让 Chrome 接受自签名的本地主机证书 [英] Getting Chrome to accept self-signed localhost certificate

问题描述

我为 localhost CN 创建了一个自签名 SSL 证书.正如预期的那样，Firefox 在最初抱怨之后接受了这个证书.然而，Chrome 和 IE 拒绝接受它，即使在将证书添加到受信任根下的系统证书存储后也是如此.即使当我在 Chrome 的 HTTPS 弹出窗口中单击查看证书信息"时证书被列为正确安装，它仍然坚持认为证书不可信.

I have created a self-signed SSL certificate for the localhost CN. Firefox accepts this certificate after initially complaining about it, as expected. Chrome and IE, however, refuse to accept it, even after adding the certificate to the system certificate store under Trusted Roots. Even though the certificate is listed as correctly installed when I click "View certificate information" in Chrome's HTTPS popup, it still insists the certificate cannot be trusted.

我该怎么做才能让 Chrome 接受证书并停止抱怨?

What am I supposed to do to get Chrome to accept the certificate and stop complaining about it?

推荐答案

使用仅 5 openssl 命令，您就可以完成此任务.

(请不要更改您的浏览器安全设置.)

使用以下代码，您可以 (1) 成为您自己的 CA，(2) 然后将您的 SSL 证书签名为 CA.(3) 然后将 CA 证书(不是 SSL 证书，它进入您的服务器)导入 Chrome/Chromium.(是的，这甚至适用于 Linux.)

With the following code, you can (1) become your own CA, (2) then sign your SSL certificate as a CA. (3) Then import the CA certificate (not the SSL certificate, which goes onto your server) into Chrome/Chromium. (Yes, this works even on Linux.)

注意:对于 Windows，一些报告说 openssl 必须与 winpty 一起运行以避免崩溃.

NB: For Windows, some reports say that openssl must be run with winpty to avoid a crash.

######################
# Become a Certificate Authority
######################

# Generate private key
openssl genrsa -des3 -out myCA.key 2048
# Generate root certificate
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

######################
# Create CA-signed certs
######################

NAME=mydomain.com # Use your own domain name
# Generate a private key
openssl genrsa -out $NAME.key 2048
# Create a certificate-signing request
openssl req -new -key $NAME.key -out $NAME.csr
# Create a config file for the extensions
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
DNS.2 = bar.$NAME # Optionally, add additional domains (I've added a subdomain here)
IP.1 = 192.168.0.13 # Optionally, add an IP address (if the connection which you have planned requires it)
EOF
# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial 
-out $NAME.crt -days 825 -sha256 -extfile $NAME.ext

总结:

1. 成为 CA
2. 使用您的 CA 证书+密钥签署您的证书
3. 将 myCA.pem 作为权威"导入(不是进入您的证书")在您的 Chrome 设置(设置 > 管理证书 > 授权 > 导入)
4. 使用服务器中的 $NAME.crt 和 $NAME.key 文件

1. Become a CA
2. Sign your certificate using your CA cert+key
3. Import myCA.pem as an "Authority" (not into "Your Certificates") in your Chrome settings (Settings > Manage certificates > Authorities > Import)
4. Use the $NAME.crt and $NAME.key files in your server

额外的步骤(至少对于 Mac):

Extra steps (for Mac, at least):

1. 在文件"中导入 CA 证书导入文件"，然后也在列表中找到它，右键单击它，展开>信任"，然后选择始终"
2. 在basicConstraints=CA:FALSE下方添加extendedKeyUsage=serverAuth,clientAuth，并确保将CommonName"设置为要求设置时与 $NAME 相同

1. Import the CA cert at "File > Import file", then also find it in the list, right click it, expand "> Trust", and select "Always"
2. Add extendedKeyUsage=serverAuth,clientAuth below basicConstraints=CA:FALSE, and make sure you set the "CommonName" to the same as $NAME when it's asking for setup

您可以检查您的工作以确保正确构建证书:

openssl verify -CAfile myCA.pem -verify_hostname bar.mydomain.com mydomain.com.crt

这篇关于让 Chrome 接受自签名的本地主机证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！