Trusting a server certificate on a RHEL host via a CA bundle certificate
Reference (LINK)
Problem (in the example below the CA is an intermediate CA certificate):
Given the CA certificate: rapidSSL-ca.crt
and the server certificate: server.crt
# Running the following server certificate verification command shows an error:
openssl verify server.crt
#(Output):
server.crt: C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
error 2 at 2 depth lookup:unable to get issuer certificate
# But it verifies fine when the CA certificate is supplied:
openssl verify -CAfile rapidSSL-ca.crt server.crt
#(Output):
OK
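The two verify results above, reproduced with a throw-away CA chain as an added example (not part of the original note): the generated ca-bundle.crt stands in for rapidSSL-ca.crt and the generated server.crt for server.crt, and it also shows the -untrusted form for the case where only the root is trusted. It assumes openssl and mktemp are on PATH.

```shell
#!/bin/sh
# Constructed demo: a root CA, an intermediate CA and a server certificate,
# all generated here, then the "openssl verify" results from the note.
WORK="$(mktemp -d)"

make_chain() {
  # Root CA: CSR self-signed with its own key, marked CA:TRUE.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  # Intermediate CA, signed by the root (the note's rapidSSL-ca.crt role).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/ca.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/ca.crt" >/dev/null 2>&1
  # Server certificate, signed by the intermediate (the note's server.crt role).
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/srv.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/srv.ext" \
    -out "$WORK/server.crt" >/dev/null 2>&1
  # CA bundle: intermediate followed by root. On RHEL this is the file that
  # would be copied to /etc/pki/ca-trust/source/anchors/ before update-ca-trust.
  cat "$WORK/ca.crt" "$WORK/root.crt" > "$WORK/ca-bundle.crt"
}

# Prints OK or FAIL; any arguments are passed straight to openssl verify.
verify_server() {
  if openssl verify "$@" "$WORK/server.crt" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_chain
echo "no CA given:      $(verify_server)"                                   # FAIL
echo "with the bundle:  $(verify_server -CAfile "$WORK/ca-bundle.crt")"     # OK
echo "root only:        $(verify_server -CAfile "$WORK/root.crt")"          # FAIL, intermediate missing
echo "root + untrusted: $(verify_server -CAfile "$WORK/root.crt" -untrusted "$WORK/ca.crt")"  # OK
```

The "root only" line is the check worth keeping: a trust store that holds only the root still fails until the intermediate is either in the bundle or passed with -untrusted.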
Solution 1 → update-ca-trust:
# Copy the CA certificate into the host's trust anchor directory:
cp rapidSSL-ca.crt /etc/pki/ca-trust/source/anchors/
# Apply the certificates in the trust directory:
update-ca-trust
# Verify the server certificate again (this time without the CA) and it passes:
openssl verify server.crt
#(Output):
server.crt : OK
Solution 2 → trust anchor:
# Run the trust command:
trust anchor --store rapidSSL-ca.crt
# Confirm the trust list:
trust list
#(Output):
pkcs11:id=%53%ca%17%59%fc%6b%c0%03%21%2f%1a%ae%e4%aa%a8%1c%82%56%da%75;type=cert
type: certificate
label: RapidSSL RSA CA 2018
trust: anchor
category: authority
..snip..
# Verify the server certificate again (this time without the CA) and it passes:
openssl verify server.crt
#(Output):
server.crt : OK
# To remove it later:
trust anchor --remove pkcs11:id=%53%ca%17%59%fc%6b%c0%03%21%2f%1a%ae%e4%aa%a8%1c%82%56%da%75
# or:
trust anchor --remove /etc/pki/ca-trust/source/RapidSSL_RSA_CA_2018.p11-kit