How to trust self-signed localhost certificates on Linux Chrome and Firefox


Question

I am trying to generate a self-signed certificate for a custom local domain pointing to 127.0.0.1:

# /etc/hosts
127.0.0.1 subdomain.domain.local

I've generated a self-signed certificate using openssl and remember that everything worked in the past. But it seems that since Chrome 58, there are far more restrictions on using self-signed certificates.

My attempts end with "Your connection is not private", followed by one of the errors below:

  • "security certificate is not trusted" if I proceed like in the past.
  • "not a certification authority" when trying to import it into Chrome.
  • "subject alternative name missing" when using a certificate after importing its CA.

I'm pretty sure I'm missing something in the process. Please, can anyone provide the valid configuration to handle alternative names along with the exact steps to create the corresponding CA and a certificate so that Chrome and Firefox can handle my local custom domain?

Answer

TLDR

  1. Create a file generate.sh

#!/usr/bin/env bash
# Usage: ./generate.sh example.com
# Writes example.com.ca.key / example.com.ca.crt (the CA; import the .crt into the browser)
# and example.com.key / example.com.crt (the server key and SAN certificate).
set -e
find . \( -name "$1.*" -o -name "*.srl" \) -type f -delete
cp /usr/lib/ssl/openssl.cnf "$1.cnf"
# Patch the copied openssl.cnf with the v3_ca / v3_req / alt_names settings from the article below.
python3 - "$1" << "END"
import sys
from configparser import ConfigParser

domain = sys.argv[1]

# No interpolation (openssl.cnf values contain "$"), non-strict so repeated keys do not abort,
# and case-preserving option names (OpenSSL extension names are case-sensitive).
config = ConfigParser(interpolation=None, strict=False)
config.optionxform = str

name = "{}.cnf".format(domain)

# openssl.cnf has settings before its first [section]; give them a dummy section so it parses.
with open(name) as stream:
    config.read_string("[top]\n" + stream.read())

# Section names keep the surrounding spaces used in openssl.cnf ("[ v3_ca ]").
config.set(" v3_ca ", "subjectKeyIdentifier", "hash")
config.set(" v3_ca ", "authorityKeyIdentifier", "keyid:always,issuer")
config.set(" v3_ca ", "basicConstraints", "critical, CA:TRUE, pathlen:3")
config.set(" v3_ca ", "keyUsage", "critical, cRLSign, keyCertSign")
config.set(" v3_ca ", "nsCertType", "sslCA, emailCA")

config.set(" v3_req ", "basicConstraints", "CA:FALSE")
config.set(" v3_req ", "keyUsage", "nonRepudiation, digitalSignature, keyEncipherment")
config.set(" v3_req ", "subjectAltName", "@alt_names")
config.remove_option(" v3_req ", "extendedKeyUsage")

config.add_section(" alt_names ")
config.set(" alt_names ", "DNS.1", domain)
config.set(" alt_names ", "DNS.2", "*.{}".format(domain))

config.set(" req ", "req_extensions", "v3_req")

with open(name, "w") as stream:
    config.write(stream)
END
# Drop the dummy [top] header again.
tail -n +2 "$1.cnf" > "$1.cnf.tmp" && mv "$1.cnf.tmp" "$1.cnf"
# openssl reads the CA passphrase from the terminal, not from stdin (piping it in has no effect),
# so you are prompted here and once more when the server certificate is signed below.
openssl genrsa -aes256 -out "$1.ca.key" 2048
chmod 400 "$1.ca.key"
# Give the CA a subject distinct from the server certificate's CN.
openssl req -new -x509 -subj "/CN=$1 CA" -extensions v3_ca -days 3650 -key "$1.ca.key" -sha256 -out "$1.ca.crt" -config "$1.cnf"
openssl genrsa -out "$1.key" 2048
openssl req -subj "/CN=$1" -extensions v3_req -sha256 -new -key "$1.key" -out "$1.csr"
# The SAN and the other extensions come from -extfile/-extensions at signing time.
openssl x509 -req -extensions v3_req -days 3650 -sha256 -in "$1.csr" -CA "$1.ca.crt" -CAkey "$1.ca.key" -CAcreateserial -out "$1.crt" -extfile "$1.cnf"
openssl x509 -in "$1.crt" -text -noout

  • Call ./generate.sh example.com

    Requires Python 3 (the script as originally posted targeted Python 2)


  • All credits go to this excellent article by Fabian Lee.

    Create a trusted CA and SAN certificate using OpenSSL

    1. Customize openssl.cnf
    2. Create the CA certificate
    3. Create a server certificate with SANs signed by the CA

    Prerequisite

    As a prerequisite, ensure the SSL packages are installed:

    $ sudo apt install -y openssl   # provides the openssl command-line tool; libssl1.0.0 is only the runtime library
    

    Customized openssl.cnf

    The first step is to grab the openssl.cnf template available on your system. On Ubuntu this can be found at /usr/lib/ssl/openssl.cnf. You may find this in /System/Library/OpenSSL/ on MacOS, and /etc/pki/tls on Redhat variants.

    export prefix="mydomain"
    
    cp /usr/lib/ssl/openssl.cnf $prefix.cnf
    

    $prefix.cnf needs be modified with the specific information about the cert we are going to generate.

    Under the [ v3_ca ] section, add the following values. For the CA, this signifies we are creating a CA that will be used for key signing.

    [ v3_ca ]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer
    basicConstraints = critical, CA:TRUE, pathlen:3
    keyUsage = critical, cRLSign, keyCertSign
    nsCertType = sslCA, emailCA
    

    Then under the [ v3_req ] section, set the following along with all the valid alternative names for this certificate.

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    #extendedKeyUsage=serverAuth
    subjectAltName = @alt_names
    
    [ alt_names ]
    DNS.1 = mydomain.com 
    DNS.2 = *.mydomain.com
    

    Also uncomment the following line under the [ req ] section so that certificate requests are created with v3 extensions.

    req_extensions = v3_req
    

    When we generate each type of key, we specify which extension section we want to use, which is why we can share $prefix.cnf for creating both the CA as well as the SAN certificate.

    Now we will start using OpenSSL to create the necessary keys and certificates. First generate the private/public RSA key pair:

    openssl genrsa -aes256 -out ca.key.pem 2048
    
    chmod 400 ca.key.pem
    

    This encodes the key file using a passphrase based on AES256. Then we need to create the self-signed root CA certificate.

    openssl req -new -x509 -subj "/CN=myca" -extensions v3_ca -days 3650 -key ca.key.pem -sha256 -out ca.pem -config $prefix.cnf
    

    You can verify this root CA certificate using:

    openssl x509 -in ca.pem -text -noout
    

    This will show the root CA certificate, and the Issuer and Subject will be the same since this is self-signed. This is flagged as CA:TRUE meaning it will be recognized as a root CA certificate; meaning browsers and OS will allow it to be imported into their trusted root certificate store.

    Issuer: CN=myca 
    ... 
    Subject: CN=myca 
    ... 
    X509v3 Basic Constraints: 
      critical CA:TRUE, pathlen:3 
    X509v3 Key Usage: 
      critical Certificate Sign, CRL Sign 
    Netscape Cert Type: 
      SSL CA, S/MIME CA
    

    Create Server certificate signed by CA

    With the root CA now created, we switch over to the server certificate. First generate the private/public RSA key pair:

    openssl genrsa -out $prefix.key.pem 2048
    

    We didn't put a passphrase on this key simply because the CA is a more valuable target and we can always regenerate the server cert, but feel free to take this extra precaution.

    Then create the server cert signing request:

    openssl req -subj "/CN=$prefix" -extensions v3_req -sha256 -new -key $prefix.key.pem -out $prefix.csr
    

    Then generate the server certificate using the: server signing request, the CA signing key, and CA cert.

    openssl x509 -req -extensions v3_req -days 3650 -sha256 -in $prefix.csr -CA ca.pem -CAkey ca.key.pem -CAcreateserial -out $prefix.crt -extfile $prefix.cnf
    

    The $prefix.key.pem is the server private key and $prefix.crt is the server certificate. Verify the certificate:

    openssl x509 -in $prefix.crt -text -noout
    

    This will show the certificate, and the Issuer will be the CA name, while the Subject is the prefix. This is not set to be a CA, and the Subject Alternative Name field contains the URLs that will be considered valid by browsers.

    Issuer: 
     CN=myca 
    ... 
    Subject: 
      CN=mydomain 
    ... 
    X509v3 Basic Constraints: 
      CA:FALSE 
    X509v3 Key Usage: 
      Digital Signature, Non Repudiation, Key Encipherment 
    X509v3 Subject Alternative Name:
      DNS:mydomain.com, DNS:*.mydomain.com
    

    Browser Evaluation

    When you first point Chrome or Firefox at the site with your SAN cert with CA signing, it will throw the same type of exceptions as a self-signed SAN cert. This is because the root CA cert is not known as a trusted source for signed certificates.

    On Linux, Chrome manages its own certificate store and again you should import ca.pem into the Authorities. This should now make the security icon turn green.

    In Chrome settings (chrome://settings), search for certificates and click on Manage Certificates. On Windows this will open the Windows certificate manager and you should import the ca.pem file at the Trusted Root Certification Authorities tab. This is equivalent to adding it through mmc.exe, in the local user trusted root store (not the computer level).

    In Firefox Options about:preferences, search for certificates and click View Certificates. Go to the Authorities tab and import ca.pem. Check the box to have it trust websites, and now the lock icon should turn green when you visit the page.
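An added, self-contained version of the whole procedure above (example code, not part of the answer or of Fabian Lee's article): it writes a minimal OpenSSL config of its own instead of patching the system openssl.cnf, signs a SAN leaf and, for contrast, the same CSR without the extension section, and then checks with openssl the three properties behind the three browser errors quoted in the question (CA:TRUE on what you import as an authority, DNS names in subjectAltName, and a chain that verifies for the hostname). The domain, output directory and CA name are assumptions; run it as ./check-local-ca.sh subdomain.domain.local.

```shell
#!/bin/sh
# Added example (not code from the answer or from Fabian Lee's article): the CA + SAN leaf
# procedure with its own minimal OpenSSL config, plus the checks behind the three browser
# errors in the question. Domain, output directory and CA name are assumptions.
set -eu

# write_cnf DOMAIN FILE: a CA extension section, a server extension section and the SAN list.
# The section is chosen per command with -extensions, so one file serves the CA and the leaf.
write_cnf() {
  cat > "$2" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = $1
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $1
DNS.2 = *.$1
EOF
}

# make_local_ca DOMAIN OUTDIR: creates OUTDIR/ca.crt (the file to import into the browser),
# OUTDIR/DOMAIN.key + OUTDIR/DOMAIN.crt (for the web server) and, to show the failure mode,
# OUTDIR/DOMAIN.nosan.crt, the same CSR signed without the extension section.
make_local_ca() {
  mkdir -p "$2"
  write_cnf "$1" "$2/openssl.cnf"
  # The CA key is left unencrypted so the script runs unattended; add -aes256 for a CA you keep.
  openssl genrsa -out "$2/ca.key" 2048 2>/dev/null
  # The CA gets a subject distinct from the leaf so chain building never confuses the two.
  openssl req -new -x509 -config "$2/openssl.cnf" -extensions v3_ca -subj "/CN=$1 local CA" \
    -days 3650 -sha256 -key "$2/ca.key" -out "$2/ca.crt"
  openssl genrsa -out "$2/$1.key" 2048 2>/dev/null
  openssl req -new -config "$2/openssl.cnf" -subj "/CN=$1" -sha256 -key "$2/$1.key" -out "$2/$1.csr"
  # x509 -req takes its extensions from -extfile/-extensions; the CSR's own requests are not copied.
  # 825 days: some clients (Apple's in particular) reject server certs valid for longer than that.
  openssl x509 -req -in "$2/$1.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" -CAcreateserial \
    -extfile "$2/openssl.cnf" -extensions v3_req -days 825 -sha256 -out "$2/$1.crt" 2>/dev/null
  # The pre-Chrome-58 way: CN only, no SAN. Chrome now reports "subject alternative name missing".
  openssl x509 -req -in "$2/$1.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" -CAcreateserial \
    -days 825 -sha256 -out "$2/$1.nosan.crt" 2>/dev/null
}

# is_ca CERT: CA:TRUE is what Chrome checks when a cert is imported under Authorities;
# importing a leaf there gives "not a certification authority".
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# has_san_for CERT NAME: Chrome 58+ matches the host against subjectAltName only and ignores
# the CN. openssl verify still falls back to the CN, so this has to be checked separately.
has_san_for() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -qwF "DNS:$2"
}

# verify_leaf CA LEAF NAME: chain, purpose and hostname check, i.e. what the browser does once
# CA is in its trust store (the wildcard SAN entry covers one label, so www.DOMAIN passes too).
verify_leaf() { openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" >/dev/null 2>&1; }

main() {
  domain=${1:-subdomain.domain.local}
  dir=${2:-$(mktemp -d)}
  make_local_ca "$domain" "$dir"
  echo "files written to $dir"
  is_ca "$dir/ca.crt" && echo "ca.crt: CA:TRUE, importable as an Authority"
  has_san_for "$dir/$domain.crt" "$domain" && echo "$domain.crt: subjectAltName lists DNS:$domain"
  verify_leaf "$dir/ca.crt" "$dir/$domain.crt" "$domain" && echo "$domain.crt: verifies against ca.crt for $domain"
  has_san_for "$dir/$domain.nosan.crt" "$domain" || echo "$domain.nosan.crt: no SAN, Chrome 58+ rejects it"
}
main "$@"
```

Once ca.crt passes is_ca, import it as described under Browser Evaluation. On Linux, Chrome reads the shared NSS database in ~/.pki/nssdb, so the import can also be scripted with certutil from libnss3-tools: certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "local dev CA" -i ca.crt. Firefox keeps its own database per profile and still needs the import through about:preferences. Note that the nosan certificate passes openssl verify for the bare domain (openssl falls back to the CN), which is exactly why a separate SAN check is worth running before blaming the browser.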
