localhost的自签名SSL证书，如何使其受信任 [英] Self-signed SSL cert for localhost, how to make trusted

问题描述

我有一个Owin自托管C＃应用程序，提供超过127.0.0.1:5555的Web API服务（它只侦听localhost，没有外部连接）。

I have an Owin self-host C# app that provides Web API services over 127.0.0.1:5555 (it only listens on localhost, no external connections).

这些Web API服务是使用AngularJS应用程序中的Ajax调用的。顺便说一句：Owin应用程序的原因是需要与硬件进行某些交互，这在浏览器中是不可能的。此外，AngularJS应用程序供内部使用，因此我可以控制使用的浏览器。

These Web API services are called using Ajax from an AngularJS app. As an aside: the reason for the Owin app is that certain interaction with the hardware is needed, which is not possible from within a browser. Also, the AngularJS app is for internal use, so I have control over the browsers used.

以上在HTTP上运行良好，但Angular JS应用程序需要使用SSL，除非Owin应用程序也使用SSL（否则您会收到混合内容错误），它不起作用。

The above works very well over HTTP, but the Angular JS app needs to use SSL, which does not work unless the Owin app also uses SSL (otherwise you get "Mixed content" errors).

我已经购买了AngularJS应用程序的官方证书，我正在使用Owin localhost的自签名证书。

I have bought an official cert for the AngularJS app, and I am using self-signed certs for the Owin localhost stuff.

问题是我在与Owin Web交谈时从AngularJS应用程序获得NET :: ERR_CERT_AUTHORITY_INVALID（来自Chrome的testin）和net :: ERR_INSECURE_RESPONSE API。

The problem is that I get "NET::ERR_CERT_AUTHORITY_INVALID" (when testin from Chrome) and "net::ERR_INSECURE_RESPONSE" from the AngularJS app when talking to the Owin Web API.

以下是我的所作所为：

我使用CentOS框生成localhost的证书并将其导出为pkcs12 / pfx格式。我还生成了CA证书并以相同的方式导出它。

I used a CentOS box to generate the cert for localhost and exported it to pkcs12 / pfx format. I also generated a CA cert and exported it the same way.

使用MMC我在运行Angular& amp;的Windows 7机器上导入了localhost证书。将Owin应用程序转换为证书（本地计算机）>个人>证书。

Using MMC I imported the localhost cert on the Windows 7 machine running the Angular & Owin app into Certificates (Local Computer) > Personal > Certificates.

我还将Windows 7计算机上的CA证书导入证书（本地计算机）>受信任的根证书认证>证书

I also imported the CA cert on the Windows 7 machine into Certificates (Local Computer) > Trusted Root Certification Auhorities > Certificates

查看localhost证书，它显示发布到：localhost，发布者：ca.acme.com，你有一个私钥，对此证书进行更正，（在证书路径下）此证书正常

Looking at the localhost cert, it says "Issued to: localhost", Issued by: "ca.acme.com", "You have a private key that correpsonds to this certificate", (under Certification Path) "This certificate is Ok"

CA证书上写着发布到：ca.acme.com，发布者： ca.acme.com，您有一个与此证书相关的私钥，（在证书路径下）此证书正常

The CA cert says "Issued to: ca.acme.com", Issued by: "ca.acme.com", "You have a private key that correpsonds to this certificate", (under Certification Path) "This certificate is Ok"

netsh http show sslcert

IP:port                 : 127.0.0.1:5555 
Certificate Hash        : 1234555555555555555555511155555555555555
Application ID          : {1234a123-1234-1234-1234-123412341234} 
Certificate Store Name  : (null) 
Verify Client Certificate Revocation    : Enabled
Verify Revocation Using Cached Client Certificate Only    : Disabled
Usage Check    : Enabled
Revocation Freshness Time : 0 
URL Retrieval Timeout   : 0 
Ctl Identifier          : (null) 
Ctl Store Name          : (null) 
DS Mapper Usage    : Disabled
Negotiate Client Certificate    : Disabled

我错过了什么？如何让Chrome等信任localhost的SSL证书？

What am I missing? How can I make Chrome, etc. trust the SSL cert for localhost?

推荐答案

我得到了这个（至少足以满足我目前的需求）。

I got this working (sufficiently for my current needs, at least).

我将localhost证书从证书（本地计算机）>个人>证书复制到证书（当前用户）>个人>证书。这消除了Chrome中的https红色交叉（以及NET :: ERR_CERT_AUTHORITY_INVALID消息）以及AngularJS中的net :: ERR_INSECURE_RESPONSE错误。

I copied the localhost cert from "Certificates (Local Computer) > Personal > Certificates" to "Certificates (Current User) > Personal > Certificates". This got rid of the red cross-out of https in Chrome (and the "NET::ERR_CERT_AUTHORITY_INVALID" message) as well as the "net::ERR_INSECURE_RESPONSE" error in AngularJS.

请注意，在我的情况下，localhost证书必须同时位于本地计算机存储和当前用户存储中，否则用于将其绑定到端口5555（对于Owin应用程序）的netsh命令将失败：

Note that in my case, the localhost cert had to be in both the Local Computer store and in the Current User Store, otherwise the netsh command for binding it to port 5555 (for the Owin app) would fail:

netsh http add sslcert ipport=127.0.0.1:5555 certhash=1234555555555555555555511155555555555555 appid={1234a123-1234-1234-1234-123412341234}

SSL Certificate add failed, Error: 1312, A specified logon session does not exist. It may already have been terminated.

Chrome中仍然没有漂亮的绿色挂锁（它现在在垫锁上有一个黄色的小三角形，此网站的身份已由ca.acme.com验证，但没有公开审核记录），但这似乎不会干扰Web API通信，所以应该没问题。

There is still no nice green padlock in Chrome (it now has a yellow little triangle on the pad lock, "The identity of this website has been verified by ca.acme.com but does not have public audit records"), but this does not seem to interfere with the Web API communication, so it should be fine.

如果有人知道一个简单的方法可以让它全部变绿并且没有任何警告，我仍然感兴趣，但这并不重要。

If anybody knows of an easy way to make it all green and nice with no warnings, I am still interested, but it is not critical.

这篇关于localhost的自签名SSL证书，如何使其受信任的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！