curl self-signed certificate web service over SSL

Problem description


Hi, I am having a big headache trying to curl a REST web service I created locally over SSL. I keep getting the message:

    curl: (60) SSL certificate problem: self signed certificate
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.

Here are the steps I followed:

  1. Created my own CA certificate with OpenSSL (private certificate and key pair):
    OpenSSL req -x509 -new -config c:\X509CA\openssl.cfg -days 365 -out c:\X509CA\ca\private_ca.pem -keyout c:\X509CA\ca\private_ca_pk.pem
    My CN: RESTfulCustomer

  2. Created the keystore and mycert.pem:
    keytool -genkey -validity 365 -alias myalias -keypass password -keystore myKeyStore.jks -storepass password
    Used the same CN as above.

  3. Created a certificate signing request:
    keytool -certreq -alias myalias -file myCert_csr.pem -keypass password -keystore myKeyStore.jks -storepass password

  4. Signed the CSR with:
    openssl ca -config c:\X509CA\openssl.cfg -days 365 -in c:\path\to\key_store\myCert_csr.pem -out c:\path\to\key_store\myCert.pem

  5. Converted to PEM format - convert the signed certificate, CertName.pem, to PEM only format, as follows:
    Openssl x509 -in c:\path\to\key_store\myCert.pem -out c:\path\to\key_store\myCert.pem -outform PEM

  6. Concatenated the CA certificate file and the certName.pem:
    copy myCert.pem + c:\X509CA\ca\new_ca.pem myCert.chain

  7. Updated keystore with the full certificate chain - update the keystore, CertName.jks, by importing the full certificate chain for the certificate, as follows:
    keytool -import -file myCert.chain -keypass password -keystore myKeyStore.jks -storepass password

Finally imported it into Firefox, updated my server.xml; Apache Tomcat 7 starts OK and I could navigate to my SSL webpage with no problems. Curl does not work without using --insecure. My curl command:

    curl -v --cacert ca.pem https://localhost:8443/RESTfulCustomer/customers.json

The curl command above gives me the message "curl: (60) SSL certificate problem: self signed certificate"

Running the curl command for http//localhost:8080/RESTfuCustomer.customers.json with SSL disabled works fine.

I imported the ca.pem into myKeyStore.jks and restarted Apache.

Environment: Windows 7, Apache Tomcat 7, Spring Security 3.1, curl 7.30.0 (i386-pc-win32) libcurl/7.30.0 OpenSSL/1.0.1c zlib/1.2.7

Any help would be really appreciated, thanks.
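
An added example, not part of the original post: it rebuilds a private-CA setup with OpenSSL alone and reports the `openssl verify` result for a CA-signed and for a self-signed server certificate. Subjects, file names and the 1-day lifetimes are constructed; 18 is OpenSSL's error number for a self-signed leaf that is not itself a trust anchor, the condition behind curl's "self signed certificate" message.

```shell
#!/bin/sh
# Added example. All subjects and file names below are constructed.

make_pki() {   # $1 = existing, writable work directory
    d=$1
    # Private root CA: self-signed; this is the file a client must trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Private CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Server key and CSR, then a certificate issued by the CA for "localhost".
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:localhost\n' > "$d/san.ext"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" \
        -out "$d/srv.pem" 2>/dev/null || return 1
    # Stand-alone self-signed certificate, as `keytool -genkey` creates
    # for a new key entry before any CA-signed reply replaces it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
}

# Print 0 if $2 verifies against the anchors in $1, else OpenSSL's error number.
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo 0; return; }
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || return 1
    echo "CA-signed leaf,   CA trusted:     $(verify_code "$d/ca.pem" "$d/srv.pem")"
    echo "self-signed leaf, CA trusted:     $(verify_code "$d/ca.pem" "$d/self.pem")"
    echo "self-signed leaf, itself trusted: $(verify_code "$d/self.pem" "$d/self.pem")"
    rm -rf "$d"
}
demo
```

Running `openssl verify -CAfile <file given to --cacert> <certificate the server presents>` on real files answers the same question curl asks during the handshake, apart from the host name check.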

Solution

Please refer to the following answer:

To sum up:

% openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----'  > cert.pem
% curl --cacert cert.pem https://example.com

And tada, you connect securely to a self-signed website.
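
An added example, not part of the original answer: the pipeline above is written to save the first certificate block the server sends, and this version generalizes it to list every chain entry and extract any one of them by index, so the file handed to `--cacert` can be chosen deliberately. `SAMPLE` is constructed text in the layout `openssl s_client -showcerts` prints, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. SAMPLE imitates `openssl s_client -showcerts` output; the
# subjects and base64 bodies are constructed placeholders, not real certificates.
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = localhost
   i:CN = Demo Private CA
-----BEGIN CERTIFICATE-----
TEVBRi1DT05TVFJVQ1RFRA==
-----END CERTIFICATE-----
 1 s:CN = Demo Private CA
   i:CN = Demo Private CA
-----BEGIN CERTIFICATE-----
Uk9PVC1DT05TVFJVQ1RFRA==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = localhost'

# Print the Nth (0-based) PEM certificate block found on stdin.
pem_cert_n() {
    awk -v want="$1" '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1 }
        inside && n == want            { print }
        /^-----END CERTIFICATE-----/   { inside = 0; n++ }'
}

# One line per chain entry: index|subject|issuer|self-issued (yes/no).
# "self-issued" is a name comparison only; it does not check the signature.
chain_summary() {
    awk '
        /^ *[0-9]+ s:/ { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ +i:/ && idx != "" {
            sub(/^ +i:/, "")
            printf "%s|%s|%s|%s\n", idx, subj, $0, (subj == $0 ? "yes" : "no")
            idx = ""
        }'
}

printf '%s\n' "$SAMPLE" | chain_summary      # which entry is the self-issued one
printf '%s\n' "$SAMPLE" | pem_cert_n 1       # that entry as a PEM block
```

Against a live server, pipe `openssl s_client -showcerts -connect host:port </dev/null 2>/dev/null` into either function in place of `SAMPLE`, and compare the extracted certificate's fingerprint with one obtained out of band before trusting it.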
