我正在为嵌入式Linux设备添加HTTPS支持。我已尝试使用以下步骤生成自签名证书:
openssl req -new > cert.csr
openssl rsa -in privkey.pem -out key.pem
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 1001
cat key.pem>>cert.pem
这是可行的,但我在Google Chrome上遇到了一些错误:
这可能不是你要找的网站!站点的安全证书不受信任!
我错过了什么吗?这是构建自签名证书的正确方法吗?
当前回答
这个非常简单的Python应用程序创建了一个自签名证书。代码:
from OpenSSL import crypto, SSL
from secrets import randbelow
print("Please know, if you make a mistake, you must restart the program.")
def cert_gen(
emailAddress=input("Enter Email Address: "),
commonName=input("Enter Common Name: "),
countryName=input("Enter Country Name (2 characters): "),
localityName=input("Enter Locality Name: "),
stateOrProvinceName=input("Enter State of Province Name: "),
organizationName=input("Enter Organization Name: "),
organizationUnitName=input("Enter Organization Unit Name: "),
serialNumber=randbelow(1000000),
validityStartInSeconds=0,
validityEndInSeconds=10*365*24*60*60,
KEY_FILE = "private.key",
CERT_FILE="selfsigned.crt"):
#can look at generated file using openssl:
#openssl x509 -inform pem -in selfsigned.crt -noout -text
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 4096)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = countryName
cert.get_subject().ST = stateOrProvinceName
cert.get_subject().L = localityName
cert.get_subject().O = organizationName
cert.get_subject().OU = organizationUnitName
cert.get_subject().CN = commonName
cert.get_subject().emailAddress = emailAddress
cert.set_serial_number(serialNumber)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(validityEndInSeconds)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha512')
with open(CERT_FILE, "wt") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8"))
with open(KEY_FILE, "wt") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode("utf-8"))
print("GENERATED")
input("Press enter to close program.")
cert_gen()
但是,您仍然会收到“证书不受信任”错误。这是因为以下几个原因:
它是自签名/未验证的(验证的证书需要CA(证书颁发机构),如Let's Encrypt,以便在所有设备上都受信任)。您的计算机上不信任它。(此答案显示了如何使Windows信任您的证书)。
其他回答
现代浏览器现在如果缺少SAN(Subject Alternate Name),则会为格式良好的自签名证书抛出安全错误。OpenSSL没有提供命令行方式来指定这一点,因此许多开发人员的教程和书签突然过时了。
重新运行的最快方法是一个简短的独立conf文件:
创建OpenSSL配置文件(示例:req.cnf)[要求]distinguished_name=请求分类名称x509_extensions=v3_reqprompt=否[请求分配名称]C=我们ST=VAL=SomeCityO=我的公司OU=我的部门CN=www.company.com[v3_req]keyUsage=关键,数字签名,密钥协议extendedKeyUsage=服务器身份验证subjectAltName=@alt_names[备选名称]DNS.1=www.company.comDNS.2=公司网站DNS.3=公司网创建引用此配置文件的证书openssl req-x509-节点-天730-新密钥rsa:2048\-keyout cert.key-out cert.pem-config req.cnf-sha256
来自的配置示例https://support.citrix.com/article/CTX135602
2017年单线版:
CentOS:
openssl req -x509 -nodes -sha256 -newkey rsa:2048 \
-keyout localhost.key -out localhost.crt \
-days 3650 \
-subj "CN=localhost" \
-reqexts SAN -extensions SAN \
-config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=IP:127.0.0.1,DNS:localhost"))
Ubuntu:
openssl req -x509 -nodes -sha256 -newkey rsa:2048 \
-keyout localhost.key -out localhost.crt \
-days 3650 \
-subj "/CN=localhost" \
-reqexts SAN -extensions SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=IP:127.0.0.1,DNS:localhost"))
编辑:为Ubuntu的“subj”选项添加了前缀Slash。
在经历了大量的尝试和各种解决方案之后,我仍然面临这样一个问题:为localhost颁发自签名证书会给我带来错误
错误证书无效
在扩展细节时,chrome表示:
您现在无法访问localhost,因为网站已发送加密凭据。。。
唯一难看的方式是键入(直接在这个屏幕上,没有看到文本的任何光标):
(在键盘上键入)这是安全的
这让我继续。
直到我找到extendedKeyUsage=serverAuth,clientAuth
TL;博士
openssl genrsa-out localhost.key 2048openssl req-key localhost.key-new-out localhost.csr(单击输入所有内容,然后用localhost或其他FQDN填写通用名称(CN)。将以下内容放入名为v3.ext的文件中(根据需要进行编辑):
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:localhost, DNS:localhost.localdomain
issuerAltName = issuer:copy
openssl x509-req-in localhost.csr-signkey localhost.key-out localhost.pem-days 3650-sha256-extfile v3.ext
瞧!您可以访问网站,展开“高级”,然后单击“转到本地主机(不安全)”。
一个内衬FTW。我喜欢保持简单。为什么不使用一个包含所有所需参数的命令?这就是我喜欢的方式-这将创建一个x509证书及其PEM密钥:
openssl req -x509 \
-nodes -days 365 -newkey rsa:4096 \
-keyout self.key.pem \
-out self-x509.crt \
-subj "/C=US/ST=WA/L=Seattle/CN=example.com/emailAddress=someEmail@gmail.com"
该命令包含通常为证书详细信息提供的所有答案。通过这种方式,您可以设置参数并运行命令,获取输出,然后喝咖啡。
>>更多信息请点击此处<<
这个非常简单的Python应用程序创建了一个自签名证书。代码:
from OpenSSL import crypto, SSL
from secrets import randbelow
print("Please know, if you make a mistake, you must restart the program.")
def cert_gen(
emailAddress=input("Enter Email Address: "),
commonName=input("Enter Common Name: "),
countryName=input("Enter Country Name (2 characters): "),
localityName=input("Enter Locality Name: "),
stateOrProvinceName=input("Enter State of Province Name: "),
organizationName=input("Enter Organization Name: "),
organizationUnitName=input("Enter Organization Unit Name: "),
serialNumber=randbelow(1000000),
validityStartInSeconds=0,
validityEndInSeconds=10*365*24*60*60,
KEY_FILE = "private.key",
CERT_FILE="selfsigned.crt"):
#can look at generated file using openssl:
#openssl x509 -inform pem -in selfsigned.crt -noout -text
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 4096)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = countryName
cert.get_subject().ST = stateOrProvinceName
cert.get_subject().L = localityName
cert.get_subject().O = organizationName
cert.get_subject().OU = organizationUnitName
cert.get_subject().CN = commonName
cert.get_subject().emailAddress = emailAddress
cert.set_serial_number(serialNumber)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(validityEndInSeconds)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha512')
with open(CERT_FILE, "wt") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8"))
with open(KEY_FILE, "wt") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode("utf-8"))
print("GENERATED")
input("Press enter to close program.")
cert_gen()
但是,您仍然会收到“证书不受信任”错误。这是因为以下几个原因:
它是自签名/未验证的(验证的证书需要CA(证书颁发机构),如Let's Encrypt,以便在所有设备上都受信任)。您的计算机上不信任它。(此答案显示了如何使Windows信任您的证书)。
