Getting Chrome to trust a self-signed digital certificate


How to self-sign a CA certificate and a child certificate

  1. Create the CA config file

touch localhost_ca.cnf

[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca

[ req_distinguished_name ]

# The values below can be filled in freely; they are only used when openssl
# prompts for a subject, and the -subj option passed below overrides them
countryName = CN (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = ZheJiang
localityName = HangZhou
organizationName = Dxy
organizationalUnitName = technology
commonName = develop
commonName_max = 64
emailAddress = yangw@dxy.cn
emailAddress_max = 64

[ root_ca ]
basicConstraints = critical, CA:true

  2. Create the extension config file

touch localhost_ca.ext

subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]

# Domain names; add more as DNS.2, DNS.3, ...
DNS.1 = a.domain.cn
DNS.2 = b.domain.cn
# IP addresses
IP.1 = 192.168.0.1
IP.2 = 127.0.0.1

  3. Create the CA private key and the CA certificate

openssl req -x509 -newkey rsa:2048 -out $CA_CER_NAME.cer -outform PEM -keyout $CA_KEY_NAME.pvk -days 10000 -verbose -config $CA_CNF_FILE -nodes -sha256 -subj "/CN=$CA_CER_NAME"

  4. Create the child certificate's private key and signing request (the CN is the child's own name, not the CA's)

openssl req -newkey rsa:2048 -keyout $KEY_NAME.pvk -out $CER_NAME.req -subj /CN=$CER_NAME -sha256 -nodes

  5. Create the child certificate

openssl x509 -req -CA $CA_CER_NAME.cer -CAkey $CA_KEY_NAME.pvk -in $CER_NAME.req -out $CER_NAME.cer -days 10000 -extfile $CA_EXT_FILE -sha256 -set_serial 0x1111

The steps can be turned into a script for reuse:

#!/bin/zsh
CA_CER_NAME=localhost_ca
CA_KEY_NAME=localhost_ca
CA_CNF_FILE=./localhost_ca.cnf
CA_EXT_FILE=./localhost_ca.ext

CER_NAME=localhost
KEY_NAME=localhost

# self-signed CA certificate and key
openssl req -x509 -newkey rsa:2048 -out $CA_CER_NAME.cer -outform PEM -keyout $CA_KEY_NAME.pvk -days 10000 -verbose -config $CA_CNF_FILE -nodes -sha256 -subj "/CN=$CA_CER_NAME"

# child key and signing request, with the child's own name as CN
openssl req -newkey rsa:2048 -keyout $KEY_NAME.pvk -out $CER_NAME.req -subj /CN=$CER_NAME -sha256 -nodes

# child certificate signed by the CA, with the SAN / EKU extensions from the .ext file
openssl x509 -req -CA $CA_CER_NAME.cer -CAkey $CA_KEY_NAME.pvk -in $CER_NAME.req -out $CER_NAME.cer -days 10000 -extfile $CA_EXT_FILE -sha256 -set_serial 0x1111
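The same procedure as a reusable function, added here as an example that is not the post's own script: the SAN entries are passed as arguments, and the function ends with the chain check the post does not perform. It assumes openssl is on PATH; the output directory, CA name and leaf name are parameters you choose.

```shell
#!/bin/sh
# Added example (not the post's script): the CA + leaf procedure above, with SAN
# entries taken from the arguments and the result verified. Assumes openssl on PATH.
set -eu

# make_leaf_cert <outdir> <ca_name> <leaf_name> <san>...
# each <san> is "DNS:<host>" or "IP:<address>"
make_leaf_cert() {
  outdir=$1; ca=$2; leaf=$3; shift 3
  mkdir -p "$outdir"
  # CA request config; with -subj the DN section is not consulted, so keep it minimal
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=root_ca' \
    '[dn]' 'commonName=Common Name' '[root_ca]' \
    'basicConstraints=critical,CA:true' 'keyUsage=critical,keyCertSign,cRLSign' > "$outdir/$ca.cnf"
  # Leaf extension file: SAN entries from the arguments, serverAuth EKU as in the post
  {
    echo 'subjectAltName=@alt_names'
    echo 'extendedKeyUsage=serverAuth'
    echo 'basicConstraints=CA:false'
    echo '[alt_names]'
    dns=1; ip=1
    for san in "$@"; do
      case $san in
        DNS:*) echo "DNS.$dns=${san#DNS:}"; dns=$((dns + 1)) ;;
        IP:*)  echo "IP.$ip=${san#IP:}"; ip=$((ip + 1)) ;;
        *) echo "unsupported SAN entry: $san" >&2; return 2 ;;
      esac
    done
  } > "$outdir/$leaf.ext"
  # 1. self-signed CA (key + certificate)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$outdir/$ca.cnf" -subj "/CN=$ca" \
    -keyout "$outdir/$ca.pvk" -out "$outdir/$ca.cer" 2>/dev/null
  # 2. leaf key + CSR, with the leaf's own name (not the CA's) as CN
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$leaf" \
    -keyout "$outdir/$leaf.pvk" -out "$outdir/$leaf.req" 2>/dev/null
  # 3. sign the CSR: a serial file instead of a fixed 0x1111 so two leaves never share
  #    a serial, and <= 825 days because recent macOS rejects longer server certs
  openssl x509 -req -sha256 -days 825 -CAcreateserial -CA "$outdir/$ca.cer" \
    -CAkey "$outdir/$ca.pvk" -in "$outdir/$leaf.req" -extfile "$outdir/$leaf.ext" \
    -out "$outdir/$leaf.cer" 2>/dev/null
  # 4. the check the post omits: the leaf must chain to the CA just created
  openssl verify -CAfile "$outdir/$ca.cer" "$outdir/$leaf.cer" >/dev/null
}

# san_of <cert>: print the SAN line, i.e. the names Chrome will actually match on
san_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
```

Run it as `make_leaf_cert ./out localhost_ca localhost DNS:a.domain.cn IP:127.0.0.1` and then `san_of ./out/localhost.cer`; the CA file to import into the keychain is `./out/localhost_ca.cer`.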

How to make Chrome trust the self-signed certificate

  1. Open chrome://settings, search for "certificate", and click Manage certificates; on macOS this opens the system Keychain Access
  2. Import the generated CA certificate (.cer)
  3. Set the imported CA certificate to Always Trust

Some certificate usage scenarios

Convert PEM format to CER (DER) format

openssl x509 -inform PEM -in cacert.pem -outform DER -out certificate.cer

View the JDK certificates

keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

JDK keystore operations

Change the password

keytool -storepasswd -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

Import a certificate

keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>

Delete a certificate

keytool -delete -alias <keyAlias> -keystore <keystore-name> -storepass <password>

Using the Android Studio certificates when packaging a native Android app in Cocos Creator

Locate the built native Android project and add the following to its gradle.properties file:

systemProp.javax.net.ssl.trustStore={your-android-studio-directory}\\jre\\jre\\lib\\security\\cacerts
systemProp.javax.net.ssl.trustStorePassword=changeit

This makes Cocos use Android Studio's trust store. Then add the certificate in Android Studio under Preferences -> Tools -> Server Certificates.