自定义 SSL 证书颁发机构? [英] Custom SSL Certificate Authority?
问题描述
是否可以将自定义 SSL 证书颁发机构添加到我的浏览器中?
Is there a custom SSL certificate authority I can add to my browser?
我们使用了很多内部网址,例如
We use lots of internal urls like
http://www.somproject.somebranch/ 用于在各个分支上工作
http://www.somproject.somebranch/ for working on individual branches
如果有一些服务可以添加到我的浏览器/操作系统中,让我可以为非真实域使用单个证书(或轻松生成证书),那就太酷了.这是否存在,或者这只是一个#firstworldproblem?
It would be cool if there was some service I could add to my browser/OS which would let me use a single cert (or easily generate certs) for non-real domains. Does this exist, or is this just a #firstworldproblem?
推荐答案
自定义 CA 的要点在于您必须自己创建它(尤其是作为 CA 证书的私钥的持有者).将任何可用的 CA 证书导入您的浏览器意味着任何拥有其私钥的人都可以颁发您的浏览器识别的证书(通常适用于任何网站,除非有特定政策).
The point of a custom CA is that you have to create it yourself (by being the holder of the private key for the CA certificate, in particular). Importing just any available CA certificate into your browser would mean that anyone with its private key could issue certificates recognised by your browser (usually for any site, unless there is a specific policy).
有一些工具可以管理 CA:
There are a few tools to manage a CA:
- OpenSSL 的
CA.pl:它是 OpenSSL 附带的脚本.它非常基本但高度可配置(通过openssl.cnf). - TinyCA 是 OpenSSL 的前端,可帮助您使用 GUI 管理证书.它比
CA.pl更易于管理. - OSX 在 Keychain.app 中带有自己的界面.
- 在本安全中列出了许多其他工具.SE 问题:EJBCA、OpenCA 和 XCA.
- OpenSSL's
CA.pl: it's a script that comes with OpenSSL. It's quite basic but highly configurable (viaopenssl.cnf). - TinyCA is a front-end to OpenSSL that helps you manage your certificates with a GUI. It's a bit more manageable than
CA.pl. - OSX comes with its own interface in Keychain.app.
- There are a number of other tools listed in this Security.SE question: EJBCA, OpenCA and XCA.
一般来说,大部分艰苦的工作是管理部分(不是系统管理员,而是文书工作).如果只是为了你,EJBCA 或 OpenCA 可能有点矫枉过正.
Most of the hard work is the administrative part (not so much sysadmin, but paperwork) in general. If it's just for you, EJBCA or OpenCA might be overkill.
这篇关于自定义 SSL 证书颁发机构?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
