How to make browser trust localhost SSL certificate?
Question
Although there are similar questions, and even good answers, they either don't concern themselves with localhost specifically, or ask about one particular option/solution (self-signed vs CA).
What are the options? How do they compare? How do I do this?
tl;dr Generate a certificate issued by own CA (see the script below)
Here's what I've found. Correct me where I'm wrong.
There are CAs (certificate authorities). They issue certificates (sign CSRs) for other CAs (intermediate CAs), or servers (end entity certificates). Some of them are root authorities. They have self-signed certificates, issued by themselves. That is, usually there's a chain of trust that goes from the server certificate to a root certificate. And there's no one to vouch for a root certificate. As such, OSes have a root certificate store (or trust policy store), a systemwide list of trusted root certificates. Browsers have their own lists of trusted certificates, which consist of the systemwide list plus certificates trusted by the user.
In Chromium you manage certificates at chrome://settings/certificates. In Firefox, at Preferences > Privacy & Security > Certificates > View Certificates. Both have an Authorities tab, which is a list of trusted root certificates, and a Servers tab, a list of trusted server certificates.
To obtain a certificate you create a CSR (certificate signing request) and send it to a CA. The CA signs the CSR, turning it into a trusted certificate in the process.
Certificates and CSRs are a bunch of fields with information plus a public key. Some of the fields are called extensions. A CA certificate is a certificate with basicConstraints = CA:true.
You can inspect certificate errors in Chromium in Developer Tools > Security.
Trusting certificates systemwide
When you change the OS root certificate store, you've got to restart the browser. You change it with:

# trust anchor path/to/cert.crt
# trust anchor --remove path/to/cert.crt

trust puts CA certificates under the "authority" category (trust list), or under the "other-entry" category otherwise. CA certificates appear in the Authorities tab in browsers, or else in the Servers tab.
Firefox doesn't trust server certificates from the OS root certificate store, as opposed to Chromium. Both trust CA certificates from the OS root certificate store.
Trusting certificates in a browser
In Chromium and Firefox you can add (import) certificates to the Authorities tab. If you try to import a non-CA certificate, you get a "Not a Certificate Authority" message. After choosing a file, a dialog appears where you can specify trust settings (when to trust the certificate). The relevant setting for making a site work is "Trust this certificate for identifying websites."
In Chromium, you can add (import) certificates on the Servers tab. But they end up either on the Authorities tab (CA certificates, and you're not presented with the trust settings dialog after choosing a file), or on the Others tab (if it is a non-CA certificate).
In Firefox, you can't exactly add a certificate to the Servers tab. You add exceptions. And you can trust a certificate with no extensions at all (poor) there.
Self-signed certificate extensions
My system comes with the following default settings (extensions to be added) for certificates:

basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer

Taken from /etc/ssl/openssl.cnf, section v3_ca. More on it here.
Additionally, Chromium considers a certificate invalid when it doesn't have subjectAltName = DNS:$domain.
Non-self-signed certificate extensions
From section [ usr_cert ] of /etc/ssl/openssl.cnf:

basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

When browsers trust a self-signed certificate
For Chromium to trust a self-signed certificate it's got to have basicConstraints = CA:true and subjectAltName = DNS:$domain. For Firefox not even this is enough:

basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = DNS:$domain

When browsers trust a certificate issued by own CA
Firefox needs no extensions, but Chromium requires subjectAltName.
openssl cheat sheet

openssl genpkey -algorithm RSA -out "$domain".key

- generate private key (man)

openssl req -x509 -key "$domain".key -out "$domain".crt

- generate self-signed certificate (man). Without -subj it will ask questions regarding the distinguished name (DN), like common name (CN), organization (O), locality (L). You can answer them "in advance": -subj "/CN=$domain/O=$org". To add the subjectAltName extension, you've got to either have a config where it all is specified, or add a section to the config and tell openssl its name with the -extensions switch:

-config <(cat /etc/ssl/openssl.cnf - <<END
[ x509_ext ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = DNS:$domain
END
) -extensions x509_ext

openssl req -new -key "$domain".key -out "$domain".csr

- generate CSR, it can take the -subj option (man)

openssl x509 -req -in "$domain".csr -days 365 -out "$domain".crt \
-CA ca.crt -CAkey ca.key -CAcreateserial

- sign CSR (man). Doesn't work without -CAcreateserial. It creates a ca.srl file, where it keeps the serial number of the last generated certificate. To add subjectAltName, you're gonna need the -extfile switch:

-extfile <(cat <<END
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$domain
END
)

openssl req -in $domain.csr -text -noout

- view CSR (man)

openssl x509 -in $domain.crt -text -noout

- view certificate (man)
Generate self-signed certificate
(you're gonna need an exception in Firefox for it to work)

#!/usr/bin/env bash
set -eu
org=localhost
domain=localhost
sudo trust anchor --remove "$domain".crt || true
openssl genpkey -algorithm RSA -out "$domain".key
openssl req -x509 -key "$domain".key -out "$domain".crt \
-subj "/CN=$domain/O=$org" \
-config <(cat /etc/ssl/openssl.cnf - <<END
[ x509_ext ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = DNS:$domain
END
) -extensions x509_ext
sudo trust anchor "$domain".crt
Generate a certificate issued by own CA

#!/usr/bin/env bash
set -eu
org=localhost-ca
domain=localhost
sudo trust anchor --remove ca.crt || true
openssl genpkey -algorithm RSA -out ca.key
openssl req -x509 -key ca.key -out ca.crt \
-subj "/CN=$org/O=$org"
openssl genpkey -algorithm RSA -out "$domain".key
openssl req -new -key "$domain".key -out "$domain".csr \
-subj "/CN=$domain/O=$org"
openssl x509 -req -in "$domain".csr -days 365 -out "$domain".crt \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(cat <<END
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$domain
END
)
sudo trust anchor ca.crt
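Added here as an example that is not part of the post: a POSIX sh script that builds a throwaway CA-issued pair the same way the script above does, then checks the three things the post says a CA-issued certificate needs before a browser accepts it (basicConstraints CA:FALSE, a subjectAltName DNS entry for the domain, a chain to the CA that also passes a hostname check). The check-cert.sh name, the test-ca subject and the temp file names are assumptions; it only needs openssl and installs nothing into any trust store.

```shell
#!/bin/sh
# Added example, not from the post: build a throwaway CA-issued pair the way the
# post's second script does, then check what the post says a CA-issued leaf
# needs: basicConstraints CA:FALSE, a subjectAltName DNS entry for the domain
# (Chromium rejects the certificate without it) and a chain to the CA that also
# passes a hostname check. Nothing is installed into any trust store.
set -eu

# make_pair DIR DOMAIN: writes ca.crt and DOMAIN.crt into DIR. A minimal req
# config is written so the run does not depend on /etc/ssl/openssl.cnf.
make_pair() {
    dir=$1; domain=$2
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:true\n' \
        > "$dir/req.cnf"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$domain" > "$dir/leaf.ext"
    openssl genpkey -algorithm RSA -out "$dir/ca.key" 2>/dev/null
    openssl req -x509 -config "$dir/req.cnf" -extensions ca_ext -key "$dir/ca.key" \
        -out "$dir/ca.crt" -days 1 -subj "/CN=test-ca/O=test-ca"
    openssl genpkey -algorithm RSA -out "$dir/$domain.key" 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -key "$dir/$domain.key" \
        -out "$dir/$domain.csr" -subj "/CN=$domain/O=test-ca"
    openssl x509 -req -in "$dir/$domain.csr" -days 1 -out "$dir/$domain.crt" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" 2>/dev/null
}

# check_leaf LEAF.crt CA.crt DOMAIN: prints the first requirement that fails and
# returns 1; returns 0 when all three hold.
check_leaf() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:FALSE' \
        || { echo "$1: basicConstraints is not CA:FALSE"; return 1; }
    # In -text output the DNS entries sit on the line after the SAN header.
    printf '%s\n' "$text" | awk '/Subject Alternative Name/ { getline; print }' \
        | grep -qE "(^|[[:space:],])DNS:$3(,|\$)" \
        || { echo "$1: no subjectAltName DNS:$3 (Chromium will reject it)"; return 1; }
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1 \
        || { echo "$1: does not chain to $2 for host $3"; return 1; }
    echo "$1: OK for $3"
}

# Usage: sh check-cert.sh localhost.crt ca.crt localhost
if [ $# -eq 3 ]; then
    check_leaf "$1" "$2" "$3"
fi
```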
Webserver configuration
Nginx:

server {
listen 443 ssl;
ssl_certificate ssl/localhost.crt;
ssl_certificate_key ssl/localhost.key;
...
}

Morbo:

carton exec morbo --listen='https://*:3000?cert=localhost.crt&key=localhost.key' \
site.pl

P.S. I'm running Chromium 65.0.3325.162, Firefox 59.0, and openssl-1.1.0.g.
Windows
Apparently, Windows doesn't have a trust utility. Under Windows one has two stores: the Local Machine and Current User certificate stores. No point in using the Local Machine certificate store, since we're making it work just for our current user. Then, there are substores. Two predefined ones are of most interest: the Trusted Root Certification Authorities and Intermediate Certification Authorities stores, commonly referred to on the command line as root and CA.
You can access Chrome's Certificate Manager by following chrome://settings/?search=Manage%20certificates, then clicking Manage certificates. Of most interest are the Trusted Root Certification Authorities and Intermediate Certification Authorities tabs.
One way to manage certificates is via the command line:

>rem list Current User > Trusted Root Certification Authorities store
>certutil.exe -store -user root
>rem list Local Machine > Intermediate Certification Authorities store
>certutil.exe -store -enterprise CA
>rem GUI version of -store command
>certutil.exe -viewstore -user CA
>rem add certificate to Current User > Trusted Root Certification Authorities store
>certutil.exe -addstore -user root path\to\file.crt
>rem delete certificate from Current User > Trusted Root Certification Authorities store by serial number
>certutil.exe -delstore -user root 03259fa1
>rem GUI version of -delstore command
>certutil.exe -viewdelstore -user CA

The results are as follows (for both the Local Machine and Current User certificate stores):

root store:
  localhost.crt - error
  ca.crt - appears in Trusted Root Certification Authorities tab
CA store:
  localhost.crt - doesn't work, appears in Other People tab
  ca.crt - doesn't work, appears in Intermediate Certification Authorities tab
Other options would be double-clicking on a certificate in Explorer, importing certificates from Chrome's Certificate Manager, using the Certificates MMC Snap-in (run certmgr.msc), or using CertMgr.exe.
For those who have grep installed, here's how to quickly check where the certificate is:

>certutil.exe -store -user root | grep "localhost\|^root\|^CA" ^
& certutil.exe -store -user CA | grep "localhost\|^root\|^CA" ^
& certutil.exe -store -enterprise root | grep "localhost\|^root\|^CA" ^
& certutil.exe -store -enterprise CA | grep "localhost\|^root\|^CA"

So, installing CA certificate into Current User > Trusted Root Certification Authorities store seems like the best option. And make sure not to forget to restart your browser.
Additional reading
OpenSSL: genpkey, req, x509
OpenSSL Certificate Authority
Certificates for localhost
iamaCA - Become your own certificate authority and dispense certifications
Firefox and Self-Signed Certs
Bypassing certificate error page in Chrome