Migrating Hyper-V to PVE
- Advanced Migration Techniques to Proxmox VE - Proxmox VE
- Migrating Hyper-V to Proxmox - what I learned | Proxmox Support Forum
- Paravirtualized Block Drivers for Windows - Proxmox VE
- Export the VM from Hyper-V
- Create the VM
- Import the disk
qm disk import 100 /mnt/pve/synology/import/Windows\ 11.vhdx local-lvm
- Attach the imported disk to the VM as a SATA drive.
The system can boot now; the steps below install the paravirtualized (VirtIO) drivers. Windows cannot boot from a VirtIO SCSI disk until that driver is loaded, which is why the boot disk stays on SATA for the moment and a throwaway SCSI disk is added to make Windows install the driver.
- Create an additional 1 GB SCSI disk for the VM
Windows 11: never combine taskbar buttons but still hide the labels
Windows 11 combines taskbar buttons and hides their labels by default. Some people dislike this, but I think it is fine; I have got used to the centered Start button and icons.
It used to be combine-only; only a recent build exposed the option not to combine.
But with combined, stacked icons, reaching a specific window takes two steps: 1. click the icon, 2. click the window preview. Clicking the icon without bringing the window to the front is even considered a feature, imitating macOS.
I want uncombined buttons but not the long labels. Fortunately someone has asked this before: How to never combine taskbar buttons but also hide labels (so only small icons left) in Windows 11? - Super User, and there are Windhawk mods for it, two of them in fact:
- Disable grouping on the taskbar - Windhawk: I chose this one; it addresses exactly this need
- Taskbar Labels for Windows 11 - Windhawk: a superset of the one above, but I don't need all of that
PVE iGPU passthrough
- 【PVE】All in One 的快乐之物理核显直通 | 云留月的技术小站
- PCI Passthrough - Proxmox VE
- PCI(e) Passthrough - Proxmox VE
- pve-tricks.txt
- PVE | SR-IOV 核显直通 – CCBP的小站
- Add intel_iommu=on iommu=pt to the kernel command line in /etc/default/grub
- Update grub
update-grub
- Blacklist the host driver
echo "blacklist i915" >> /etc/modprobe.d/blacklist.conf
- Add the vfio kernel modules, and register the GPU and its audio function in /etc/modprobe.d/vfio.conf. The vendor:device pairs must be the ones lspci -nn prints on your own host; these are the ones used here:
options vfio-pci ids=8086:a2ba,8086:a2f0
- Finally rebuild the initramfs (this does not touch the kernel itself)
update-initramfs -u -k all
- The next step would be splitting the PCI device (SR-IOV) so the iGPU can be shared between VMs; I did not do that.
Is all of this still necessary on PVE 8? I have not tried what happens with IOMMU left disabled.
Allowing Remote Desktop logon for a Windows account without a password
With the iGPU passed through, the noVNC console in the PVE web UI no longer shows a usable display, so Remote Desktop is the way to log in.
As it happened, I had set up the Windows account without a password, so I needed windows设置无密码远程连接-CSDN博客.
In practice this means opening gpedit.msc and disabling Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Limit local account use of blank passwords to console logon only. Be aware of what that buys: the policy is lifted for every blank-password local account on the machine, so anyone who can reach the RDP port can log on as such an account with no credential at all. Giving the account a password is the safer fix; the policy exists precisely to keep blank-password accounts off the network.
Configuring a certificate for Windows Remote Desktop
- 给Windows Remote Desktop配置SSL证书 | Mint’s Blog
- Certificates on Remote Desktop Connection : r/WindowsServer
step ca certificate Windows-VM vm.crt vm.key
step certificate p12 vm.p12 vm.crt vm.key
Copy the p12 to the VM, install the certificate into the Local Computer store there, then point RDP at it:
# Friendly name given to the certificate when it was imported (assumed here; set it to
# whatever you typed in the import wizard, or filter on $_.Subject if none was set)
$FriendlyName = "Windows-VM"
# Get the thumbprint of the SSL cert by its friendly name
$Thumbprint = (Get-ChildItem "Cert:\LocalMachine\My" | Where-Object {$_.FriendlyName -eq "$FriendlyName"}).Thumbprint
# Set the SSL cert for Terminal Services (the RDP-Tcp listener setting lives in the terminalservices WMI namespace)
$PATH = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices).__PATH
Set-WmiInstance -Path $PATH -Arguments @{SSLCertificateSHA1Hash="$Thumbprint"}
If $Thumbprint comes back empty in the first step, check that the certificate really went into the Local Computer store. Clicking through the import wizard with its defaults puts it under the current user; change the store location to Local Machine.
If the final Set-WmiInstance fails with "Set-WmiInstance : Invalid parameter", either the certificate's CN is wrong or, more likely, no certificate was found and an empty hash was passed. Also make sure the certificate has its private key and that NETWORK SERVICE can read it, or the RDP listener will silently fall back to the self-signed certificate.
On the RDP client, the Root CA must be installed as well, and specifically in the computer's Trusted Root Certification Authorities store, not the user's.
After all that, connecting over RDP will most likely show the "A revocation check could not be performed for the certificate" error those links mention; the cause is that the intermediate CA has no CRL.
Follow "CRL of a SmallStep PKI certificate fails certutil verification" below: install the forked step-ca and create a CRL for the root certificate.
Yubikey cannot be connected
$ step kms key 'yubikey:slot-id=9c' --kms 'yubikey:pin-prompt'
Error: connecting to pcsc: the Smart card resource manager is not running
$ ykman piv info
WARNING: PC/SC not available. Smart card (CCID) protocols will not function.
ERROR: Unable to list devices for connection
ERROR: Failed to connect to YubiKey.
Clearly the driver had failed: Microsoft Usbccid Smartcard Reader (UMDF2) could not configure the device.
The fix is simple: manually reselect the driver for the reader in Device Manager.
- Failed connecting to the YubiKey when launching App → PIV on Windows 10 · Issue #294 · Yubico/yubikey-manager-qt
- Unable to use Nitrokey HSM with Windows Server 2022 · Issue #2541 · OpenSC/OpenSC
CRL of a SmallStep PKI certificate fails certutil verification
$ certutil -t 1 -urlfetch -user -verify R:\vm.crt
Issuer:
CN=Kokomi Network Intermediate CA
OU=Certificate Authority
O=Kokomi Network
L=Minhang
S=Shanghai
C=CN
Name Hash(sha1): c5cc0ba5314dbed0145a838f8fc91f40d8d951db
Name Hash(md5): fa56866e3279486886a316cb218de0cf
Subject:
CN=Windows-VM
Name Hash(sha1): 9669ca2dfc5bfb87c7be061afaa9bf36bdd55754
Name Hash(md5): 132cf8f933f20a5f119da52e1a6723e9
Cert Serial Number: 32ae0d9826c36d89b8f3ff13186d4b28
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
Issuer: CN=Kokomi Network Intermediate CA, OU=Certificate Authority, O=Kokomi Network, L=Minhang, S=Shanghai, C=CN
NotBefore: 2025-08-30 04:54
NotAfter: 2025-08-31 04:55
Subject: CN=Windows-VM
Serial: 32ae0d9826c36d89b8f3ff13186d4b28
SubjectAltName: DNS Name=Windows-VM
Cert: 24417df7f03811a7cba9c7e7eb4e8cf34dcb19c3
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=Kokomi Network Root CA, OU=Certificate Authority, O=Kokomi Network, L=Minhang, S=Shanghai, C=CN
NotBefore: 2025-08-04 05:53
NotAfter: 2026-08-03 09:53
Subject: CN=Kokomi Network Intermediate CA, OU=Certificate Authority, O=Kokomi Network, L=Minhang, S=Shanghai, C=CN
Serial: 59afa282abfe7a1d02edb482ddf9ea85
Cert: 5618ef37534aa91be1dfd3910a56bbb32fc119c2
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0 (null)
Error retrieving URL: A certificate is required to complete client authentication 0x80072f0c (WinHttp: 12044 ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED)
https://pki.home.kokomi.site
---------------- Certificate CDP ----------------
Wrong Issuer "Base CRL (4c)" Time: 0 93abdef500d79395201efb800737ddb6619814cc
[0.0] http://pki.home.kokomi.site/1.0/crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=40
Issuer: E=s1131234@gmail.com, CN=enihsyou Ltd Root CA, OU=enihsyou Ltd Certificate Authority, O=enihsyou Ltd, L=Shanghai, S=Shanghai, C=CN
NotBefore: 2025-08-02 00:00
NotAfter: 2055-07-26 00:00
Subject: CN=Kokomi Network Root CA, OU=Certificate Authority, O=Kokomi Network, L=Minhang, S=Shanghai, C=CN
Serial: a47d8947e88a014cfbbc9d772a49cbff
Cert: 3ed13acf2715c8bd75af1d6829a5c30cdf2d905a
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CertContext[0][3]: dwInfoStatus=10a dwErrorStatus=0
Issuer: E=s1131234@gmail.com, CN=enihsyou Ltd Root CA, OU=enihsyou Ltd Certificate Authority, O=enihsyou Ltd, L=Shanghai, S=Shanghai, C=CN
NotBefore: 2018-06-04 15:35
NotAfter: 2028-06-01 15:35
Subject: E=s1131234@gmail.com, CN=enihsyou Ltd Root CA, OU=enihsyou Ltd Certificate Authority, O=enihsyou Ltd, L=Shanghai, S=Shanghai, C=CN
Serial: d4642a17f5602583
Cert: 9ede82fea1052e7504afe6fd256b998c9a3b6af5
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Exclude leaf cert:
Chain: 0991d138b66b3e4e51fa3e315c2b9c0f4e890fd1
Full chain:
Chain: a5f760869ddb9396bf82105a912bc42646da9361
Issuer: CN=Kokomi Network Intermediate CA, OU=Certificate Authority, O=Kokomi Network, L=Minhang, S=Shanghai, C=CN
NotBefore: 2025-08-30 04:54
NotAfter: 2025-08-31 04:55
Subject: CN=Windows-VM
Serial: 32ae0d9826c36d89b8f3ff13186d4b28
SubjectAltName: DNS Name=Windows-VM
Cert: 24417df7f03811a7cba9c7e7eb4e8cf34dcb19c3
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
Unable to check leaf certificate revocation status
CertUtil: -verify command completed successfully.
At the same time, C:\WINDOWS\system32\curl.exe fails as well: curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012) - The revocation function was unable to check revocation for the certificate.
Problem 1 - CRLs should be distributed over HTTP
Look at everyone else's certificates: the AIA uses plain HTTP, just like the CRL link, and points straight at a .crt file. RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile says exactly this in sections 4.2.1.13 and 4.2.2.1: an HTTP URI in the CDP or AIA extension points directly at a single DER-encoded CRL or certificate. Plain HTTP also keeps revocation checking from depending on validating yet another certificate first; here the HTTPS endpoint even asked WinHTTP for a client certificate it does not have, which is the ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED in the trace above.
Mine used HTTPS and pointed at an HTML page, so no wonder it failed.
[1]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
The current step-ca release, v0.28.4, however, does not expose the certificate-fetching endpoints on the HTTP port at all, so there was no way around patching and building it myself. That ran into the "self-built step-ca cannot bind port 80" problem as well.
The core changes are just a few:
- expose the CRL and certificate endpoints over plain HTTP
- use HTTP for the CRL URL
Index: authority/tls.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/authority/tls.go b/authority/tls.go
--- a/authority/tls.go (revision 9c8ef01294db1d1f0d978085b8657af51be40429)
+++ b/authority/tls.go (date 1756581871738)
@@ -915,6 +915,8 @@
certTpl := template.GetCertificate()
certTpl.NotBefore = now.Add(-1 * time.Minute)
certTpl.NotAfter = now.Add(24 * time.Hour)
+ certTpl.CRLDistributionPoints = a.config.Audience("/1.0/crl")[:1]
+ certTpl.IssuingCertificateURL = a.config.Audience("/1.0/intermediates.pem")[:1]
// Policy and constraints require this fields to be set. At this moment they
// are only present in the extra extension.
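Review bot: the AIA value built here, a.config.Audience("/1.0/intermediates.pem")[:1], is the URL that later came back "Not found (404)" at http://pki.home.kokomi.site/1.0/intermediates.pem in the certutil trace below, because the ca.go hunk only mounts the API on the insecure listener at the root path, not under /1.0; the working trace fetches /roots.pem and /intermediates.pem without the prefix, so drop /1.0 from both URLs here (or mount the /1.0 group on the insecure mux as well). Two smaller points: both assignments overwrite any CRLDistributionPoints or IssuingCertificateURL the template already set, so guard them with a len(...) == 0 check; and [:1] keeps only the first DNS name, which degrades to the bare, scheme-less path entry when DNSNames is empty.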
Index: authority/config/config.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/authority/config/config.go b/authority/config/config.go
--- a/authority/config/config.go (revision 9c8ef01294db1d1f0d978085b8657af51be40429)
+++ b/authority/config/config.go (date 1756581274067)
@@ -429,7 +429,7 @@
audiences := make([]string, len(c.DNSNames)+1)
for i, name := range c.DNSNames {
hostname := toHostname(name)
- audiences[i] = "https://" + hostname + path
+ audiences[i] = "http://" + hostname + path
}
// For backward compatibility
audiences[len(c.DNSNames)] = path
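Review bot: changing the scheme inside Audience() alters every value this function returns, not just the two URLs the tls.go hunk wants; the slice is named audiences and the trailing scheme-less entry is kept "For backward compatibility", which is the list step-ca matches provisioner-token aud claims against, so tokens minted by unpatched clients with an https://<host>/1.0/sign audience will stop validating. Leave this function on https:// and add a separate HTTP-only helper for the CDP and AIA URLs.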
Index: ca/ca.go
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/ca/ca.go b/ca/ca.go
--- a/ca/ca.go (revision 9c8ef01294db1d1f0d978085b8657af51be40429)
+++ b/ca/ca.go (date 1756567799519)
@@ -239,6 +239,7 @@
// Add regular CA api endpoints in / and /1.0
api.Route(mux)
+ api.Route(insecureMux)
mux.Route("/1.0", func(r chi.Router) {
api.Route(r)
})
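Review bot: api.Route(insecureMux) mounts the whole CA API registered by api.Route, including the sign, renew and revoke handlers, on the plaintext listener, while the change description above only calls for the CRL and certificate endpoints over HTTP; register just the CRL and roots/intermediates handlers on insecureMux so bearer tokens and client credentials are never sent in the clear. Note also that only mux gets the "/1.0" group here, which matches the 404 for /1.0/intermediates.pem in the certutil trace that follows.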
After these changes certutil still prints an error message, but no longer a failure, and C:\WINDOWS\system32\curl.exe stops complaining as well.
$ certutil -urlfetch -verify -user ".\Kokomi Network PKI.crt"
Issuer:
CN=Kokomi Network Intermediate V1
OU=Certificate Authority
O=Kokomi Network
L=Minhang
S=Shanghai
C=CN
Name Hash(sha1): c660ef204c4fb795088e9c75154a01a0c93b4672
Name Hash(md5): a426aa1e9e887076ae0ee5280eab86e1
Subject:
CN=Kokomi Network PKI
Name Hash(sha1): 451e055a2e8a6ba8601c8646de7cd9e84085fe2a
Name Hash(md5): 159b31da3a7106e1c03dbcde76022b51
Cert Serial Number: b907de98b79fcdaa4a216443a319a699
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_CURRENT_USER
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwRevocationFreshnessTime: 32 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwRevocationFreshnessTime: 32 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=Kokomi Network Intermediate V1, OU=Certificate Authority, O=Kokomi Network, L=Minhang, S=Shanghai, C=CN
NotBefore: 2025-08-31 03:28
NotAfter: 2025-09-01 03:29
Subject: CN=Kokomi Network PKI
Serial: b907de98b79fcdaa4a216443a319a699
SubjectAltName: DNS Name=pki.home.kokomi.site
Cert: 61e257ec13fafedd4a1c0638627e866abbd2b7f2
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0 (null)
Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)
http://pki.home.kokomi.site/1.0/intermediates.pem
---------------- Certificate CDP ----------------
OK "Base CRL (55)" Time: 0 08da8f40ca2b6369b33d59625320efc3f3697381
[0.0] http://pki.home.kokomi.site/1.0/crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CRL 55:
Issuer: CN=Kokomi Network Intermediate V1, OU=Certificate Authority, O=Kokomi Network, L=Minhang, S=Shanghai, C=CN
ThisUpdate: 2025-08-31 03:29
NextUpdate: 2025-09-01 03:29
CRL: 08da8f40ca2b6369b33d59625320efc3f3697381
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=40
Issuer: CN=Kokomi Network Root V1, OU=Certificate Authority, O=Kokomi Network, L=Shanghai, S=Shanghai, C=CN
NotBefore: 2025-08-31 01:40
NotAfter: 2026-08-30 05:40
Subject: CN=Kokomi Network Intermediate V1, OU=Certificate Authority, O=Kokomi Network, L=Minhang, S=Shanghai, C=CN
Serial: 842bad8b00b9d2f507d969d49dc8b706
Cert: 2e0efe5e6a69283d89a9cbf8c44a68a8f5bab02f
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0 c65c7c2bffca700029edc9eeb8fbccf9c48d7091
[0.0] http://pki.home.kokomi.site/roots.pem
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Issuance[0] = 2.23.140.1.2.1
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=Kokomi Network Root V1, OU=Certificate Authority, O=Kokomi Network, L=Shanghai, S=Shanghai, C=CN
NotBefore: 2025-08-30 17:18
NotAfter: 2055-08-23 17:18
Subject: CN=Kokomi Network Root V1, OU=Certificate Authority, O=Kokomi Network, L=Shanghai, S=Shanghai, C=CN
Serial: 3820193029fb5853f5731ac3970a7977
Cert: c65c7c2bffca700029edc9eeb8fbccf9c48d7091
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Exclude leaf cert:
Chain: 3b6c92a893a0ec854a1e0c605965dc668af149f4
Full chain:
Chain: ad07dd7e6afeba3f3f6a4d859e9dfcad7f612cb5
Issuer: CN=Kokomi Network Intermediate V1, OU=Certificate Authority, O=Kokomi Network, L=Minhang, S=Shanghai, C=CN
NotBefore: 2025-08-31 03:28
NotAfter: 2025-09-01 03:29
Subject: CN=Kokomi Network PKI
Serial: b907de98b79fcdaa4a216443a319a699
SubjectAltName: DNS Name=pki.home.kokomi.site
Cert: 61e257ec13fafedd4a1c0638627e866abbd2b7f2
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
------------------------------------
Revocation check skipped -- no revocation information available
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
Problem 2 - the root certificate has no CRL
But that is still not enough: the intermediate CA certificate still triggers "The revocation function was unable to check revocation for the certificate", because no CRL covers it. If this is used for RDP
The eventual fix is to create a long-lived CRL for the Root CA and have step-ca serve it.
Support create and distributing Root CRL · enihsyou/smallstep-certificates@4e04ec5
Support create and distributing Root CRL · enihsyou/smallstep-cli@4d259a7
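The two failure modes above, a certificate that advertises no distribution point at all (Problem 2, CRYPT_E_NO_REVOCATION_CHECK) and a distribution point that serves nothing usable (Problem 1, CRYPT_E_REVOCATION_OFFLINE), can be reproduced without Windows. The Go program below is an added example written for this page; it is not code from step-ca, from the forks linked above, or from the author. It builds a root/intermediate/leaf chain in memory, publishes CRLs into a map that stands in for the HTTP host, and then runs the same leaf-plus-intermediate CRL check that certutil performs under CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT. It also verifies that each CRL is signed by the certificate's own issuer, which is what the 'Wrong Issuer "Base CRL (4c)"' line in the first trace was about: the intermediate's own CRL was being served where the root's CRL should have been. The subject names and the pki.example.test URLs are made up, and only the first distribution point of each certificate is consulted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Outcomes matching the certutil traces on this page: CRYPT_E_NO_REVOCATION_CHECK (no CDP in the
// certificate), CRYPT_E_REVOCATION_OFFLINE (CDP set but nothing served there) and a revoked entry.
var (
	ErrNoRevocationInfo  = errors.New("no CRL distribution point in certificate")
	ErrRevocationOffline = errors.New("nothing served at the CRL distribution point")
	ErrRevoked           = errors.New("serial listed in issuer CRL")
)

// Hypothetical distribution points; the hosted map stands in for the HTTP server behind them.
const (
	RootCRLURL = "http://pki.example.test/root.crl" // signed by the root, covers the intermediate
	IntCRLURL  = "http://pki.example.test/crl"      // signed by the intermediate, covers leaves
)

// issue generates a P-256 key and a certificate for cn signed by parentKey (nil = self-signed).
// CAs get keyCertSign|cRLSign, which CreateRevocationList and CheckSignatureFrom both require.
func issue(serial int64, cn string, ca bool, ttl time.Duration, cdp []string,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl),
		CRLDistributionPoints: cdp, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain returns {leaf, intermediate, root} and their keys. interCDP is the CRL URL written
// into the intermediate; nil reproduces the page's "root publishes no CRL" situation.
func BuildChain(interCDP []string) ([]*x509.Certificate, []*ecdsa.PrivateKey, error) {
	root, rootKey, err := issue(1, "Demo Root CA", true, 20*365*24*time.Hour, nil, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	inter, interKey, err := issue(2, "Demo Intermediate CA", true, 365*24*time.Hour, interCDP, root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, leafKey, err := issue(3, "demo-vm", false, 24*time.Hour, []string{IntCRLURL}, inter, interKey)
	if err != nil {
		return nil, nil, err
	}
	return []*x509.Certificate{leaf, inter, root}, []*ecdsa.PrivateKey{leafKey, interKey, rootKey}, nil
}

// PublishCRL signs a CRL as issuer (CRL number = issue time) and "uploads" it to hosted[url].
func PublishCRL(hosted map[string][]byte, url string, issuer *x509.Certificate, key *ecdsa.PrivateKey,
	validFor time.Duration, revoked ...*big.Int) error {
	now := time.Now()
	crl := &x509.RevocationList{Number: big.NewInt(now.Unix()), ThisUpdate: now, NextUpdate: now.Add(validFor)}
	for _, s := range revoked {
		crl.RevokedCertificates = append(crl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, crl, issuer, key)
	if err != nil {
		return err
	}
	hosted[url] = der
	return nil
}

// CheckRevocation checks every certificate except the self-signed root against a CRL signed by
// its issuer, the scope certutil calls CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT. Go's
// x509.Verify never consults CRLs, so this is a separate step after path validation.
func CheckRevocation(chain []*x509.Certificate, hosted map[string][]byte) error {
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		if len(cert.CRLDistributionPoints) == 0 {
			return fmt.Errorf("%s: %w", cert.Subject.CommonName, ErrNoRevocationInfo)
		}
		der, ok := hosted[cert.CRLDistributionPoints[0]]
		if !ok { // the 404 and HTTPS-only cases on this page end up here
			return fmt.Errorf("%s: %w", cert.Subject.CommonName, ErrRevocationOffline)
		}
		crl, err := x509.ParseRevocationList(der)
		if err == nil { // only the issuing CA may vouch for its own certificates
			err = crl.CheckSignatureFrom(issuer)
		}
		if err == nil && time.Now().After(crl.NextUpdate) {
			err = fmt.Errorf("CRL stale since %s", crl.NextUpdate.UTC().Format(time.RFC3339))
		}
		if err != nil {
			return fmt.Errorf("%s: %w", cert.Subject.CommonName, err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%s: %w", cert.Subject.CommonName, ErrRevoked)
			}
		}
	}
	return nil
}
```

BuildChain(nil) with only the intermediate's CRL published yields ErrNoRevocationInfo for the intermediate, the Problem 2 result. BuildChain([]string{RootCRLURL}) yields ErrRevocationOffline until a root-signed CRL is published under RootCRLURL, after which the whole chain passes; the root CRL can be given a very long validFor, as the 2055 NextUpdate in the final trace does. Republishing the intermediate's CRL with the leaf serial listed turns the result into ErrRevoked, and a CRL signed by the wrong CA is rejected by the signature check rather than silently accepted.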
$ certutil -verify -urlfetch -user ./pki.crt
Issuer:
CN=Kokomi Network Intermediate V1
OU=Certificate Authority
O=Kokomi Network
L=Minhang
S=Shanghai
C=CN
Name Hash(sha1): c660ef204c4fb795088e9c75154a01a0c93b4672
Name Hash(md5): a426aa1e9e887076ae0ee5280eab86e1
Subject:
CN=Kokomi Network PKI
Name Hash(sha1): 451e055a2e8a6ba8601c8646de7cd9e84085fe2a
Name Hash(md5): 159b31da3a7106e1c03dbcde76022b51
Cert Serial Number: 3ee75db2352fd661e4031a01a85320c0
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_CURRENT_USER
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Days, 12 Hours, 7 Minutes, 7 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Days, 12 Hours, 7 Minutes, 7 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=Kokomi Network Intermediate V1, OU=Certificate Authority, O=Kokomi Network, L=Minhang, S=Shanghai, C=CN
NotBefore: 2025-09-01 05:13
NotAfter: 2025-09-02 05:14
Subject: CN=Kokomi Network PKI
Serial: 3ee75db2352fd661e4031a01a85320c0
SubjectAltName: DNS Name=pki.home.kokomi.site
Cert: de92458ffc39cb7d44b85f9afa471d658d165d7d
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0 0aa21b4711e32e14d208ea1723f18d7ee741bb1f
[0.0] http://pki.home.kokomi.site/intermediates.pem
---------------- Certificate CDP ----------------
Verified "Base CRL (04)" Time: 0 2f9cfabb12d964ff63768e19912cbfe3d81e021f
[0.0] http://pki.home.kokomi.site/crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CRL 03:
Issuer: CN=Kokomi Network Intermediate V1, OU=Certificate Authority, O=Kokomi Network, L=Minhang, S=Shanghai, C=CN
ThisUpdate: 2025-09-01 05:14
NextUpdate: 2025-09-02 05:14
CRL: e910d165fb4ebc97a8f907350a779eaa2eb692cb
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=Kokomi Network Root V1, OU=Certificate Authority, O=Kokomi Network, L=Shanghai, S=Shanghai, C=CN
NotBefore: 2025-09-01 05:10
NotAfter: 2026-08-31 09:10
Subject: CN=Kokomi Network Intermediate V1, OU=Certificate Authority, O=Kokomi Network, L=Minhang, S=Shanghai, C=CN
Serial: 110c4bbb6eed8f271b2321e2e6f151e3
Cert: 0aa21b4711e32e14d208ea1723f18d7ee741bb1f
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0 c65c7c2bffca700029edc9eeb8fbccf9c48d7091
[0.0] http://pki.home.kokomi.site/roots.pem
---------------- Certificate CDP ----------------
Verified "Base CRL (01)" Time: 0 0714d834be310e6d228970ebe63e8b53cf0e3c5d
[0.0] http://pki.home.kokomi.site/root.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
CRL 01:
Issuer: CN=Kokomi Network Root V1, OU=Certificate Authority, O=Kokomi Network, L=Shanghai, S=Shanghai, C=CN
ThisUpdate: 2025-08-30 17:18
NextUpdate: 2055-08-23 17:18
CRL: 0714d834be310e6d228970ebe63e8b53cf0e3c5d
Issuance[0] = 2.23.140.1.2.1
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=Kokomi Network Root V1, OU=Certificate Authority, O=Kokomi Network, L=Shanghai, S=Shanghai, C=CN
NotBefore: 2025-08-30 17:18
NotAfter: 2055-08-23 17:18
Subject: CN=Kokomi Network Root V1, OU=Certificate Authority, O=Kokomi Network, L=Shanghai, S=Shanghai, C=CN
Serial: 3820193029fb5853f5731ac3970a7977
Cert: c65c7c2bffca700029edc9eeb8fbccf9c48d7091
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0 (null)
--------------------------------
Exclude leaf cert:
Chain: d9858cd19626915c1323bba68fc081cc2fde69d4
Full chain:
Chain: a9debbfd83e102297a751f198e6d1abcf9b69930
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
openssl genpkey does not encrypt the private key
The documentation, openssl-genpkey - OpenSSL Documentation, says that -pass supplies a passphrase used to encrypt the private key, but in practice it had no effect. My command looked like this:
openssl genpkey -algorithm RSA -out key.pem -pass pass:hello
The Examples section does have a working case: a cipher has to be passed as well, for instance -aes-128-cbc (or -aes-256-cbc).
The trouble is that the documentation is very oblique; it never says outright that without -cipher no encryption happens and -pass is simply unused. The quick check is the PEM header of the output: an encrypted PKCS#8 key begins with -----BEGIN ENCRYPTED PRIVATE KEY-----, an unencrypted one with -----BEGIN PRIVATE KEY-----.
As for which ciphers are accepted, there is no overview either; anything in the EVP_CIPHER list, EVP_CIPHER-AES - OpenSSL Documentation, works. This part of the documentation…
Self-built step-ca cannot bind port 80
A step-ca built from source with Go and uploaded to the server runs under rc-service step-ca start, but cannot bind ports 80 and 443.
Starting it by hand works. The cause is clear: both are privileged ports below 1024, and the rc service runs it as the unprivileged step-ca user.
The Alpine package's build script shows that it sets setcap cap_net_bind_service=+ep; doing the same on the binary fixes it.
Note that Alpine does not ship setcap by default; install it with apk add libcap-setcap. The capability is an attribute of the file, so check it with getcap on the binary at its final location in /usr/bin after the move.
scp -O step-ca pki:
ssh pki
chmod +x step-ca
setcap cap_net_bind_service=+ep step-ca
mv step-ca /usr/bin
rc-service step-ca restart
Force PVE to renew its ACME certificate
Because I switched to a new PKI, PVE had to request a certificate through ACME again. But the web UI is HTTPS only, and with the old certificate no longer trusted the browser blocks the API calls the ACME page makes.
One way is to open the developer tools, go to the Network panel, find the XHR request, open it in a new tab, accept the insecure certificate, then reload the page. After trying that over and over… I gave up.
The other way is to renew manually from a terminal, see "PVE 的 HTTPS 证书未按时续期".
That then failed with "type":"urn:ietf:params:acme:error:accountDoesNotExist", because I had deleted step-ca's db directory 😅. The ACME accounts live in that database, so once it is gone the client's account has to be registered again before a new order can succeed.
Fixing certificate lint findings
e_signature_algorithm_not_supported
The SHA256-RSAPSS that Configure step-ca with an RSA certificate chain recommends is flagged as unsupported; switching back to SHA256-RSA clears it.
e_sub_cert_aia_does_not_contain_ocsp_url
The open-source smallstep/step does not support OCSP. Nothing to be done; ignored.
e_sub_cert_cert_policy_empty
A certificate policy needs to be added:
- In the ACME template add
"policyIdentifiers": ["2.23.140.1.2.1"],
to mark the certificates as DV (domain-validated)
- In the OIDC template add
"policyIdentifiers": ["2.23.140.1.2.3"],
to mark them as IV (individual-validated)