Normally a system ships with its own CA bundle and with the tooling for maintaining it. This post describes how to build your own CA bundle and pass it to OpenSSL-based programs as the cafile or cacert parameter. Done this way, you neither modify the system CA bundle nor need root access.
First, download the CA certificate files you want to include in the bundle. For example, while the company I work for was being split, I often needed the internal CAs of the two new companies. Assume they are named hpca-internal.pem and hpeca-internal.pem.
Then run the following commands:
openssl x509 -inform PEM -in hpca-internal.pem -text > my-cabundle.crt
openssl x509 -inform PEM -in hpeca-internal.pem -text >> my-cabundle.crt
my-cabundle.crt now contains both CA certificates and can be passed as the cacert parameter when accessing internal services whose certificates were issued by these two CAs.
For example, I have an HTTPS service whose certificate was issued by hpca. The operating system's CA bundle does not include this internal CA, so accessing the service fails with the following error:
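The procedure above can be scripted so that every input is checked before it is appended and the finished bundle is exercised against a server certificate, which is the same check curl performs with --cacert. The following shell script is an added example, not part of the original post; it needs only the openssl command-line tool. The CA names (demo-ca-a, demo-ca-b) and the host name are constructed stand-ins for the post's hpca-internal.pem and hpeca-internal.pem, and the demo generates its own throwaway keys so it runs offline.

```bash
#!/bin/sh
# Added example (not from the original post): build a private CA bundle from
# individual PEM CA certificates and check it against a server certificate.
# Requires the openssl command-line tool. CA names and host names below are
# constructed for the demo; they are not the post's internal CAs.
set -eu

# build_bundle OUT CA1.pem [CA2.pem ...]
# Appends the PEM certificate of each input file to OUT. Each input is first
# parsed with -noout so a stray non-certificate file fails loudly instead of
# silently yielding a bundle that trusts nothing.
build_bundle() {
  out=$1; shift
  : > "$out"
  for ca in "$@"; do
    if ! openssl x509 -in "$ca" -noout 2>/dev/null; then
      echo "build_bundle: $ca is not a certificate" >&2
      return 1
    fi
    # Plain PEM is all a cafile needs. The post's "-text" flag additionally
    # prints a human-readable dump before the same PEM block; parsers skip it.
    openssl x509 -in "$ca" >> "$out"
  done
}

# count_certs BUNDLE: prints the number of PEM certificates in BUNDLE.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# verify_against_bundle BUNDLE CERT.pem
# Exit 0 if CERT chains to a CA in BUNDLE, non-zero otherwise. This mirrors
# the trust decision curl --cacert / other OpenSSL-based clients make.
verify_against_bundle() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_ca DIR NAME: self-signed demo CA written to DIR/NAME.pem (+ .key),
# standing in for an internal CA such as the post's hpca-internal.pem.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/$2.key" -out "$1/$2.pem" -subj "/CN=$2" 2>/dev/null
}

# issue_demo_cert DIR CA_NAME HOST: server certificate for HOST signed by the
# demo CA, written to DIR/HOST.pem.
issue_demo_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/$3.csr" \
    -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
    -out "$1/$3.pem" 2>/dev/null
}

main() {
  work=$(mktemp -d)
  make_demo_ca "$work" demo-ca-a
  make_demo_ca "$work" demo-ca-b
  issue_demo_cert "$work" demo-ca-a svc.a.example.internal

  build_bundle "$work/my-cabundle.crt" "$work/demo-ca-a.pem" "$work/demo-ca-b.pem"
  echo "bundle holds $(count_certs "$work/my-cabundle.crt") CA certificates"

  if verify_against_bundle "$work/my-cabundle.crt" "$work/svc.a.example.internal.pem"; then
    echo "server certificate verifies against the bundle"
  else
    echo "server certificate does NOT verify against the bundle"
  fi
  rm -rf "$work"
}
main
```

The -noout pre-check matters because a bundle built by blind concatenation still "works" in the sense that curl loads it; a corrupted or wrong file simply contributes no trust anchor, and the failure surfaces later as an unexplained error 60. Verifying a real server certificate with openssl verify -CAfile before deploying the bundle catches that early.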
curl https://$(hostname -f):35358/v3
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Below I access the service again, this time passing the CA bundle generated above:
curl --cacert my-cabundle.crt https://$(hostname -f):35358/v3;echo
{"version": {"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "https://c4t12190.itcs.hpecorp.net:35358/v3/", "rel": "self"}]}}