如何使浏览器信任 localhost SSL 证书? [英] How to make browser trust localhost SSL certificate?
问题描述
虽然 有 类似 问题,甚至是好 答案,他们要么不关心自己具体使用 localhost,或询问一个特定的选项/解决方案(自签名与 CA).
有哪些选择?他们如何比较?我该怎么做?
tl;dr 生成自己的CA颁发的证书(见下方脚本)
这是我发现的.纠正我的错误.
有 CA(证书颁发机构).他们为其他 CA(中间 CA)或服务器(最终实体证书)颁发证书(签署 CSR).其中一些是根权限.他们有自己签发的自签名证书.也就是说,通常存在从服务器证书到根证书的信任链.而且没有人可以保证根证书.因此,操作系统有一个根证书存储(或信任策略存储),一个系统范围的受信任根证书列表.浏览器有自己的受信任证书列表,其中包括系统范围的列表和用户信任的证书.
在 Chromium 中,您可以在 chrome://settings/certificates 管理证书.在 Firefox 中,Preferences >隐私与安全 >证书 >查看证书
.两者都有 Authorities 选项卡,这是受信任的根证书的列表.和服务器选项卡,受信任的服务器证书列表.
要获得您创建 CSR(证书签名请求)的证书,请将其发送给 CA.CA 签署 CSR,在此过程中将其转化为可信证书.
证书和 CSR 是一堆包含信息和公钥的字段.一些字段被称为扩展.CA 证书是具有 basicConstraints = CA:true
的证书.
您可以在 Developer Tools > 中检查 Chromium 中的证书错误.安全
.
全系统信任证书
当您更改操作系统的根证书存储时,您必须重新启动浏览器.你改变它:
# 信任锚路径/to/cert.crt# 信任锚 -- 删除路径/to/cert.crt
trust
将 CA 证书置于授权"类别(trust list
)或其他条目"类别下.CA 证书显示在浏览器的授权"选项卡中,或者显示在服务器"选项卡中.
与 Chromium 不同,Firefox 不信任来自操作系统根证书存储的服务器证书.两者都信任来自操作系统根证书存储的 CA 证书.
在浏览器中信任证书
在 Chromium 和 Firefox 中,您可以将证书添加(导入)到 Authorities 选项卡.如果您尝试导入非 CA 证书,则会收到不是证书颁发机构"消息.选择文件后,会出现一个对话框,您可以在其中指定信任设置(何时信任证书).使网站正常工作的相关设置是信任此证书以识别网站".
在 Chromium 中,您可以在服务器选项卡上添加(导入)证书.但它们最终会出现在授权"选项卡(CA 证书,选择文件后不会出现信任设置对话框)或其他"选项卡(如果是非 CA 证书)上.
在 Firefox 中,您无法准确地将证书添加到服务器"选项卡.您添加例外.而且您可以信任根本没有扩展的证书(差).
自签名证书扩展
我的系统带有以下证书的默认设置(要添加的扩展):
basicConstraints = critical,CA:truesubjectKeyIdentifier = 哈希authorityKeyIdentifier = keyid:always,issuer
取自 /etc/ssl/openssl.cnf,部分 v3_ca.更多信息这里.p>
此外,当证书没有 subjectAltName = DNS:$domain
时,Chromium 会认为证书无效.
非自签名证书扩展
来自 [ usr_cert ] 部分
:/etc/ssl/openssl 的代码>
.cnf
basicConstraints = CA:FALSEsubjectKeyIdentifier = 哈希authorityKeyIdentifier = keyid,颁发者
当浏览器信任自签名证书时
要让 Chromium 信任自签名证书,它必须具有 basicConstraints = CA:true
和 subjectAltName = DNS:$domain
.对于 Firefox 来说,这还不够:
basicConstraints = critical,CA:truesubjectKeyIdentifier = 哈希authorityKeyIdentifier = keyid:always,issuersubjectAltName = DNS:$domain
当浏览器信任自己的 CA 颁发的证书时
Firefox 不需要扩展,但 Chromium 需要 subjectAltName
.
openssl
备忘单
openssl genpkey -algorithm RSA -out "$domain".key
- 生成私钥(man)
openssl req -x509 -key "$domain".key -out "$domain".crt
- 生成自签名证书(man)
如果没有 -subj
,它会询问有关专有名称 (DN) 的问题,例如通用名称 (CN)、组织 (O)、位置 (L).您可以提前"回答它们:-subj "/CN=$domain/O=$org"
.
要添加 subjectAltName
扩展名,您必须有一个指定所有内容的配置,或者在配置中添加一个部分并用 openssl
告诉 openssl
其名称code>-extensions 开关:
-config <(cat/etc/ssl/openssl.cnf - <<END[ x509_ext ]基本约束 = 关键,CA:truesubjectKeyIdentifier = 哈希authorityKeyIdentifier = keyid:always,issuersubjectAltName = DNS:$domain结尾) - 扩展 x509_ext
openssl req -new -key "$domain".key -out "$domain".csr
- 生成CSR,可以带-subj
选项(
openssl x509 -req -in "$domain".csr -days 365 -out "$domain".crt -CA ca.crt -CAkey ca.key -CAcreateserial
- 签署 CSR (男人)
没有 -CAcreateserial
就无法工作.它创建一个 ca.srl
文件,其中保存最后生成的证书的序列号.要添加 subjectAltName
,你需要 -extfile
开关:
-extfile <(cat <<END基本约束 = CA:FALSEsubjectKeyIdentifier = 哈希authorityKeyIdentifier = keyid,颁发者subjectAltName = DNS:$domain结尾)
openssl req -in $domain.csr -text -noout
- 查看 CSR (man)
openssl x509 -in $domain.crt -text -noout
- 查看证书(man)
生成自签名证书
(您需要在 Firefox 中设置一个例外才能正常工作)
#!/usr/bin/env bash设置-eu组织=本地主机域=本地主机sudo 信任锚 --remove "$domain".crt ||真的openssl genpkey -algorithm RSA -out "$domain".keyopenssl req -x509 -key "$domain".key -out "$domain".crt -subj "/CN=$domain/O=$org" -config <(cat/etc/ssl/openssl.cnf - <<END[ x509_ext ]基本约束 = 关键,CA:truesubjectKeyIdentifier = 哈希authorityKeyIdentifier = keyid:always,issuersubjectAltName = DNS:$domain结尾) - 扩展 x509_extsudo 信任锚$domain".crt
生成自己的CA颁发的证书
#!/usr/bin/env bash设置-euorg=localhost-ca域=本地主机sudo 信任锚 --remove ca.crt ||真的openssl genpkey -algorithm RSA -out ca.keyopenssl req -x509 -key ca.key -out ca.crt -subj "/CN=$org/O=$org"openssl genpkey -algorithm RSA -out "$domain".keyopenssl req -new -key "$domain".key -out "$domain".csr -subj "/CN=$domain/O=$org"openssl x509 -req -in "$domain".csr -days 365 -out "$domain".crt -CA ca.crt -CAkey ca.key -CAcreateserial -extfile <(猫 <<END基本约束 = CA:FALSEsubjectKeyIdentifier = 哈希authorityKeyIdentifier = keyid,颁发者subjectAltName = DNS:$domain结尾)sudo 信任锚 ca.crt
网络服务器配置
Nginx:
服务器{听 443 ssl;ssl_certificate ssl/localhost.crt;ssl_certificate_key ssl/localhost.key;...
莫波:
carton exec morbo --listen='https://*:3000?cert=localhost.crt&key=localhost.key' 网站.pl
附:我正在运行 Chromium 65.0.3325.162、Firefox 59.0 和 openssl-1.1.0.g
.
窗口
显然,Windows 没有 trust
实用程序.在 Windows 下有一个 两个存储:本地计算机和当前用户证书存储.使用本地机器证书存储毫无意义,因为我们让它只为我们当前的用户工作.然后,有子商店.其中两个预定义是最受关注的:受信任的根证书颁发机构和中间证书颁发机构存储.在命令行中通常称为 root和 CA.
您可以通过 chrome://settings/?search=Manage%20certificates 访问 Chrome 的证书管理器,然后点击管理证书.最受关注的是受信任的根证书颁发机构和中间证书颁发机构选项卡.
管理证书的一种方法是通过 命令行:
>rem 列表当前用户>受信任的根证书颁发机构存储>certutil.exe -store -user root>rem 列表本地机器 >中级认证机构商店>certutil.exe -store -enterprise CA>rem GUI 版本的 -store 命令>certutil.exe -viewstore -user CA>rem 将证书添加到当前用户 >受信任的根证书颁发机构存储>certutil.exe -addstore -用户根路径 ofile.crt>rem 删除当前用户的证书 >受信任的根证书颁发机构按序列号存储>certutil.exe -delstore -user root 03259fa1>rem GUI 版本的 -delstore 命令>certutil.exe -viewdelstore -user CA
结果如下(本地机器和当前用户证书存储):
根本地主机.crt错误ca.crt出现在受信任的根证书颁发机构选项卡中加州本地主机.crt不起作用,出现在其他人"选项卡中ca.crt不起作用,出现在中间证书颁发机构选项卡中
其他选项包括在资源管理器中双击证书、从 Chrome 的证书管理器导入证书、使用证书 MMC 管理单元(运行 certmgr.msc
)或使用 CertMgr.exe
.
对于那些安装了grep
的人,这里是快速检查证书在哪里的方法:
>certutil.exe -store -user root |grep "本地主机|^root|^CA" ^&certutil.exe -store -user CA |grep "本地主机|^root|^CA" ^&certutil.exe -store -enterprise root |grep "本地主机|^root|^CA" ^&certutil.exe -store -enterprise CA |grep "本地主机|^root|^CA"
因此,将 CA 证书安装到 Current User > Trusted Root Certification Authorities 存储似乎是最佳选择.并且确保不要忘记重新启动您的浏览器.
补充阅读
OpenSSL
genpkey
req
x509
OpenSSL 证书颁发机构
本地主机证书
iamaCA - 成为您自己的证书颁发机构并分发认证
Firefox 和自签名证书
在 Chrome 中绕过证书错误页面
Although, there are similar questions, and even good answers, they either don't concern themselves with localhost specifically, or ask about one particular option/solution (self-signed vs CA).
What are the options? How do they compare? Ho do I do this?
tl;dr Generate a certificate issued by own CA (see the script below)
Here's what I've found. Correct me where I'm wrong.
There are CA's (certificate authorities). They issue certificates (sign CSR's) for other CA's (intermediate CA's), or servers (end entity certificates). Some of them are root authorities. They have self-signed certificates, issued by themselves. That is, usually there's a chain of trust that goes from server certificate to root certificate. And there's noone to vouch for a root certicate. As such, OS'es have a root certificate store (or trust policy store), a systemwide list of trusted root certificates. Browsers have their own lists of trusted certificates, which consist of systemwide list plus certificates trusted by the user.
In Chromium you manage certificates at chrome://settings/certificates. In Firefox, Preferences > Privacy & Security > Certificates > View Certificates
. Both have Authorities tab, which is a list of trusted root certificates. And Servers tab, a list of trusted server certificates.
To obtain a certificate you create CSR (certificate signing request), send it to CA. CA signs the CSR, turning it into trusted certificate in the process.
Certificates and CSR's are a bunch of fields with information plus public key. Some of the fields are called extensions. CA certificate is a certificate with basicConstraints = CA:true
.
You can inspect certificate errors in Chromium in Developer Tools > Security
.
Trusting certificates systemwide
When you change OS' root certificate store, you've got to restart a browser. You change it with:
# trust anchor path/to/cert.crt
# trust anchor --remove path/to/cert.crt
trust
puts CA certificates under "authority" category (trust list
), or "other-entry" category otherwise. CA certificates appear in Authorities tab in browsers, or else in Servers tab.
Firefox doesn't trust server certificates from OS' root certificate store, as opposed to Chromium. Both trust CA certificates from OS' root certificate store.
Trusting certificates in a browser
In Chromium, and Firefox you can add (import) certificates to Authorities tab. If you try to import a non-CA certificate, you get "Not a Certificate Authority" message. After choosing a file, a dialog appears where you can specify trust settings (when to trust the certificate). The relevant setting for making a site work is "Trust this certificate for identifying websites."
In Chromium, you can add (import) certificates on Servers tab. But they end up either on Authorities tab (CA certificates, and you're not presented with trust settings dialog after choosing a file), or on Others tab (if non-CA certificate).
In Firefox, you can't exactly add a certificate to Servers tab. You add exceptions. And you can trust a certificate with no extensions at all (poor) there.
Self-signed certificate extensions
My system comes with the following default settings (extensions to be added) for certificates:
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
Taken from /etc/ssl/openssl.cnf, section v3_ca. More on it here.
Additionally, Chromium considers a certificate invalid, when it doesn't have subjectAltName = DNS:$domain
.
Non-self-signed certificate extensions
From section [ usr_cert ]
of /etc/ssl/openssl.cnf
:
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
When browsers trust a self-signed certificate
For Chromium to trust to a self-signed certificate it's got to have basicConstraints = CA:true
, and subjectAltName = DNS:$domain
. For Firefox not even this is enough:
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = DNS:$domain
When browsers trust a certificate issued by own CA
Firefox needs no extensions, but Chromium requires subjectAltName
.
openssl
cheat sheet
openssl genpkey -algorithm RSA -out "$domain".key
- generate private key (man)
openssl req -x509 -key "$domain".key -out "$domain".crt
- generate self-signed certificate (man)
Without -subj
it will ask questions regarding distinguished name (DN), like common name (CN), organization (O), locality (L). You can answer them "in advance": -subj "/CN=$domain/O=$org"
.
To add subjectAltName
extension, you've got to either have a config where it all is specified, or add a section to config and tell openssl
its name with -extensions
switch:
-config <(cat /etc/ssl/openssl.cnf - <<END
[ x509_ext ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = DNS:$domain
END
) -extensions x509_ext
openssl req -new -key "$domain".key -out "$domain".csr
- generate CSR, it can take -subj
option (man)
openssl x509 -req -in "$domain".csr -days 365 -out "$domain".crt
-CA ca.crt -CAkey ca.key -CAcreateserial
- sign CSR (man)
Doesn't work without -CAcreateserial
. It creates a ca.srl
file, where it keeps serial number of the last generated certificate. To add subjectAltName
, you're gonna need -extfile
switch:
-extfile <(cat <<END
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$domain
END
)
openssl req -in $domain.csr -text -noout
- view CSR (man)
openssl x509 -in $domain.crt -text -noout
- view certificate (man)
Generate self-signed certificate
(you're gonna need an exception in Firefox for it to work)
#!/usr/bin/env bash
set -eu
org=localhost
domain=localhost
sudo trust anchor --remove "$domain".crt || true
openssl genpkey -algorithm RSA -out "$domain".key
openssl req -x509 -key "$domain".key -out "$domain".crt
-subj "/CN=$domain/O=$org"
-config <(cat /etc/ssl/openssl.cnf - <<END
[ x509_ext ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = DNS:$domain
END
) -extensions x509_ext
sudo trust anchor "$domain".crt
Generate a certificate issued by own CA
#!/usr/bin/env bash
set -eu
org=localhost-ca
domain=localhost
sudo trust anchor --remove ca.crt || true
openssl genpkey -algorithm RSA -out ca.key
openssl req -x509 -key ca.key -out ca.crt
-subj "/CN=$org/O=$org"
openssl genpkey -algorithm RSA -out "$domain".key
openssl req -new -key "$domain".key -out "$domain".csr
-subj "/CN=$domain/O=$org"
openssl x509 -req -in "$domain".csr -days 365 -out "$domain".crt
-CA ca.crt -CAkey ca.key -CAcreateserial
-extfile <(cat <<END
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$domain
END
)
sudo trust anchor ca.crt
Webserver configuration
Nginx:
server {
listen 443 ssl;
ssl_certificate ssl/localhost.crt;
ssl_certificate_key ssl/localhost.key;
...
Morbo:
carton exec morbo --listen='https://*:3000?cert=localhost.crt&key=localhost.key'
site.pl
P.S. I'm running Chromium 65.0.3325.162, Firefox 59.0, and openssl-1.1.0.g
.
Windows
Apparently, Windows doesn't have trust
utility. Under Windows one has two stores: Local Machine and Current User Certificate stores. No point in using Local Machine Certificate Store, since we're making it work just for our current user. Then, there are substores. With two predefined of them being of most interest: Trusted Root Certification Authorities and Intermediate Certification Authorities Stores. Commonly referred in command line as root and CA.
You can access Chrome's Certificate Manager by following chrome://settings/?search=Manage%20certificates, then clicking Manage certificates. Of most interest are Trusted Root Certification Authorities and Intermediate Certification Authorities tabs.
One way to manager certificates is via command line:
>rem list Current User > Trusted Root Certification Authorities store
>certutil.exe -store -user root
>rem list Local Machine > Intermediate Certification Authorities store
>certutil.exe -store -enterprise CA
>rem GUI version of -store command
>certutil.exe -viewstore -user CA
>rem add certificate to Current User > Trusted Root Certification Authorities store
>certutil.exe -addstore -user root path ofile.crt
>rem delete certificate from Current User > Trusted Root Certification Authorities store by serial number
>certutil.exe -delstore -user root 03259fa1
>rem GUI version of -delstore command
>certutil.exe -viewdelstore -user CA
The results are as follows (for both Local Machine and Current User Certificate stores):
root
localhost.crt
error
ca.crt
appears in Trusted Root Certification Authorities tab
CA
localhost.crt
doesn't work, appears in Other People tab
ca.crt
doesn't work, appears in Intermediate Certification Authorities tab
Other options would be double-clicking on a certificate in Explorer, importing certificates from Chrome's Certificate Manager, using Certificates MMC Snap-in (run certmgr.msc
), or using CertMgr.exe
.
For those who have grep
installed, here's how to quickly check where is the certificate:
>certutil.exe -store -user root | grep "localhost|^root|^CA" ^
& certutil.exe -store -user CA | grep "locahost|^root|^CA" ^
& certutil.exe -store -enterprise root | grep "localhost|^root|^CA" ^
& certutil.exe -store -enterprise CA | grep "localhost|^root|^CA"
So, installing CA certificate into Current User > Trusted Root Certification Authorities store seems like the best option. And make sure not to forget to restart your browser.
Additional reading
OpenSSL
genpkey
req
x509
OpenSSL Certificate Authority
Certificates for localhost
iamaCA - Become your own certificate authority and dispense certifications
Firefox and Self-Signed Certs
Bypassing certificate error page in Chrome
这篇关于如何使浏览器信任 localhost SSL 证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!