I finally started using SSL on my personal website, so I began trying to create a multi-domain self-signed certificate for my local development (covering api.mydomain.local, www.mydomain.local, and mydomain.local). I don't know whether that was my first mistake, but...
Since I couldn't find a single comprehensive guide, I started from two tutorials (from EasyEngine and DeveloperSide) to create my certificate and install it on my host (Win10). Then I used a DigitalOcean guide to learn how to set up Apache on my dev server (an Ubuntu VM); apart from some minor issues caused by working from several guides at the same time, no big trouble.
I went on to hit my API in Chrome, and it gave me an untrusted-certificate warning, which I clicked through, and it worked. As far as I know, that means the certificate is valid? But when I try to hit my API in Postman, I get an error saying it can't accept untrusted certificates, which is fine, because there is a tutorial on how to fix that. However, it still doesn't work. I can't figure out what else I can do to fix this. Am I on the right track? Is my certificate fully valid? Did I make a fundamental mistake in trying to make a multi-domain certificate?
One thing I noticed is that in the Dev Tools Security tab it shows
Subject Alternative Name missing
so I'm not sure whether that means my alt names aren't working, but if they weren't, then when I hit it in Chrome it wouldn't even try to load the certificate, right?
Answer 0 (score: 1)
I ran into a similar problem while writing an article about SSL certificates for my website, so I wrote a shell script for it:

#!/bin/bash
CERT_COMPANY_NAME=${CERT_COMPANY_NAME:=Tarun Lalwani}
CERT_COUNTRY=${CERT_COUNTRY:=IN}
CERT_STATE=${CERT_STATE:=DELHI}
CERT_CITY=${CERT_CITY:=DELHI}
CERT_DIR=${CERT_DIR:=certs}
ROOT_CERT=${ROOT_CERT:=rootCA.pem}
ROOT_CERT_KEY=${ROOT_CERT_KEY:=rootCA.key.pem}

# make directories to work from
mkdir -p "$CERT_DIR"

create_root_cert(){
    # Create your very own Root Certificate Authority
    openssl genrsa \
        -out "$CERT_DIR/$ROOT_CERT_KEY" \
        2048

    # Self-sign your Root Certificate Authority
    # Since this is private, the details can be as bogus as you like
    openssl req \
        -x509 \
        -new \
        -nodes \
        -key "${CERT_DIR}/$ROOT_CERT_KEY" \
        -days 1024 \
        -out "${CERT_DIR}/$ROOT_CERT" \
        -subj "/C=$CERT_COUNTRY/ST=$CERT_STATE/L=$CERT_CITY/O=$CERT_COMPANY_NAME Signing Authority/CN=$CERT_COMPANY_NAME Signing Authority"
}

create_domain_cert()
{
    local FQDN=$1
    # A wildcard such as *.example.com is stored under the file name wild.example.com
    local FILENAME=${FQDN/\*/wild}

    # Create a Device Certificate for each domain,
    # such as example.com, *.example.com, awesome.example.com
    # NOTE: You MUST match CN to the domain name or ip address you want to use
    openssl genrsa \
        -out "$CERT_DIR/${FILENAME}.key" \
        2048

    # Create a request from your Device, which your Root CA will sign.
    # When the SAN environment variable is set, the request also carries the
    # subjectAltName extension. openssl-san.cnf is not shown in this answer;
    # it is assumed to define a [san_env] section whose subjectAltName entry
    # reads the SAN environment variable (subjectAltName = ${ENV::SAN}).
    if [[ -n "${SAN}" ]]; then
        openssl req -new \
            -key "${CERT_DIR}/${FILENAME}.key" \
            -out "${CERT_DIR}/${FILENAME}.csr" \
            -subj "/C=${CERT_COUNTRY}/ST=${CERT_STATE}/L=${CERT_CITY}/O=$CERT_COMPANY_NAME/CN=${FQDN}" \
            -reqexts san_env -config <(cat /etc/ssl/openssl.cnf ./openssl-san.cnf)
    else
        openssl req -new \
            -key "${CERT_DIR}/${FILENAME}.key" \
            -out "${CERT_DIR}/${FILENAME}.csr" \
            -subj "/C=${CERT_COUNTRY}/ST=${CERT_STATE}/L=${CERT_CITY}/O=$CERT_COMPANY_NAME/CN=${FQDN}"
    fi

    # Sign the request from Device with your Root CA
    # (with -extensions san_env the SAN ends up in the issued certificate)
    if [[ -n "${SAN}" ]]; then
        openssl x509 \
            -sha256 \
            -req -in "$CERT_DIR/${FILENAME}.csr" \
            -CA "$CERT_DIR/$ROOT_CERT" \
            -CAkey "$CERT_DIR/$ROOT_CERT_KEY" \
            -CAcreateserial \
            -out "$CERT_DIR/${FILENAME}.crt" \
            -days 500 \
            -extensions san_env \
            -extfile openssl-san.cnf
    else
        openssl x509 \
            -sha256 \
            -req -in "$CERT_DIR/${FILENAME}.csr" \
            -CA "$CERT_DIR/$ROOT_CERT" \
            -CAkey "$CERT_DIR/$ROOT_CERT_KEY" \
            -CAcreateserial \
            -out "$CERT_DIR/${FILENAME}.crt" \
            -days 500
    fi
}

METHOD=$1
ARGS=${*:2}
echo "Called with $METHOD and $ARGS"

if [ -z "${METHOD}" ]; then
    echo "Usage: ./sslcerts.sh [create_root_cert|create_domain_cert] <args>"
    echo "Below are the environment variables you can use:"
    echo "CERT_COMPANY_NAME=Company Name"
    echo "CERT_COUNTRY=Country"
    echo "CERT_STATE=State"
    echo "CERT_CITY=City"
    echo "CERT_DIR=Directory where the certificates need to be generated"
    echo "ROOT_CERT=Name of the root cert"
    echo "ROOT_CERT_KEY=Name of the root certificate key"
else
    # Pass the arguments through quoted so a wildcard such as '*.example.com'
    # is not expanded by the shell before it reaches the function
    "${METHOD}" "${@:2}"
fi
You can change the environment variables at the TOP and generate a self-signed certificate with the command below:

$ SAN=DNS.1:*.tarunlalwani.com,DNS.2:tarunlalwani.com ./sslcerts.sh create_domain_cert '*.tarunlalwani.com'
Edit 1
Earlier browsers relied on the FQDN, but now some of them have started to use the SAN, the "Subject Alternative Name". Usually openssl is not configured with v3 extensions. The SAN is part of the v3 extensions. So when you generate a self-signed certificate it has the correct FQDN (fully qualified domain name) but no SAN. Chrome shows an error for these certificates, but you will see Firefox working fine.
PS: taken from the article http://tarunlalwani.com/post/self-signed-certificates-trusting-them/
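The procedure from the answer, and the "Subject Alternative Name missing" situation from the question, worked through end to end as an added example (this is not the answer's script and not the article's code). It assumes the host names from the question (mydomain.local, www.mydomain.local, api.mydomain.local), writes its own openssl config instead of relying on an external openssl-san.cnf, and checks the result the way a browser does: the chain must verify against the private root and the host name must be covered by the certificate. It also builds a CN-only certificate next to the SAN one so the difference is visible.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above: build a
# private root CA, sign one server certificate whose SAN covers several
# host names, and verify it. The host names are assumed from the question
# (mydomain.local, www.mydomain.local, api.mydomain.local).
set -eu

# make_ca DIR : root CA key plus self-signed CA certificate in DIR.
# CA:TRUE and keyCertSign are what let the root be imported as a trust anchor.
make_ca() {
    local dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
CN = Local Dev Root CA
O  = Local Dev
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 1024 -key "$dir/ca.key" \
        -config "$dir/ca.cnf" -out "$dir/ca.crt"
}

# sign_server_cert DIR NAME CN SAN : key, CSR and CA-signed certificate.
# SAN is a subjectAltName value such as "DNS:a,DNS:b"; pass "" to get a
# CN-only certificate like the one the question describes.
sign_server_cert() {
    local dir=$1 name=$2 cn=$3 san=$4
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = dn\n'
        printf '[ dn ]\nCN = %s\nO = Local Dev\n' "$cn"
        printf '[ server_ext ]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid,issuer\n'
        if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san"; fi
    } > "$dir/$name.cnf"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" \
        -out "$dir/$name.csr"
    # -extensions server_ext is what actually puts the SAN into the issued cert
    openssl x509 -req -sha256 -days 500 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.cnf" -extensions server_ext \
        -out "$dir/$name.crt" 2>/dev/null
}

# make_multi_domain_cert DIR NAME HOST... : one certificate for every HOST.
# CN is set to the first host; browsers ignore CN once a SAN is present.
make_multi_domain_cert() {
    local dir=$1 name=$2 san= h
    shift 2
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    sign_server_cert "$dir" "$name" "$1" "$san"
}

# make_cn_only_cert DIR NAME HOST : the shape of certificate that makes
# Chrome report "Subject Alternative Name missing".
make_cn_only_cert() {
    sign_server_cert "$1" "$2" "$3" ""
}

# cert_has_san CERT : succeed if the certificate carries a SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# cert_valid_for_host CA CERT HOST : succeed only if CERT chains to CA and
# HOST is covered by it (the two checks a browser performs).
cert_valid_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Stand-alone run: everything lands in a temporary directory.
work=$(mktemp -d)
make_ca "$work"
make_multi_domain_cert "$work" site mydomain.local www.mydomain.local api.mydomain.local
make_cn_only_cert "$work" cnonly mydomain.local
cert_has_san "$work/site.crt" && echo "site.crt: SAN present"
cert_has_san "$work/cnonly.crt" || echo "cnonly.crt: SAN missing (what Chrome reports)"
for h in mydomain.local www.mydomain.local api.mydomain.local other.mydomain.local; do
    if cert_valid_for_host "$work/ca.crt" "$work/site.crt" "$h"; then
        echo "site.crt valid for $h"
    else
        echo "site.crt NOT valid for $h"
    fi
done
```

Import ca.crt as a trusted root on the client (Windows certificate store for Chrome, Postman's CA settings) and install site.key plus site.crt in Apache; the private CA key never leaves the machine that signs. Note that openssl verify still falls back to the CN when no SAN is present, so a CN-only certificate passes this command-line check while Chrome rejects it; cert_has_san is the check that tells the two apart, and other.mydomain.local fails because the SAN lists exact names, not a wildcard.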