我也已将 server.pfx 导入IIS 服务器证书,并将我的 Web 应用程序的绑定更改为使用服务器证书,但现在它在 Firefox 或 Chrome 中都不起作用。
Firefox 说:SSL_ERROR_BAD_CERT_DOMAIN,
Chrome 说:NET::ERR_CERT_COMMON_NAME_INVALID。
我做错了什么?
我曾经像这样使用 makecert 创建自签名证书
makecert.exe
-iv fooCA.pvk
-ic fooCA.cer
-n "CN=Username"
-pe
-sv username.pvk
-a sha1
-len 2048
-b 08/07/2014
-e 08/07/2024
-sky exchange username.cer
-eku 1.3.6.1.5.5.7.3.2
现在使用 Windows 10 我不能再使用 MakeCert,我正在尝试使用 New-SelfSignedCertificate 脚本来实现相同的目的。这是我到目前为止所尝试的。
New-SelfSignedCertificate
-Subject "CN=Username"
-KeyExportPolicy Exportable
-Container "Username.pvk"
-KeyAlgorithm sha1
-KeyLength 2048
-NotBefore 08/07/2014
-NotAfter 08/07/2024 -KeySpec KeyExchange
-TextExtension @("1.3.6.1.5.5.7.3.2")
我应该使用哪些参数来镜像 MakeCert 中的 -iv 和 -ic?
我还怀疑我的主题不正确,或者我需要在 TextExtension 中添加替代主题,因为我目前收到缺少主题信息错误。
我是否需要对.ps1包含在我的 Powershell 配置文件中的每个 Powershell 脚本(外部文件)进行签名?如果是这样,我可以用相同的证书签名(或者这是最糟糕的做法)吗?
并且只是为了清楚脚本是否更改,我只需要辞职更改正确的脚本吗?因为脚本的内容是通过某种校验和编码到签名中的。
使用 powershell 编写脚本时,您必须确保允许您的脚本使用证书在相关机器上运行。如果对脚本进行了任何更改,则必须重新签署证书才能再次运行脚本;在您对要在多台机器上运行的脚本进行更改之前,这非常有效。
是否可以使用 Powershell 在远程计算机上为特定脚本导入更新的证书?
如果我更改了已签名的脚本,我必须将其辞职,否则会出现此错误:
. : File \\server\Redirected\yy-XXXX\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 cannot
be loaded. The contents of file \\server\Redirected\yy-XXXX\My
Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 may have been tampered because the hash of the file does
not match the hash stored in the digital signature. The script will not execute on the system. Please see "get-help
about_signing" for more details..
At line:1 char:3
+ . '\\server\Redirected\yy-XXXX\My Documents\WindowsPowerShell\Microsof ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess