关于apache：如何创建自签名SSL证书以在测试Web应用程序时使用

How do I create a self signed SSL certificate to use while testing a web app

如何为Apache服务器创建自签名SSL证书以在测试Web应用程序时使用？

How do I create a self-signed SSL
Certificate for testing purposes?

来自http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert：

确保已安装OpenSSL并在PATH中。

运行以下命令，创建server.key和server.crt
文件：

1	openssl req -new -x509 -nodes -out server.crt -keyout server.key

这些可以在您的httpd.conf文件中按以下方式使用：

1 2	SSLCertificateFile /path/to/this/server.crt SSLCertificateKeyFile /path/to/this/server.key

重要的是要知道此server.key没有任何密码短语。要将密码短语添加到密钥，您应该运行以下命令，并根据要求输入并验证密码短语。

1 2	openssl rsa -des3 -in server.key -out server.key.new mv server.key.new server.key

请备份server.key文件和您输入的密码，
在安全的位置。

WARNING: This is totally useless for purposes other than local testing.

将MYDOMAIN替换为您的本地域。也可以与localhost一起使用。

在某些文件夹中创建MYDOMAIN.conf文件。向其中添加以下内容：

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72

[ req ]
prompt = no
default_bits = 2048
default_keyfile = MYDOMAIN.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
# Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName = KE
stateOrProvinceName = Nairobi
localityName = Nairobi
organizationName = Localhost

# Use a friendly name here because its presented to the user. The server's DNS
# names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
# by both IETF and CA/Browser Forums. If you place a DNS name here, then you
# must include the DNS name in the SAN too (otherwise, Chrome and others that
# strictly follow the CA/Browser Baseline Requirements will fail).
commonName = Localhost dev cert
emailAddress =edwin@gmail.com

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# You only need digitalSignature below. *If* you don't allow
# RSA Key transport (i.e., you use ephemeral cipher suites), then
# omit keyEncipherment because that's key transport.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment ="OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier = hash

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment ="OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth

[ alternate_names ]

DNS.1 = MYDOMAIN

# Add these if you need them. But usually you don't want them or
# need them in production. You may need them for development.
# DNS.5 = localhost
# DNS.6 = localhost.localdomain
DNS.7 = 127.0.0.1

# IPv6 localhost
# DNS.8 = ::1

生成证书文件：

1
2
3

$ sudo openssl req -config MYDOMAIN.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout MYDOMAIN.key -days 1024 -out MYDOMAIN.crt
$ sudo openssl pkcs12 -export -out MYDOMAIN.pfx -inkey MYDOMAIN.key -in MYDOMAIN.crt
$ sudo chown -R $USER *

使您的本地计算机信任您的证书：

1
2
3
4
5
6
7
8

# Install the cert utils
$ sudo apt-get install libnss3-tools

# Trust the certificate for SSL
$ pk12util -d sql:$HOME/.pki/nssdb -i MYDOMAIN.pfx

# Trust self-signed server certificate
$ certutil -d sql:$HOME/.pki/nssdb -A -t"P,," -n 'dev cert' -i MYDOMAIN.crt

编辑/etc/apache2/sites-available/default-ssl.conf并确保这两个指令指向您刚创建的文件.crt和.key(如果需要，请取消注释)：

1 2	SSLCertificateFile /path/to/MYDOMAIN.crt SSLCertificateKeyFile /path/to/MYDOMAIN.key

应用配置并重新启动apache：

1
2
3
4
5
6

# If you are not using the default configuration ( /etc/apache2/sites-available/default-ssl.conf ),
# then replace"default-ssl" for whatever conf file name you've chosen
# ( DO NOT include the .conf bit ).
$ sudo a2ensite default-ssl

$ sudo service apache2 restart

在浏览器上访问https：// MYDOMAIN。 Firefox将警告您该证书是自签名的，因此，它是无效的。您将不得不添加一个例外。

资源：