Willow's blog

Making Chrome trust a self-signed digital certificate

How to self-sign a CA certificate and a leaf certificate

  1. Create the CA configuration file

    touch localhost_ca.cnf
    [ req ]
    distinguished_name = req_distinguished_name
    x509_extensions = root_ca
    [ req_distinguished_name ]
    # The values below can be anything (the -subj option used later overrides them)
    countryName = CN (2 letter code)
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = ZheJiang
    localityName = HangZhou
    organizationName = Dxy
    organizationalUnitName = technology
    commonName = develop
    commonName_max = 64
    emailAddress = yangw@dxy.cn
    emailAddress_max = 64
    [ root_ca ]
    # Marks the certificate as a CA so it may sign the leaf certificate
    basicConstraints = critical, CA:true
  2. Create the extension configuration file (applied to the leaf certificate)

    touch localhost_ca.ext
    subjectAltName = @alt_names
    extendedKeyUsage = serverAuth
    [alt_names]
    # Domain names; for more than two, add DNS.3, DNS.4, ...
    DNS.1 = a.domain.cn
    DNS.2 = b.domain.cn
    # IP addresses
    IP.1 = 192.168.0.1
    IP.2 = 127.0.0.1
  3. Create the CA private key and the self-signed CA certificate

    openssl req -x509 -newkey rsa:2048 -out $CA_CER_NAME.cer -outform PEM -keyout $CA_KEY_NAME.pvk -days 10000 -verbose -config $CA_CNF_FILE -nodes -sha256 -subj "/CN=$CA_CER_NAME"
  4. Create the leaf certificate's private key and signing request

    # The CN is the leaf's own name ($CER_NAME); using the CA's name here would give
    # the leaf the same subject as its issuer, which breaks chain building
    openssl req -newkey rsa:2048 -keyout $KEY_NAME.pvk -out $CER_NAME.req -subj "/CN=$CER_NAME" -sha256 -nodes
  5. Create the leaf certificate (signed by the CA, with the extensions from the .ext file)

    openssl x509 -req -CA $CA_CER_NAME.cer -CAkey $CA_KEY_NAME.pvk -in $CER_NAME.req -out $CER_NAME.cer -days 10000 -extfile $CA_EXT_FILE -sha256 -set_serial 0x1111

This can be turned into a script for reuse:

#!/bin/zsh
CA_CER_NAME=localhost_ca
CA_KEY_NAME=localhost_ca
CA_CNF_FILE=./localhost_ca.cnf
CA_EXT_FILE=./localhost_ca.ext
CER_NAME=localhost
KEY_NAME=localhost
# CA private key and self-signed CA certificate
openssl req -x509 -newkey rsa:2048 -out $CA_CER_NAME.cer -outform PEM -keyout $CA_KEY_NAME.pvk -days 10000 -verbose -config $CA_CNF_FILE -nodes -sha256 -subj "/CN=$CA_CER_NAME"
# Leaf private key and certificate request; the CN is the leaf's own name, not the CA's
openssl req -newkey rsa:2048 -keyout $KEY_NAME.pvk -out $CER_NAME.req -subj "/CN=$CER_NAME" -sha256 -nodes
# Leaf certificate signed by the CA, with the SAN and EKU extensions from the .ext file
openssl x509 -req -CA $CA_CER_NAME.cer -CAkey $CA_KEY_NAME.pvk -in $CER_NAME.req -out $CER_NAME.cer -days 10000 -extfile $CA_EXT_FILE -sha256 -set_serial 0x1111
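As an added example (not the post's own script), the same five steps as one self-checking shell function. It writes both config files into a temporary directory, builds the CA and the leaf, and then checks the result the way a browser effectively will: the chain must validate against the CA, the SAN must carry the hostname, and the leaf must not itself be a CA. It also tightens the CA with pathlen:0 and keyUsage, gives the leaf its own CN, and lets OpenSSL manage the serial instead of hard-coding one. It assumes `openssl` is on PATH; the CA name example-test-ca, the hostname localhost and the temp-dir layout are constructed for this example.

```shell
# Added example, not the post's own script: the five steps above as one
# self-checking function. Assumes `openssl` is on PATH; "example-test-ca" and
# the temp-dir layout are constructed for this example.
make_test_pki() {
  workdir=$(mktemp -d) || return 1

  # CA config: prompt=no makes the [dn] values literal. pathlen:0 stops this CA
  # from issuing further CAs, and keyUsage limits it to signing certs and CRLs.
  cat > "$workdir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = root_ca
[ dn ]
CN = example-test-ca
[ root_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Leaf extensions: Chrome matches the hostname against subjectAltName only,
  # so the DNS/IP entries here are what matter, not the CN.
  cat > "$workdir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF

  # Step 3: self-signed CA. Short validity, since this is a throwaway dev CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$workdir/ca.cnf" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.cer" 2>/dev/null || return 1

  # Step 4: leaf key + CSR. The CN must differ from the CA's CN; a leaf whose
  # subject equals its issuer looks self-signed and fails chain building.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
    -config "$workdir/ca.cnf" \
    -keyout "$workdir/leaf.key" -out "$workdir/leaf.req" 2>/dev/null || return 1

  # Step 5: sign the leaf. -CAcreateserial keeps a serial file (ca.srl) instead
  # of hard-coding one serial that every reissued leaf would then share.
  openssl x509 -req -sha256 -days 30 -in "$workdir/leaf.req" \
    -CA "$workdir/ca.cer" -CAkey "$workdir/ca.key" -CAcreateserial \
    -extfile "$workdir/leaf.ext" -out "$workdir/leaf.cer" 2>/dev/null || return 1

  # Checks a browser effectively performs: the chain validates to the CA, the
  # SAN carries the hostname and IP, and the leaf is not itself a CA.
  openssl verify -CAfile "$workdir/ca.cer" "$workdir/leaf.cer" >/dev/null || return 1
  leaf_text=$(openssl x509 -in "$workdir/leaf.cer" -noout -text) || return 1
  printf '%s\n' "$leaf_text" | grep -q 'DNS:localhost' || return 1
  printf '%s\n' "$leaf_text" | grep -q 'IP Address:127.0.0.1' || return 1
  printf '%s\n' "$leaf_text" | grep -q 'CA:FALSE' || return 1

  # Success: remove the throwaway material. On failure the files are left in
  # place so the failing step can be inspected.
  rm -rf "$workdir"
}

make_test_pki && echo "CA and leaf generated; chain and SAN verified"
```

To adapt this to a real development setup, replace the two constructed config bodies with the post's localhost_ca.cnf and localhost_ca.ext contents and keep the verification lines: a leaf that fails `openssl verify` or lacks the expected SAN will be rejected by Chrome regardless of how the CA is trusted in the keychain.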

How to make Chrome trust the self-signed certificate

  1. Open chrome://settings, search for "certificate", then find and click Manage certificates; this opens the system Keychain Access
  2. Import the generated CA certificate (.cer)
  3. Set the imported CA certificate to Always Trust

Some certificate usage scenarios

Convert PEM format to CER (DER) format

openssl x509 -inform PEM -in cacert.pem -outform DER -out certificate.cer

List the JDK's certificates

keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

JDK keystore operations

Change the keystore password

keytool -storepasswd -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

Import a certificate

keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>

Delete a certificate

keytool -delete -alias <keyAlias> -keystore <keystore-name> -storepass <password>

Using Android Studio's certificates when building a native Android app from Cocos Creator

Find the built native Android project, edit its gradle.properties file, and add:

systemProp.javax.net.ssl.trustStore={your-android-studio-directory}\\jre\\jre\\lib\\security\\cacerts
systemProp.javax.net.ssl.trustStorePassword=changeit

This makes Cocos use Android Studio's trust store; then configure the certificate in Android Studio by adding it under Preferences -> Tools -> Server Certificates.

Yang Wei (杨威)
Published: 2018-09-30
Free to redistribute, non-commercial, no derivatives, attribution required (Creative Commons 3.0 license)