About apache: how to create a self-signed SSL certificate to use while testing a web application


How do I create a self signed SSL certificate to use while testing a web app

How do I create a self-signed SSL certificate for an Apache server to use while testing a web application?


How do I create a self-signed SSL certificate for testing purposes?

From http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert:

  • Make sure OpenSSL is installed and in your PATH.

  • Run the following command to create the server.key and server.crt files:

    openssl req -new -x509 -nodes -out server.crt -keyout server.key

    These can be used in your httpd.conf file as follows:

    SSLCertificateFile    /path/to/this/server.crt
    SSLCertificateKeyFile /path/to/this/server.key

  • It is important to know that this server.key has no passphrase. To add a passphrase to the key, run the following command and enter and verify the passphrase when prompted.

    openssl rsa -des3 -in server.key -out server.key.new
    mv server.key.new server.key

    Please back up the server.key file and the passphrase you entered in a secure location.


  • WARNING: This is totally useless for purposes other than local testing.

    Replace MYDOMAIN with your local domain. It also works with localhost.

    Create a MYDOMAIN.conf file in some folder. Add the following to it:

    [ req ]
    prompt              = no
    default_bits        = 2048
    default_keyfile     = MYDOMAIN.pem
    distinguished_name  = subject
    req_extensions      = req_ext
    x509_extensions     = x509_ext
    string_mask         = utf8only

    # The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
    #   It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.
    [ subject ]
    countryName         = KE
    stateOrProvinceName = Nairobi
    localityName        = Nairobi
    organizationName    = Localhost

    # Use a friendly name here because it's presented to the user. The server's DNS
    #   names are placed in Subject Alternate Names. Plus, DNS names here are deprecated
    #   by both IETF and CA/Browser Forums. If you place a DNS name here, then you
    #   must include the DNS name in the SAN too (otherwise, Chrome and others that
    #   strictly follow the CA/Browser Baseline Requirements will fail).
    commonName          = Localhost dev cert
    emailAddress        = edwin@gmail.com

    # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
    [ x509_ext ]

    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid,issuer

    # You only need digitalSignature below. *If* you don't allow
    #   RSA key transport (i.e., you use ephemeral cipher suites), then
    #   omit keyEncipherment because that's key transport.
    basicConstraints        = CA:FALSE
    keyUsage                = digitalSignature, keyEncipherment
    subjectAltName          = @alternate_names
    nsComment               = "OpenSSL Generated Certificate"

    # RFC 5280, Section 4.2.1.12 makes EKU optional
    #   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
    #   In either case, you probably only need serverAuth.
    # extendedKeyUsage  = serverAuth, clientAuth

    # Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
    [ req_ext ]

    subjectKeyIdentifier    = hash

    basicConstraints        = CA:FALSE
    keyUsage                = digitalSignature, keyEncipherment
    subjectAltName          = @alternate_names
    nsComment               = "OpenSSL Generated Certificate"

    # RFC 5280, Section 4.2.1.12 makes EKU optional
    #   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
    #   In either case, you probably only need serverAuth.
    # extendedKeyUsage  = serverAuth, clientAuth

    [ alternate_names ]

    DNS.1       = MYDOMAIN

    # Add these if you need them. But usually you don't want them or
    #   need them in production. You may need them for development.
    # DNS.5       = localhost
    # DNS.6       = localhost.localdomain

    # An address must be an IP entry, not a DNS entry: clients match a literal
    #   such as 127.0.0.1 only against IP.* names in the SAN.
    IP.1        = 127.0.0.1

    # IPv6 localhost
    # IP.2        = ::1

    Generate the certificate files:

    $ sudo openssl req -config MYDOMAIN.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout MYDOMAIN.key -days 1024 -out MYDOMAIN.crt
    $ sudo openssl pkcs12 -export -out MYDOMAIN.pfx -inkey MYDOMAIN.key -in MYDOMAIN.crt
    $ sudo chown -R $USER *

    Make your local machine trust your certificate:

    # Install the cert utils
    $ sudo apt-get install libnss3-tools

    # Trust the certificate for SSL
    $ pk12util -d sql:$HOME/.pki/nssdb -i MYDOMAIN.pfx

    # Trust self-signed server certificate
    $ certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n 'dev cert' -i MYDOMAIN.crt

    Edit /etc/apache2/sites-available/default-ssl.conf and make sure these two directives point to the .crt and .key files you just created (uncomment them if necessary):

    SSLCertificateFile     /path/to/MYDOMAIN.crt
    SSLCertificateKeyFile  /path/to/MYDOMAIN.key

    Apply the configuration and restart apache:

    # If you are not using the default configuration ( /etc/apache2/sites-available/default-ssl.conf ),
    # then replace "default-ssl" with whatever conf file name you've chosen
    # ( DO NOT include the .conf bit ).
    $ sudo a2ensite default-ssl

    $ sudo service apache2 restart

    Visit https://MYDOMAIN in your browser. Firefox will warn you that the certificate is self-signed and therefore invalid. You will have to add an exception.

    Resources:

    • I got most of this from 3dw1n_m0535;
    • If you run into trouble, read the README at /usr/share/doc/apache2/README.Debian.gz
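As an added illustration that is not part of any answer above, the following Go program (standard library only) builds a certificate with the same profile as MYDOMAIN.conf and then checks which hosts a TLS client would actually accept it for; "mydomain.local" is a constructed stand-in for MYDOMAIN. It shows in code why 127.0.0.1 has to be a SAN IP entry and not a DNS entry.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// devCert builds a self-signed server certificate with the profile of the MYDOMAIN.conf
// above (RSA-2048, SHA-256 by Go's default for RSA, CA:FALSE, digitalSignature and
// keyEncipherment, 1024 days) and a SAN holding dnsNames as DNS entries and ips as IP
// entries; it returns the parsed certificate and its PEM encoding (the SSLCertificateFile).
func devCert(dnsNames []string, ips []net.IP) (*x509.Certificate, []byte) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only fails when the system RNG is unavailable
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Country: []string{"KE"}, Organization: []string{"Localhost"}, CommonName: "Localhost dev cert"},
		NotBefore:             time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 1024),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true, // IsCA stays false, so basicConstraints = CA:FALSE is emitted
		DNSNames:              dnsNames,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// accepts reports whether a TLS client would take cert as valid for host, using the SAN
// rules browsers apply: an IP literal is matched only against IP entries, never DNS ones.
func accepts(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	cert, pemBytes := devCert([]string{"mydomain.local"}, []net.IP{net.ParseIP("127.0.0.1")}) // constructed names
	fmt.Printf("%s%v %v\n", pemBytes, accepts(cert, "mydomain.local"), accepts(cert, "127.0.0.1")) // true true
	wrong, _ := devCert([]string{"127.0.0.1"}, nil) // the DNS.7 = 127.0.0.1 form of the config
	fmt.Println(accepts(wrong, "127.0.0.1"))       // false
}
```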

    There are various tools that can generate SSL certificates. For example, try OpenSSL. Also, if you are on Windows, there is one in the IIS 6 Resource Kit.


    Using OpenSSL (http://www.openssl.org/)

    Here is a tutorial: http://novosial.org/openssl/self-signed/

    Here is a good getting-started tutorial: SSH localhost.

