There are two IPs: 192.168.31.42 and 192.168.31.50. Make 192.168.31.72 the server side and 192.168.31.42 the client side; all the operating systems are Debian. The domain name is mylocal.com.
Log in to the server side:
# Create rootCA.key and rootCA.crt.
openssl req -x509 \
-sha256 -days 356 \
-nodes \
-newkey rsa:2048 \
-subj "/CN=mylocal.com" \
-keyout rootCA.key -out rootCA.crt
# Create the server private key:
sudo openssl genrsa -out /etc/ssl/server.key 2048
# Create the Certificate Signing Request configuration:
cat > csr.conf <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = US
CN = mylocal.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
# the host name belongs in a DNS entry and the address in an IP entry;
# a DNS entry holding "192.168.31.72" never matches a hostname check
DNS.1 = mylocal.com
IP.1 = 192.168.31.72
EOF
# use the key created above; it was written to /etc/ssl/server.key, not the current directory
sudo openssl req -new -key /etc/ssl/server.key -out server.csr -config csr.conf
# Generate the SSL certificate signed by the self-signed CA:
cat > cert.conf <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = mylocal.com
IP.1 = 192.168.31.72
EOF
# write the signed certificate where the Apache config below expects it (SSLCertificateFile)
sudo openssl x509 -req \
-in server.csr \
-CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out /etc/ssl/server.crt \
-days 365 \
-sha256 -extfile cert.conf
Now set the configuration in the server side's apache2:
<VirtualHost *:80>
    ServerName mylocal.com
    Redirect permanent / https://mylocal.com/
    DocumentRoot /var/www/html
    <Directory /home/debian/mydoc>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    # the TLS vhost must answer for the name in the certificate
    ServerName mylocal.com
    DocumentRoot /var/www/html
    SSLEngine On
    SSLCertificateFile /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Restart Apache, quit the server, and log in to my local PC (192.168.31.42).
Put rootCA.crt into /usr/local/share/ca-certificates and update:
sudo update-ca-certificates
Set "192.168.31.72 mylocal.com" in /etc/hosts.
Check one-way SSL verification with the self-signed Root CA:
Input: mylocal.com:443
Check with curl:
curl -v --cacert rootCA.crt https://mylocal.com:443
* Trying 192.168.31.72:443...
* Connected to mylocal.com (192.168.31.72) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: rootCA.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Did I succeed or fail?
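An added diagnostic script, not part of the original post: it rebuilds a root CA and a server certificate of the same shape as the post's in a temporary directory (with the SAN carrying mylocal.com as a DNS entry and 192.168.31.72 as an IP entry) and wraps the three checks that explain the curl output above. chain_ok is what curl's --cacert performs and fails with "unable to get local issuer certificate" when the CA file is not the one that signed the leaf; host_ok and ip_ok add the SAN match; same_cert compares fingerprints so you can confirm the file Apache loads is the one you just signed. The host name and address are the post's; the temp paths, the second "wrongCA", the config contents and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a root CA and a server
# certificate in a temp dir, then exposes the checks behind curl's
# "unable to get local issuer certificate" and hostname-mismatch failures.
# Host name/IP come from the post; paths, wrongCA and function names are assumed.
set -e

WORK=$(mktemp -d)

# Root CA with explicit CA:TRUE and keyCertSign, so the result does not depend
# on the system openssl.cnf (constructed config).
cat > "$WORK/ca.conf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = mylocal.com Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -config "$WORK/ca.conf" -newkey rsa:2048 -nodes -sha256 -days 365 \
  -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" 2>/dev/null

# A second, unrelated CA stands in for "the rootCA.crt on the client is not
# the one that signed server.crt" (constructed).
openssl req -x509 -config "$WORK/ca.conf" -newkey rsa:2048 -nodes -sha256 -days 365 \
  -keyout "$WORK/wrongCA.key" -out "$WORK/wrongCA.crt" 2>/dev/null

# Server key + CSR. The SAN lists the host as DNS and the address as IP; a
# DNS entry holding "192.168.31.72" would never satisfy a hostname check.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
cat > "$WORK/csr.conf" <<EOF
[ req ]
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = US
CN = mylocal.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = mylocal.com
IP.1 = 192.168.31.72
EOF
openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" -config "$WORK/csr.conf"

# Leaf extensions (constructed); the unnamed top section is what -extfile reads.
cat > "$WORK/cert.conf" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = mylocal.com
IP.1 = 192.168.31.72
EOF
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" \
  -CAcreateserial -out "$WORK/server.crt" -days 365 -sha256 -extfile "$WORK/cert.conf" 2>/dev/null

# chain_ok CAFILE CERT: does CERT chain to CAFILE? This is the check curl's
# --cacert performs; when it fails, curl reports "unable to get local issuer certificate".
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# host_ok CAFILE CERT NAME: chain check plus a SAN match for a DNS name.
host_ok() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }

# ip_ok CAFILE CERT ADDR: chain check plus a SAN match for an IP entry.
ip_ok() { openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1; }

# same_cert A B: compare SHA-256 fingerprints. Run it against the file named in
# SSLCertificateFile to catch "signed in one directory, served from another".
same_cert() {
  a=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ "$a" = "$b" ]
}

# Demo: the right CA verifies the leaf, the wrong CA reproduces curl's error.
chain_ok "$WORK/rootCA.crt" "$WORK/server.crt" && echo "rootCA.crt: chain ok"
chain_ok "$WORK/wrongCA.crt" "$WORK/server.crt" || echo "wrongCA.crt: unable to get local issuer certificate (expected)"
```

On the real hosts, point chain_ok at the rootCA.crt copied to the client and at the file Apache serves (`openssl s_client -connect mylocal.com:443 -showcerts` prints it), then run same_cert between /etc/ssl/server.crt and the certificate you signed: if either check fails, curl's error is explained before touching the Apache config.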