How to create and trust a certificate using OpenSSL?


Problem description

It must work in Firefox and all other browsers as well. I am using an IIS 10 server,
and Firefox v70, Firefox Dev edition v72b5, Chrome v79, Edge v44. I want the HTTPS binding to work in all of these browsers.

Recommended answer

Ok. I think I found out the answer.

A certification authority has to be created to use HTTPS binding, and hereby all our certificates will be signed by it. For that, download a suitable version of OpenSSL from here: Win32/Win64 OpenSSL Installer for Windows, and install it. Then, for faster and easier working, a few script files can be made.

In the folder (in which the script is running) add a folder named #. All the certificate files will be stored there.

For creating the root certificate, RootCA.bat,

REM Root CA private key, encrypted with a passphrase (you will be prompted for it)
openssl genrsa -des3 -out #/RootCA.key 4096
REM Self-signed root certificate, valid for two years; subject and extensions come from RootCa.csr
openssl req -x509 -new -nodes -sha256 -days 730 -key #/RootCA.key -out #/RootCA.crt -config RootCa.csr
REM PKCS#12 bundles of key + certificate for importing into Windows. All three files have the
REM same binary PKCS#12 content (only the extension differs). Note that they carry the CA private
REM key; to merely trust the CA, importing RootCA.crt alone is enough.
openssl pkcs12 -export -out #/RootCA.p12 -inkey #/RootCA.key -in #/RootCA.crt
openssl pkcs12 -export -out #/RootCA.pem -inkey #/RootCA.key -in #/RootCA.crt
openssl pkcs12 -export -out #/RootCA.pfx -inkey #/RootCA.key -in #/RootCA.crt

And, for RootCA's details, create RootCa.csr,

[req]
default_bits = 4096
prompt = no
default_md = sha256
# req_extensions only go into a CSR; a self-signed "req -x509" certificate takes its
# extensions from x509_extensions, so the CA flags are defined in [ v3_ca ] below.
req_extensions = req_ext
x509_extensions = v3_ca
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=Developer
OU=CodeSigner
CN=*.codesigning.in

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.codesigning.in

[ v3_ca ]
# Mark the root as a CA. Without basicConstraints CA:TRUE, strict validators (NSS, used by
# Firefox, among them) refuse to treat a v3 root certificate as an issuer.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

When you run RootCA.bat it will create a certificate using RootCa.csr's details and export a .pem, .pfx and .p12 along with the certificate file (a RootCA.csr and RootCA.key are also created).

For creating the server certificate, server.bat,

REM Server key (2048-bit, unencrypted) and CSR written to #/; subject details come from the
REM config file server.csr in the script folder (a different file from the #/server.csr output)
openssl req -new -sha256 -nodes -out #/server.csr -newkey rsa:2048 -keyout #/server.key -config server.csr
REM Sign the CSR with the root CA for one year, adding the SAN and key usage extensions from v3.ext
openssl x509 -req -in #/server.csr -CA #/RootCA.crt -CAkey #/RootCA.key -CAcreateserial -out #/server.crt -days 365 -sha256 -extfile v3.ext
REM PKCS#12 bundles with key, server certificate and the root CA chain (for the IIS binding);
REM as in RootCA.bat, the three outputs are identical PKCS#12 files with different extensions
openssl pkcs12 -export -out #/server.p12 -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
openssl pkcs12 -export -out #/server.pem -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
openssl pkcs12 -export -out #/server.pfx -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt

And, of course, for the details create a server.csr file,

[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=Developer
OU=Test & Learn
CN=*.localhost.in

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.localhost.in

And, Another file named v3.ext (I don't quite know about it),

# Links the server certificate to its issuer by the CA's key id (falls back to the issuer name)
authorityKeyIdentifier=keyid,issuer
# An end-entity certificate must not be able to sign further certificates
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# Browsers match the hostname against the SAN entries, not against the CN
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.localhost.in

Again, when you run server.bat it will create a certificate using server.csr's details and export a .pem, .pfx and .p12 along with the certificate file (a server.csr and server.key are also created).

Note: You will have to modify the server.csr for your custom domains (by default, it's going to create it for the dev.localhost.in domain).

!!! Warning: You have to remember the passwords you enter. And you might modify the RootCA.csr and RootCA.bat as you need (to increase expiration, modify details etc.).

Adding to Windows,

As I use Windows, I only know about importing to Windows. To add it in Windows simply click on the RootCA.p12 file and import it. Remember, you have to trust the RootCA in Trusted Root Certification Authorities and in Intermediate Certification Authorities.

All the browsers except for Firefox will trust the site. WORK done (partially)!!

You can check it using mmc from Run, and then snap in Certificates using Ctrl + M.

Because Firefox uses its own Certificate Manager and doesn't pay any heed to the system's certificates, you will have to manually import the RootCA.crt for trust, and all the inheriting certificates will be trusted. As follows,
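The procedure above, as an added POSIX shell example that is not part of the original answer: it builds a throwaway root CA and a server certificate the same way the answer's scripts do, then runs the two checks a browser effectively makes, that the chain verifies against the root and that the wildcard SAN covers the hostname. It assumes the openssl CLI is installed; the CA name, hostnames and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original answer): build a throwaway root CA and a
# server certificate the way the answer's scripts do, then run the two checks a
# browser will effectively make: the chain verifies and the wildcard SAN matches
# the hostname. Needs the openssl CLI; every name and value here is constructed.
set -e

# make_chain DIR : writes RootCA.key/.crt and server.key/.csr/.crt into DIR
make_chain() {
  dir="$1"
  mkdir -p "$dir"
  # Unlike the answer's RootCa.csr, this config marks the root as a CA via
  # x509_extensions (req_extensions are ignored by "req -x509").
  cat > "$dir/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Root CA (constructed)
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Leaf extensions, same shape as the answer's v3.ext (serverAuth EKU added)
  cat > "$dir/v3.ext" <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.localhost.in
EOF
  openssl genrsa -out "$dir/RootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 2 -key "$dir/RootCA.key" \
    -config "$dir/req.cnf" -out "$dir/RootCA.crt"
  # -subj overrides the [dn] section of req.cnf for the server CSR
  openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=*.localhost.in" \
    -config "$dir/req.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/RootCA.crt" -CAkey "$dir/RootCA.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/v3.ext" -out "$dir/server.crt" 2>/dev/null
}

# verify_host DIR HOST : succeeds only if server.crt chains to RootCA.crt and HOST is
# covered by its SAN (single-label wildcard: dev.localhost.in yes, localhost.in no)
verify_host() {
  openssl verify -CAfile "$1/RootCA.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
```

The same verify_host check can be pointed at the #/RootCA.crt and #/server.crt files the answer's scripts produce, before importing anything into a trust store.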
