Making Chrome Trust a Self-Signed Certificate

How to self-sign a CA certificate and a child certificate

Create the CA configuration file
```sh
touch localhost_ca.cnf
```

Contents of localhost_ca.cnf:

```ini
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca

[ req_distinguished_name ]
# The following values can be filled in freely.
# In this section they act only as prompt texts; the -subj option
# used on the command line below sets the actual subject.
countryName = CN (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = ZheJiang
localityName = HangZhou
organizationName = Dxy
organizationalUnitName = technology
commonName = develop
commonName_max = 64
emailAddress = yangw@dxy.cn
emailAddress_max = 64

[ root_ca ]
basicConstraints = critical, CA:true
```

Create the extensions configuration file
```sh
touch localhost_ca.ext
```

Contents of localhost_ca.ext:

```ini
subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]
# Domain names; add more with DNS.2, DNS.3, …
DNS.1 = a.domain.cn
DNS.2 = b.domain.cn
# IP addresses
IP.1 = 192.168.0.1
IP.2 = 127.0.0.1
```

Create the CA private key and CA certificate
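```sh
openssl req -x509 -newkey rsa:2048 -out $CA_CER_NAME.cer -outform PEM -keyout $CA_KEY_NAME.pvk -days 10000 -verbose -config $CA_CNF_FILE -nodes -sha256 -subj "/CN=$CA_CER_NAME"
```

Create the child certificate's private key and signing request

```sh
# The subject is the child certificate's own name; reusing the CA's name
# would make the child's subject identical to its issuer.
openssl req -newkey rsa:2048 -keyout $KEY_NAME.pvk -out $CER_NAME.req -subj /CN=$CER_NAME -sha256 -nodes
```

Create the child certificate

```sh
openssl x509 -req -CA $CA_CER_NAME.cer -CAkey $CA_KEY_NAME.pvk -in $CER_NAME.req -out $CER_NAME.cer -days 10000 -extfile $CA_EXT_FILE -sha256 -set_serial 0x1111
```

These steps can be put into a script for reuse:

```sh
#!/bin/zsh
```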
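Before the CA is imported into a trust store, the issued pair can be checked for the properties the two configuration files above are meant to produce: a CA flag on the root, a leaf that verifies against it, `serverAuth` usage, and the expected host in `subjectAltName`. This is an added example, not part of the original post; the function names and the `check_cert.sh` file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a CA/leaf pair
# produced by the openssl commands above. Function names are illustrative.

# Human-readable dump of a PEM certificate.
cert_text() { openssl x509 -in "$1" -noout -text; }

# Succeeds only if the certificate has basicConstraints CA:TRUE.
is_ca() { cert_text "$1" | grep -q 'CA:TRUE'; }

# Succeeds only if the leaf ($2) verifies against the CA certificate ($1).
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Succeeds only if extendedKeyUsage contains serverAuth.
has_server_auth() { cert_text "$1" | grep -q 'TLS Web Server Authentication'; }

# Succeeds only if NAME ($2) is listed verbatim as a DNS or IP subjectAltName
# entry (wildcard entries are not expanded).
has_san() {
  cert_text "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr -d ' ' | tr ',' '\n' | grep -qxF -e "DNS:$2" -e "IPAddress:$2"
}

# check_leaf CA_CERT LEAF_CERT NAME: run every check, report each failure.
check_leaf() {
  cl_rc=0
  is_ca "$1"           || { echo "FAIL: $1 is not marked CA:TRUE"; cl_rc=1; }
  chains_to "$1" "$2"  || { echo "FAIL: $2 does not verify against $1"; cl_rc=1; }
  has_server_auth "$2" || { echo "FAIL: $2 lacks extendedKeyUsage serverAuth"; cl_rc=1; }
  has_san "$2" "$3"    || { echo "FAIL: $3 is not in subjectAltName of $2"; cl_rc=1; }
  if [ "$cl_rc" -eq 0 ]; then echo "OK: $2 is valid for $3 under $1"; fi
  return "$cl_rc"
}

# Usage: sh check_cert.sh "$CA_CER_NAME.cer" "$CER_NAME.cer" a.domain.cn
if [ "$#" -eq 3 ]; then check_leaf "$@"; fi
```
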
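
How to make Chrome trust the self-signed certificate

- Open chrome://settings to reach Chrome's settings page, search for certificate, then find and click Manage certificates, which opens the system Keychain Access
- Import the generated CA (.cer) certificate
- Set the imported CA certificate to always trust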

Some certificate usage scenarios

Convert PEM format to CER format

```sh
openssl x509 -inform PEM -in cacert.pem -outform DER -out certificate.cer
```

View the JDK certificates

```
keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts"
```

JDK keystore operations

Change the password

```
keytool -storepasswd -keystore "%JAVA_HOME%/jre/lib/security/cacerts"
```

Import a certificate

```
keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>
```

Delete a certificate

```
keytool -delete -alias <keyAlias> -keystore <keystore-name> -storepass <password>
```

Using Android Studio's certificates when packaging a native Android app in Cocos Creator

Find the built native Android project, edit its gradle.properties file, and add:

```properties
systemProp.javax.net.ssl.trustStore={your-android-studio-directory}\\jre\\jre\\lib\\security\\cacerts
```

This makes Cocos use Android Studio's certificates. Then configure the certificate in Android Studio: add it under Preference->Tools->Server Certification.

(EOF) 杨威. Published: 2018-09-30. Free to repost, non-commercial, no derivatives, attribution required (Creative Commons 3.0 license).