How to make browser trust localhost SSL certificate?


Question


Although there are similar questions, and even good answers, they either don't concern themselves with localhost specifically, or ask about one particular option/solution (self-signed vs CA).

What are the options? How do they compare? How do I do this?

Solution

tl;dr Generate a certificate issued by own CA (see the script below)

Here's what I've found. Correct me where I'm wrong.

There are CAs (certificate authorities). They issue certificates (sign CSRs) for other CAs (intermediate CAs), or servers (end entity certificates). Some of them are root authorities. They have self-signed certificates, issued by themselves. That is, usually there's a chain of trust that goes from server certificate to root certificate. And there's no one to vouch for a root certificate. As such, OSes have a root certificate store (or trust policy store), a systemwide list of trusted root certificates. Browsers have their own lists of trusted certificates, which consist of the systemwide list plus certificates trusted by the user.

In Chromium you manage certificates at chrome://settings/certificates. In Firefox, Preferences > Privacy & Security > Certificates > View Certificates. Both have an Authorities tab, which is a list of trusted root certificates, and a Servers tab, a list of trusted server certificates.

To obtain a certificate you create a CSR (certificate signing request) and send it to a CA. The CA signs the CSR, turning it into a trusted certificate in the process.

Certificates and CSRs are a bunch of fields with information plus a public key. Some of the fields are called extensions. A CA certificate is a certificate with basicConstraints = CA:true.

You can inspect certificate errors in Chromium in Developer Tools > Security.

Trusting certificates systemwide

When you change the OS root certificate store, you've got to restart the browser. You change it with:

# trust anchor path/to/cert.crt
# trust anchor --remove path/to/cert.crt

trust puts CA certificates under "authority" category (trust list), or "other-entry" category otherwise. CA certificates appear in Authorities tab in browsers, or else in Servers tab.

Firefox doesn't trust server certificates from OS' root certificate store, as opposed to Chromium. Both trust CA certificates from OS' root certificate store.

Trusting certificates in a browser

In Chromium and Firefox you can add (import) certificates to the Authorities tab. If you try to import a non-CA certificate, you get a "Not a Certificate Authority" message. After choosing a file, a dialog appears where you can specify trust settings (when to trust the certificate). The relevant setting for making a site work is "Trust this certificate for identifying websites."

In Chromium, you can add (import) certificates on Servers tab. But they end up either on Authorities tab (CA certificates, and you're not presented with trust settings dialog after choosing a file), or on Others tab (if non-CA certificate).

In Firefox, you can't exactly add a certificate to Servers tab. You add exceptions. And you can trust a certificate with no extensions at all (poor) there.

Self-signed certificate extensions

My system comes with the following default settings (extensions to be added) for certificates:

basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer

Taken from /etc/ssl/openssl.cnf, section v3_ca. More on it here.

Additionally, Chromium considers a certificate invalid, when it doesn't have subjectAltName = DNS:$domain.

Non-self-signed certificate extensions

From section [ usr_cert ] of /etc/ssl/openssl.cnf:

basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

When browsers trust a self-signed certificate

For Chromium to trust a self-signed certificate it's got to have basicConstraints = CA:true, and subjectAltName = DNS:$domain. For Firefox not even this is enough:

basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = DNS:$domain

When browsers trust a certificate issued by own CA

Firefox needs no extensions, but Chromium requires subjectAltName.

openssl cheat sheet

openssl genpkey -algorithm RSA -out "$domain".key - generate private key (man)

openssl req -x509 -key "$domain".key -out "$domain".crt - generate self-signed certificate (man)

Without -subj it will ask questions regarding distinguished name (DN), like common name (CN), organization (O), locality (L). You can answer them "in advance": -subj "/CN=$domain/O=$org".

To add subjectAltName extension, you've got to either have a config where it all is specified, or add a section to config and tell openssl its name with -extensions switch:

    -config <(cat /etc/ssl/openssl.cnf - <<END
[ x509_ext ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = DNS:$domain
END
    ) -extensions x509_ext

openssl req -new -key "$domain".key -out "$domain".csr - generate CSR, it can take -subj option (man)

openssl x509 -req -in "$domain".csr -days 365 -out "$domain".crt -CA ca.crt -CAkey ca.key -CAcreateserial - sign CSR (man)

Doesn't work without -CAcreateserial. It creates a ca.srl file, where it keeps serial number of the last generated certificate. To add subjectAltName, you're gonna need -extfile switch:

    -extfile <(cat <<END
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$domain
END
    )

openssl req -in $domain.csr -text -noout - view CSR (man)

openssl x509 -in $domain.crt -text -noout - view certificate (man)

Generate self-signed certificate

(you're gonna need an exception in Firefox for it to work)

#!/usr/bin/env bash
set -eu
org=localhost
domain=localhost

sudo trust anchor --remove "$domain".crt || true

openssl genpkey -algorithm RSA -out "$domain".key
openssl req -x509 -key "$domain".key -out "$domain".crt \
    -subj "/CN=$domain/O=$org" \
    -config <(cat /etc/ssl/openssl.cnf - <<END
[ x509_ext ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = DNS:$domain
END
    ) -extensions x509_ext

sudo trust anchor "$domain".crt

Generate a certificate issued by own CA

#!/usr/bin/env bash
set -eu
org=localhost-ca
domain=localhost

sudo trust anchor --remove ca.crt || true

openssl genpkey -algorithm RSA -out ca.key
openssl req -x509 -key ca.key -out ca.crt \
    -subj "/CN=$org/O=$org"

openssl genpkey -algorithm RSA -out "$domain".key
openssl req -new -key "$domain".key -out "$domain".csr \
    -subj "/CN=$domain/O=$org"

openssl x509 -req -in "$domain".csr -days 365 -out "$domain".crt \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile <(cat <<END
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$domain
END
    )

sudo trust anchor ca.crt

Webserver configuration

Nginx:

server {
    listen  443  ssl;
    ssl_certificate  ssl/localhost.crt;
    ssl_certificate_key  ssl/localhost.key;
    ...

Morbo:

carton exec morbo --listen='https://*:3000?cert=localhost.crt&key=localhost.key' \
    site.pl

P.S. I'm running Chromium 65.0.3325.162, Firefox 59.0, and openssl-1.1.0.g.

Windows

Apparently, Windows doesn't have the trust utility. Under Windows one has two stores: the Local Machine and Current User certificate stores. No point in using the Local Machine certificate store, since we're making it work just for our current user. Then, there are substores, two predefined ones being of most interest: the Trusted Root Certification Authorities and Intermediate Certification Authorities stores. They are commonly referred to on the command line as root and CA.

You can access Chrome's Certificate Manager by following chrome://settings/?search=Manage%20certificates, then clicking Manage certificates. Of most interest are Trusted Root Certification Authorities and Intermediate Certification Authorities tabs.

One way to manage certificates is via the command line:

>rem list Current User > Trusted Root Certification Authorities store
>certutil.exe -store -user root

>rem list Local Machine > Intermediate Certification Authorities store
>certutil.exe -store -enterprise CA

>rem GUI version of -store command
>certutil.exe -viewstore -user CA

>rem add certificate to Current User > Trusted Root Certification Authorities store
>certutil.exe -addstore -user root path\to\file.crt

>rem delete certificate from Current User > Trusted Root Certification Authorities store by serial number
>certutil.exe -delstore -user root 03259fa1

>rem GUI version of -delstore command
>certutil.exe -viewdelstore -user CA

The results are as follows (for both Local Machine and Current User Certificate stores):

root
    localhost.crt
        error
    ca.crt
        appears in Trusted Root Certification Authorities tab
CA
    localhost.crt
        doesn't work, appears in Other People tab
    ca.crt
        doesn't work, appears in Intermediate Certification Authorities tab

Other options would be double-clicking on a certificate in Explorer, importing certificates from Chrome's Certificate Manager, using Certificates MMC Snap-in (run certmgr.msc), or using CertMgr.exe.

For those who have grep installed, here's how to quickly check where the certificate is:

>certutil.exe -store -user root | grep "localhost|^root|^CA" ^
& certutil.exe -store -user CA | grep "localhost|^root|^CA" ^
& certutil.exe -store -enterprise root | grep "localhost|^root|^CA" ^
& certutil.exe -store -enterprise CA | grep "localhost|^root|^CA"

So, installing CA certificate into Current User > Trusted Root Certification Authorities store seems like the best option. And make sure not to forget to restart your browser.

Additional reading

OpenSSL
genpkey
req
x509
OpenSSL Certificate Authority
Certificates for localhost
iamaCA - Become your own certificate authority and dispense certifications
Firefox and Self-Signed Certs
Bypassing certificate error page in Chrome
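The answer above explains what the extensions do but leaves it to the browser to report whether they came out right. The following script is an added example, not part of the question or answer: it builds a throwaway CA and a leaf certificate for localhost with the same extensions the answer uses, then runs from the command line the checks a browser effectively performs, so you can confirm the chain, the subjectAltName and the CA:FALSE flag before touching any trust store. It assumes openssl 1.1 or newer is on PATH; the function names, the temp directory and the `other.test` hostname used as a negative case are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the question or answer above. Builds a throwaway
# CA and a leaf certificate for localhost with the same extensions the answer
# uses, then runs the checks a browser effectively performs: the leaf chains to
# the CA, it names the host in subjectAltName, and it is a non-CA certificate.
# Assumes openssl 1.1 or newer is on PATH. Everything lands in a temp dir;
# nothing is added to any trust store.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
domain=localhost
org=localhost-ca

# Issue the CA and the leaf; same recipe as the answer's second script, with a
# self-contained config so the result does not depend on /etc/ssl/openssl.cnf.
make_chain() {
    cat >"$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = $org
O = $org
[ ca_ext ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
    # Leaf extensions: CA:FALSE plus the SAN that Chromium insists on.
    cat >"$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$domain
EOF
    openssl genpkey -algorithm RSA -out "$WORK/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -out "$WORK/ca.crt" -days 365 \
        -config "$WORK/ca.cnf"
    openssl genpkey -algorithm RSA -out "$WORK/$domain.key" 2>/dev/null
    openssl req -new -key "$WORK/$domain.key" -out "$WORK/$domain.csr" \
        -subj "/CN=$domain/O=$org" -config "$WORK/ca.cnf"
    openssl x509 -req -in "$WORK/$domain.csr" -days 365 -out "$WORK/$domain.crt" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" 2>/dev/null
}

# Chain check: is the leaf signed by a CA we trust? This is what adding ca.crt
# to the trust store buys you in the browser.
chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$domain.crt" >/dev/null 2>&1
}

# Hostname check: does the certificate name the host being connected to?
# The answer notes Chromium treats a certificate without a matching
# subjectAltName as invalid; openssl's -verify_hostname applies the same test.
names_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/$domain.crt" >/dev/null 2>&1
}

# Returns the basicConstraints flag (CA:TRUE or CA:FALSE) of a certificate file
# in $WORK; the answer's extension lists put CA:true on the CA, CA:FALSE on leaf.
basic_constraints() {
    openssl x509 -in "$WORK/$1" -noout -text | grep -oE 'CA:(TRUE|FALSE)' | head -n1
}

make_chain
echo "leaf chains to CA:          $(chains_to_ca && echo yes || echo no)"
echo "leaf valid for $domain:   $(names_host "$domain" && echo yes || echo no)"
echo "leaf valid for other.test:  $(names_host other.test && echo yes || echo no)"
echo "CA   basicConstraints:      $(basic_constraints ca.crt)"
echo "leaf basicConstraints:      $(basic_constraints "$domain.crt")"
```

Run it as a plain user; it needs no sudo because nothing is installed. If `leaf valid for localhost` says no while the chain check passes, the SAN is missing or wrong, which is exactly the case where Chromium shows an error even though the CA is trusted.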
