Import self signed certificate in redhat

Problem description

How can I import a self-signed certificate in Red-Hat Linux?

I'm not an expert with respect to certificates and find it difficult to find the right answer through googling, since I don't know the difference between a .cer, .crt or a .pem. Having said that, what I would like to do should not be rocket science (in Windows I can do this with a few clicks in my browser). I want to connect to a server that makes use of a self-signed certificate, for example using wget, without having to use the --no-check-certificate option. To make this work I will have to add the self-signed certificate of the server to my RedHat box. I have found out the certificates reside in /etc/pki/tls. But I am at a loss what actions I should perform to make wget function without complaining.

I can get the SSL certificate from the server using:

openssl s_client -connect server:443

The certificate is between "BEGIN CERTIFICATE" and "END CERTIFICATE"; I do not know what kind of certificate this is. Next I will have to put it in the /etc/pki/tls/certs directory and apply some openssl secret sauce I don't know about. Can you help?

Recommended answer

I don't know of a way to import a specific site-cert into OpenSSL's trust db (I wish I did!), but since you're talking about a self-signed cert we can approach it by importing your cert as new trusted CA cert. Warning though: you're also going to be trusting any sites that are signed by that cert.

You can download a self-signed cert directly from a site quickly with:

openssl s_client -connect server:443 <<<'' | openssl x509 -out /path/file

Note that you should only do this in the case of a self-signed cert (as mentioned in the original question). If the cert is signed by some other CA, you can't run with the above; instead, you will need to find the appropriate CA cert and download that.

The update-ca-trust command was added in Fedora 19 and RHEL6 via RHEA-2013-1596. If you have it, your steps are dumb-simple (but require root/sudo):

  1. copy the CA cert to /etc/pki/ca-trust/source/anchors/
  2. update-ca-trust enable; update-ca-trust extract
  3. (Note that the enable command isn't necessary in RHEL7 & modern Fedora)

If you don't have update-ca-trust, it's only a little harder (and still requires root/sudo):

  1. cd /etc/pki/tls/certs
  2. copy the CA cert here
  3. ln -sv YOURCERT $(openssl x509 -in YOURCERT -noout -hash).0

PS: The question mentioned Red Hat, but for anyone looking at doing the same with something besides Fedora/RHEL, wiki.cacert.org/FAQ/ImportRootCert might be helpful.
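
An added example, not part of the original answer: a shell helper that confirms a fetched certificate really is self-signed before it is staged as a trust anchor, following the answer's caveat that the procedure only applies to self-signed certs. The function names and the server.pem file name are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer). Helper names are hypothetical.

# Succeeds only when the PEM file $1 is self-signed: issuer and subject
# hash to the same value and the signature verifies under its own key.
# An expired or not-yet-valid certificate also fails the verify step.
is_self_signed() {
    local cert="$1" subj iss
    subj=$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null) || return 2
    iss=$(openssl x509 -in "$cert" -noout -issuer_hash 2>/dev/null) || return 2
    [ "$subj" = "$iss" ] || return 1
    # Match on the output; older OpenSSL releases exit 0 even on failure.
    openssl verify -CAfile "$cert" "$cert" 2>/dev/null | grep -q ': OK$'
}

# SHA-256 fingerprint, to compare with a value obtained from the server
# operator over a separate channel before trusting the file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Copy $1 into trust directory $2 and add the <subject-hash>.0 symlink used
# by the legacy /etc/pki/tls/certs method. Refuses non-self-signed input.
stage_anchor() {
    local cert="$1" dir="$2" name hash
    is_self_signed "$cert" || { echo "refusing: $cert is not self-signed" >&2; return 1; }
    name=$(basename "$cert")
    hash=$(openssl x509 -in "$cert" -noout -hash) || return 2
    install -m 0644 "$cert" "$dir/$name" || return 2
    ln -sfn "$name" "$dir/$hash.0"
    echo "$dir/$hash.0"
}

# Usage as root (paths from the answer above; server.pem is a placeholder):
#   cert_fingerprint server.pem
#   stage_anchor server.pem /etc/pki/tls/certs
# With update-ca-trust available, copy to /etc/pki/ca-trust/source/anchors/
# and run `update-ca-trust extract` instead; the symlink is not needed there.
```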
