How to create a self-signed (or signed by own CA) SSL certificate for an IP address that passes Chrome requirements


Problem description

How to create self-signed (or signed by own CA) SSL certificate that can be trusted by Chrome (after adding CA certificate to local machine).

Certificate must be valid for local network IPs, localhost and multiple domains

Recommended answer

  1. Prepare config files for creating certificates non-interactively (without prompts)

CA.cnf

[ req ]
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
C = US
ST = Localzone
L = localhost
O = Certificate Authority Local Center
OU = Develop
CN = develop.localhost.localdomain
emailAddress = root@localhost.localdomain

localhost.cnf

[req]
default_bits  = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = US
stateOrProvinceName = Localzone
localityName = Localhost
organizationName = Certificate signed by my CA
commonName = localhost.localdomain

[req_ext]
subjectAltName = @alt_names

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = 127.0.0.1
IP.2 = 127.0.0.2
IP.3 = 127.0.0.3
IP.4 = 192.168.0.1
IP.5 = 192.168.0.2
IP.6 = 192.168.0.3
DNS.1 = localhost
DNS.2 = localhost.localdomain
DNS.3 = dev.local

  2. Generate a CA private key and certificate (valid for 5 years)

openssl req -nodes -new -x509 -keyout CA_key.pem -out CA_cert.pem -days 1825 -config CA.cnf

  3. Generate web server secret key and CSR

openssl req -sha256 -nodes -newkey rsa:2048 -keyout localhost_key.pem -out localhost.csr -config localhost.cnf

  4. Create certificate and sign it by own certificate authority (valid 1 year)

openssl x509 -req -days 398 -in localhost.csr -CA CA_cert.pem -CAkey CA_key.pem -CAcreateserial -out localhost_cert.pem -extensions req_ext -extfile localhost.cnf

  5. Profit

Output files will be:

  • CA.cnf → OpenSSL CA config file. May be deleted after certificate creation process.
  • CA_cert.pem → [Certificate Authority] certificate. This certificate must be added to the browser local authority storage so that all certificates created using this CA are trusted.
  • CA_cert.srl → Random serial number. May be deleted after certificate creation process.
  • CA_key.pem → Must be used when creating a new [localhost] certificate. May be deleted after certificate creation process (if you do not plan to reuse it and CA_cert.pem).
  • localhost.cnf → OpenSSL SSL certificate config file. May be deleted after certificate creation process.
  • localhost.csr → Certificate Signing Request. May be deleted after certificate creation process.
  • localhost_cert.pem → SSL certificate. Must be installed on the web server.
  • localhost_key.pem → Secret key. Must be installed on the web server.

SSL Certificate alternative names can be checked by

openssl x509 -noout -text -in localhost_cert.pem | grep 'X509v3 Subject Alternative Name' -A 1
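
A fuller check than the grep above, added here as an example that is not part of the original answer: it confirms that the leaf certificate chains to the local CA, is still valid, and covers each IP address and host name you expect. The helper names `check_cert` and `is_ip` are hypothetical; the file names are the ones produced by the steps above.

```shell
#!/bin/sh
# Added example (not from the answer). check_cert and is_ip are hypothetical
# helper names; file names follow the steps above.

# is_ip VALUE: succeeds if VALUE looks like an IPv4 or IPv6 literal.
is_ip() {
    case "$1" in
        *:*) return 0 ;;                 # IPv6 literal
        ''|*[!0-9.]*) return 1 ;;        # empty, or has non-IPv4 characters
        *.*.*.*) return 0 ;;             # dotted quad
        *) return 1 ;;
    esac
}

# check_cert CERT CA NAME...: returns 0 only if CERT verifies against CA,
# is not about to expire, and matches every NAME.
check_cert() {
    cert=$1; ca=$2; shift 2
    rc=0
    # 1. Chain: the leaf must verify against the CA certificate.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi
    # 2. Validity: still valid 24 hours from now.
    if ! openssl x509 -noout -checkend 86400 -in "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within 24h"; rc=1
    fi
    # 3. Names: IP literals are matched against IP SAN entries, everything
    #    else as a host name (DNS SAN entries; OpenSSL falls back to CN only
    #    when the certificate has no DNS SAN at all, Chrome never does).
    for name in "$@"; do
        if is_ip "$name"; then opt=-checkip; else opt=-checkhost; fi
        out=$(openssl x509 -noout "$opt" "$name" -in "$cert" 2>&1) || true
        case "$out" in
            *"does match"*) echo "ok:   $name" ;;
            *) echo "FAIL: $name is not covered by the certificate"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Run against the files from the steps above when they are present.
if [ -f localhost_cert.pem ] && [ -f CA_cert.pem ]; then
    check_cert localhost_cert.pem CA_cert.pem \
        127.0.0.1 192.168.0.1 localhost localhost.localdomain dev.local
fi
```

A name entered as `IP.n` in `[alt_names]` only matches when the client connects by that IP address, and a `DNS.n` entry only matches a host name, so list every address and name the server will be reached by.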
