如何使用 OpenSSL 创建和信任证书? [英] How to create and trust certificate Using OpenSSL?

问题描述

如何使用 OpenSSL 创建有效证书以在 IIS 中使用 HTTPS 绑定??

<块引用>

它必须在 Firefox 和所有其他浏览器中也能工作我正在使用 IIS 10 服务器.
还有 Firefox v70、Firefox Dev 版 v72b5、Chrome v79、Edge v44.我希望 HTTPS 绑定能够在所有这些浏览器中工作.

解决方案

好的.我想，我找到了答案，

必须创建一个认证机构才能使用 HTTPS 绑定，因此我们所有的证书都将由它签署.为此，请从此处下载合适版本的 OpenSSL:

现在，导入证书并简单地添加与证书的 HTTPS 绑定并使用任何服务器(甚至 IIS 等)托管网站.

How to create valid certificate using OpenSSL for using HTTPS binding in IIS ??

It must work in Firefox and all other browsers as well I am using IIS 10 server.
And Firefox v70, Firefox Dev edition v72b5, Chrome v79, Edge v44. I want the HTTPS binding to work in all of these browsers.

解决方案

Ok. I think, I found out the answer,

A certification authourity have to be created to use HTTPS binding and hereby all our certificates will be signed from it. For that download a suitable version of OpenSSL from here: Win32/Win64 OpenSSL Installer for Windows And Install it. Then, for fast and easier working a few script file can be made,

In the folder (in which the script is running) add a folder named #. All the certicate files will be stored there.

for making Root Certificate's create RootCA.bat,

openssl genrsa -des3 -out #/RootCA.key 4096
openssl req -x509 -new -nodes -sha256 -days 730 -key #/RootCA.key -out #/RootCA.crt -config rootca.csr
openssl pkcs12 -export -out #/RootCA.p12 -inkey #/RootCA.key -in #/RootCA.crt
openssl pkcs12 -export -out #/RootCA.pem -inkey #/RootCA.key -in #/RootCA.crt
openssl pkcs12 -export -out #/RootCA.pfx -inkey #/RootCA.key -in #/RootCA.crt

And, For RootCA's details create RootCa.csr,

[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=Developer
OU=CodeSigner
CN=*.codesigning.in

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.codesigning.in

When you Run RootCA.bat it will create a certificate using RootCa.csr's details and Export a .pem, .pfx and .p12 along with certificate file (a RootCA.csr and 'RootCA.key' is also created).

Now, for servers certificate create server.bat,

openssl req -new -sha256 -nodes -out #/server.csr -newkey rsa:2048 -keyout #/server.key -config server.csr
openssl x509 -req -in #/server.csr -CA #/RootCA.crt -CAkey #/RootCA.key -CAcreateserial -out #/server.crt -days 365 -sha256 -extfile v3.ext
openssl pkcs12 -export -out #/server.p12 -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
openssl pkcs12 -export -out #/server.pem -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
openssl pkcs12 -export -out #/server.pfx -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt

And, Of course for details create a server.csr file,

[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=Developer
OU=Test & Learn
CN=*.localhost.in

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.localhost.in

And, Another file named v3.ext (I don't quite know about it),

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.localhost.in

Again When you Run server.bat it will create a certificate using server.csr's details and Export a .pem, .pfx and .p12 along with certificate file (a server.csr and server.key is also created).

Note: You will have to modify the server.csr for your custom domains (default by, its gonna create for dev.localhost.in domain).

!!! Warning: You Have to remember the passwords you enter. And You might modify the RootCA.csr and RootCA.bat as your need. (to increase expiration, modify deatails etc.)

Adding to Windows,

As i use windows i only know about importing to windows. To add in windows simply click on the RootCA.p12 file and import it. Remember, you have to trust the RootCA in Trusted Root Certification Authourity And in Intermediate Certification Authourity.

All the browsers Except for firefox will trust the site. WORK Done (Partially)!!

You can check it using mmc in the run. And then snap-in certificates using Ctrl + M.

Adding to FireFox,

Because FireFox uses it own Certificate Managers and doesn't pay any heed to systems certificates. So, You will have to manually have to import the RootCA.crt for trust And all the inheriting certificates will be trusted. As Follows,

NOW, Import the certificate and simply add HTTPS binding with the certificate And Host the website using any server (even IIS etc).

这篇关于如何使用 OpenSSL 创建和信任证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！