Every certificate you apply for requires validation of DNS or of the website itself.
A local test site cannot pass that validation, so HTTPS keeps reporting "certificate error".
How do you make the browser treat a local site as secure, so it stops warning "not encrypted" on every visit?
Create your own CA, install its certificate as a trusted root, and use it to sign the server certificate.
1 Download OpenSSL.
http://slproweb.com/products/Win32OpenSSL.html
Download a Windows build here (1.1.1d). There are 32-bit and 64-bit builds, a full version of a few tens of MB and a Light version of about 3 MB.
For example, Win64OpenSSL_Light-1_1_1d.exe is the 64-bit Light build; it has to be installed.
Alternatively, the Apache package (httpd-2.4.37-o102q-x64-vc14-r2.zip) already contains openssl (1.0.2q) once extracted, but it needs an openssl.cnf configuration file to work. Note that the 1.0.2 branch stopped receiving security fixes at the end of 2019, so prefer the 1.1.1 build.
2 Create the CA.
(The transcript below uses 1024-bit RSA keys. That is only adequate for a throwaway local test; use 2048 bits or more otherwise, since 1024-bit RSA has been deprecated for years and Apple platforms refuse TLS server certificates with RSA keys shorter than 2048 bits. The ca.key file is the whole security of this setup: anyone who obtains it can issue certificates your machine will trust, so keep it out of the web root and out of version control.)
OpenSSL> genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.+++++......+++++
e is 65537 (0x010001)
OpenSSL> req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanxi
Locality Name (eg, city) []:xian
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CAmk
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:CA localhost
Email Address []:.
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:.
An optional company name []:.
OpenSSL> x509 -req -in ca.csr -signkey ca.key -days 36000 -out ca.crt
Signature ok
subject=C = CN, ST = Shanxi, L = xian, O = CAmk, CN = CA localhost
Getting Private key
OpenSSL>
3 Issue the server certificate.
(Two things to know before signing. Chrome, since version 58, ignores the Common Name and matches the host only against the subjectAltName extension, which the x509 -req command below does not add unless you pass an -extfile; a certificate issued exactly as shown is still accepted by Windows' own validator, which falls back to CN, but Chrome rejects it with NET::ERR_CERT_COMMON_NAME_INVALID even with the CA trusted. And Apple's Safari/macOS/iOS reject TLS server certificates valid for more than 825 days, so -days 36000 on the server certificate will not work there.)
OpenSSL> genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..................+++++.............................................+++++
e is 65537 (0x010001)
OpenSSL> req -new -key server.key -out server.csr
problem creating object tsa_policy1=1.2.3.4.1
11840:error:08064066:object identifier routines:OBJ_create:oid exists:crypto\objects\obj_dat.c:698:
error in req
(This error appears when req is run a second time inside the same interactive OpenSSL> session: the OIDs listed in the oid_section of openssl.cnf, such as tsa_policy1, were already registered by the first run, and registering them again fails with "oid exists". Quitting and restarting openssl clears it, as below; running each command as openssl req ... directly from the cmd prompt avoids it altogether.)
OpenSSL> quit
c:\Program Files\OpenSSL-Win64\bin>openssl
OpenSSL> req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanxi
Locality Name (eg, city) []:xian
Organization Name (eg, company) [Internet Widgits Pty Ltd]:qmgj
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:.
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:.
An optional company name []:.
OpenSSL> x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -days 36000 -in server.csr -out server.crt
Signature ok
subject=C = CN, ST = Shanxi, L = xian, O = qmgj, CN = localhost
Getting CA Private Key
OpenSSL>
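Steps 2 and 3 as one script. This is an added example, not the commands from the original post: it follows the same sequence (CA key, CA CSR, self-signed CA certificate, server key, server CSR, CA-signed server certificate) with the same subject fields, but uses 2048-bit keys, marks the CA certificate CA:TRUE, gives the server certificate a subjectAltName and limits it to 825 days, which is what current Chrome and Apple clients require before they stop complaining. The output directory, the extension file names ca.ext and server.ext, and the default host name localhost are assumptions. It is written for bash (Git Bash or WSL on Windows); the openssl commands themselves are the same at a cmd prompt.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): steps 2 and 3 of the procedure as one
# script, adjusted so current browsers accept the result. Assumptions: the output
# directory and the file names ca.ext/server.ext are ours; subject fields copy the
# post's values; the host name defaults to localhost.
set -eu

# Create a local CA and a CA-signed server certificate under $1 for host $2.
make_local_pki() {
    local dir="$1" host="${2:-localhost}"
    mkdir -p "$dir"
    (
        cd "$dir"

        # Step 2: CA key and self-signed CA certificate.
        # 2048-bit RSA (the post's 1024 bits is below what Apple platforms accept).
        # basicConstraints CA:TRUE and keyCertSign mark it as a CA, which the
        # post's plain "x509 -req -signkey" (no extensions) does not.
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -key ca.key -out ca.csr \
            -subj "/C=CN/ST=Shanxi/L=xian/O=CAmk/CN=CA localhost"
        printf '%s\n' \
            'basicConstraints=critical,CA:TRUE' \
            'keyUsage=critical,keyCertSign,cRLSign' \
            'subjectKeyIdentifier=hash' > ca.ext
        openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
            -extfile ca.ext -out ca.crt

        # Step 3: server key, CSR, and CA-signed certificate.
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -out server.csr \
            -subj "/C=CN/ST=Shanxi/L=xian/O=qmgj/CN=${host}"
        # Browsers match the host against subjectAltName, not CN: a leaf with
        # only CN=localhost fails in Chrome with NET::ERR_CERT_COMMON_NAME_INVALID
        # even when the CA is trusted.
        printf '%s\n' \
            'basicConstraints=CA:FALSE' \
            'keyUsage=critical,digitalSignature,keyEncipherment' \
            'extendedKeyUsage=serverAuth' \
            'authorityKeyIdentifier=keyid,issuer' \
            "subjectAltName=DNS:${host},IP:127.0.0.1" > server.ext
        # 825 days is the longest validity Apple's TLS policy accepts;
        # the post's 36000 days is rejected there outright.
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 825 -sha256 -extfile server.ext -out server.crt
    )
}

# Return 0 only if server.crt chains to ca.crt, the CA is flagged CA:TRUE and the
# leaf carries the expected DNS SAN; anything else and the browser will warn anyway.
check_local_pki() {
    local dir="$1" host="${2:-localhost}"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/ca.crt" -noout -text | grep -q 'CA:TRUE' || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:${host}" || return 1
}

# Usage: bash make_local_pki.sh <output-dir> [hostname]
if [ -n "${1:-}" ]; then
    make_local_pki "$1" "${2:-localhost}"
    if check_local_pki "$1" "${2:-localhost}"; then
        echo "OK: $1/server.crt chains to $1/ca.crt"
    else
        echo "FAILED: $1/server.crt does not verify against $1/ca.crt" >&2
        exit 1
    fi
fi
```

Running bash make_local_pki.sh out localhost leaves out/ca.crt (the file to install in step 4) and out/server.crt plus out/server.key (the files for step 5). The check_local_pki function does with openssl verify what the browser will do later, so a failure here means a failure in the browser; fix it before installing anything.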
4 Install the CA among the trusted authorities.
Locate ca.crt, double-click it, and install it into "Trusted Root Certification Authorities".
You can open certmgr.msc to confirm the result (certmgr.msc shows the current user's store; certlm.msc shows the local machine store, which applies to all users). Install only ca.crt, never ca.key. Firefox does not use the Windows store by default: either import ca.crt under Settings > Privacy & Security > Certificates > View Certificates > Authorities, or set security.enterprise_roots.enabled to true in about:config.
5 Register the server certificate with Apache.
Uncomment the following lines in httpd.conf:
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ahssl.conf
Register the server certificate in httpd-ahssl.conf:
SSLCertificateFile "${SRVROOT}/conf/server.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/server.key"
Copy the server certificate and key to the locations given above:
server.crt, server.key
(Restrict the NTFS permissions on server.key to the account Apache runs as plus administrators, and make sure the ServerName in the SSL virtual host matches the name in the certificate, localhost here.)
6 Restart the Apache service and the browser.
Open services.msc and restart the Apache service.
Always restart the browser, even though some browsers pick up the new root certificate without it.