Last week I started implementing an MQ Telemetry Transport (MQTT) broker. MQTT is a lightweight publish-subscribe protocol used in Internet of Things (IoT) solutions. This broker had to receive sensor data and forward it to other MQTT clients. The communication had to be secure.
Secure, in this case, meant using certificates.
OK, certificates, sigh, here we go again. I exhaled through my nose and gathered myself. I never liked working with certificates. I searched the internet and found out how to generate self-signed certificates. “I really should automate this,” I remember having thought a couple of times before…
But somehow, I always end up creating the certificate by typing commands in a terminal. I then continue with the project and never look back.
I have always had a love-hate relationship with certificates. I never fully understand how they work, but once in a while I need them during development.
So I ended up writing this article. It is a future reference for me. It contains just enough detail to understand certificates from a developer’s perspective.
Besides this, I finally automated the creation of a locally trusted development certificate. See this GitHub repository.
I hope you will find it useful.
A Little Bit of Theory
I promise, only a little bit.
Do we need certificates?
Yes, we do. We need certificates for two main reasons:
- Secure transmission of data.
- Identification of the sender or recipient.
Secure transmission of data
You can use two types of encryption to transmit data securely: symmetric and asymmetric. Both have their pros and cons. Later, we will see that when a browser uses HTTPS to connect to a website, it uses both types of encryption.
What is the difference between symmetric and asymmetric encryption?
I find symmetric encryption the easiest to understand. Both the sender and the recipient share a secret key. The sender uses this secret key to transform the message before sending it. The recipient uses the same secret key to recover the original message.
Asymmetric encryption always feels a bit like magic to me. In this case, you create two keys that belong together. The first is the public key. You can share it with anyone who wants to send you a message. The second is the private key. Only you need to know it.
If you encrypt a message using the public key, it can only be decrypted with the private key. Likewise, if you encrypt a message using the private key, it can only be decrypted using the public key. Pure magic.
Both types of encryption are used with SSL.
SSL communication (simplified)
When a browser connects to a website that uses SSL, the following steps are performed.
- You instruct the browser to connect to a website via HTTPS. The browser requests that the web server identify itself.
- The web server sends a copy of its certificate back to the browser.
- The browser validates the identity in the certificate. Does the name in the certificate match the domain name? Do I trust the certificate authority that signed the certificate?
- The browser generates a password and encrypts it using the public key it retrieved from the certificate. This is asymmetric encryption. The browser sends the encrypted password to the web server.
- The web server decrypts the password using its private key.
- The browser sets up an encrypted connection. Both sides encrypt and decrypt data using the password generated earlier. This is symmetric encryption.
The reason the browser uses asymmetric encryption only to transmit the password is performance: asymmetric encryption is significantly slower than symmetric encryption.
Identification of the sender or recipient
Certificates are also used for identification. This way, you can be sure that you are actually connecting to the correct website.
The validation has two parts. First, the browser checks whether the certificate returned by the web server can be trusted. It does so by making sure that the certificate is signed by a certificate authority (CA).
The operating system of your device contains a list of trusted certificates.
For example, see the screenshot below, which shows the IdenTrust root certificate. The IdenTrust root certificate is one of the most used CA certificates, mostly because Let’s Encrypt certificates are cross-signed by IdenTrust.
The Keychain Access app on macOS shows trusted CA certificates
The browser uses this list of trusted certificates to validate that the received certificate is signed by a CA in the list.
The second part of the identification is to validate that the common name of the certificate corresponds with the domain that serves the certificate.
The certificate from www.google.com with common name *.google.com
Certificate file formats
There are many different formats for storing certificates. Sometimes I see file formats used incorrectly. The following formats are used for certificates.
PEM format
The Privacy Enhanced Mail (PEM) format is the most common format for storing certificates and private keys. The content of the file is Base64-encoded ASCII.
The file can have the extension .pem, .crt, .key, or .ca-bundle. To make sure that the file is actually a PEM file, open it and check that it starts with BEGIN CERTIFICATE or BEGIN RSA PRIVATE KEY (a key written by genpkey, as later in this article, is stored in PKCS #8 syntax and starts with BEGIN PRIVATE KEY instead).
P7B format
A file in the P7B or PKCS#7 format is also stored as Base64-encoded ASCII.
The file has the extension .p7b or .p7c. The P7B format can only store certificates, not private keys. The format is used on Windows and with Java Tomcat.
DER format
The Distinguished Encoding Rules (DER) format stores certificates and private keys in binary form. The file has the extension .der or .cer. The DER format is often used on Java platforms.
PKCS#12 format
The PKCS#12 or PFX format is a binary file that stores the private key and the certificate together.
The file has the extension .pfx or .p12. These files are used on Windows and macOS to import and export certificates together with their private keys.
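As an added example (not from the article), the following shell script builds a constructed self-signed certificate, converts it between the PEM, DER, P7B and PKCS#12 formats described above, and identifies a file's format from its content rather than its extension; the working directory, the function names and the 'changeit' passphrase are placeholders.

```shell
#!/bin/sh
# Added example, not code from the article: convert a development certificate
# between the four formats listed above and identify a file's format the way
# the article suggests (by its PEM header), falling back to OpenSSL's parsers
# for the binary formats. Assumes OpenSSL 1.1.1 on PATH; the self-signed input
# is constructed here, and FMTDIR and 'changeit' are placeholders.
set -eu

FMTDIR="${FMTDIR:-$(mktemp -d)}"

# Constructed input: a throw-away private key and self-signed certificate (PEM).
make_pem_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=localhost' -keyout "$FMTDIR/key.pem" \
        -out "$FMTDIR/cert.pem" 2>/dev/null
}

# PEM -> DER: the same certificate, binary instead of Base64.
to_der() {
    openssl x509 -in "$FMTDIR/cert.pem" -outform DER -out "$FMTDIR/cert.der"
}

# PEM -> P7B (PKCS#7): Base64 container that holds certificates only.
to_p7b() {
    openssl crl2pkcs7 -nocrl -certfile "$FMTDIR/cert.pem" -out "$FMTDIR/cert.p7b"
}

# PEM key + certificate -> PKCS#12: one binary file with both. A real export
# needs a strong passphrase; 'changeit' is only a placeholder here.
to_p12() {
    openssl pkcs12 -export -inkey "$FMTDIR/key.pem" -in "$FMTDIR/cert.pem" \
        -passout pass:changeit -out "$FMTDIR/cert.p12"
}

# Print a file's real format, whatever its extension says.
detect_format() {
    f="$1"
    # Text formats announce themselves in the first line (non-printable bytes
    # are dropped so a binary file cannot match by accident).
    case "$(head -n 1 "$f" | tr -cd '[:print:]')" in
        *"-----BEGIN CERTIFICATE-----"*)     echo "PEM certificate"; return ;;
        *"-----BEGIN RSA PRIVATE KEY-----"*) echo "PEM private key (PKCS#1)"; return ;;
        *"-----BEGIN PRIVATE KEY-----"*)     echo "PEM private key (PKCS#8)"; return ;;
        *"-----BEGIN PKCS7-----"*)           echo "PEM PKCS#7 bundle"; return ;;
    esac
    # Binary formats: try the X.509 parser first; a PKCS#12 file is a DER
    # SEQUENCE whose first element is the version INTEGER 3.
    if openssl x509 -inform DER -in "$f" -noout 2>/dev/null; then
        echo "DER certificate"
    elif openssl asn1parse -inform DER -in "$f" 2>/dev/null \
            | sed -n '2p' | grep -q 'INTEGER *:03'; then
        echo "PKCS#12 bundle"
    else
        echo "unknown"
    fi
}

# Same certificate in two encodings: the SHA-256 fingerprints must match.
fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
```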
Generating One-Off Self-Signed Certificates
A self-signed certificate can be generated on any computer. I use macOS with version 1.1.1 of OpenSSL. OpenSSL is a full-featured toolkit and cryptography library. For most operating systems there are ready-to-use OpenSSL binary packages.
The following steps are needed to generate a self-signed certificate:
- Generate a private key.
- Create a certificate signing request.
- Generate the certificate.
1. Generating a private key
The first step is to create a private key by executing the following command.
openssl genpkey -algorithm RSA -des3 -out private-key.pem -pkeyopt rsa_keygen_bits:4096
genpkey — The OpenSSL command to execute; in this case, generate a private key.
-algorithm RSA — Which public-key algorithm to use. Other options are available, such as RSA-PSS, EC, X25519, X448, ED25519, and ED448.
-des3 — This option specifies that OpenSSL must encrypt the private key using Triple-DES. Upon executing the command, it asks for the passphrase to use.
-out private-key.pem — OpenSSL should store the private key in a file called private-key.pem.
-pkeyopt rsa_keygen_bits:4096 — Specifies the number of bits of the generated key. I use 4096 bits.
By default, the output file private-key.pem is a PEM file. With genpkey, OpenSSL uses the PKCS #8 syntax to store the key in the file.
I use genpkey instead of genrsa because it uses more sensible defaults.
For example, the default size of a key generated by genrsa is 512 bits, which, according to Ars Technica in 2015, could be broken in four hours using a $75 Amazon EC2 instance.
2. Creating a Certificate Signing Request (CSR)
A CSR is like an order for a certificate. If you need an official SSL certificate, you send the CSR to an official certificate authority (CA), which uses it to generate the certificate.
We, however, will use this request to generate a certificate ourselves: a self-signed certificate.
Earlier, I described the two main reasons to use a certificate: encryption and identification. OpenSSL asks a number of questions to know what information to put in the CSR.
The question that asks for your Common Name is important for identification. Answer it with the fully qualified domain name that you want to use the certificate for. This can also be an internal domain, localhost, or an IP address.
openssl req -new -key private-key.pem -out csr.pem
req — Create a certificate request in PKCS#10 format.
-new — Generate a new certificate request and ask the user for all the needed information.
-key — The filename of the private key to use. The private key was generated in the previous step.
-out — The filename of the created certificate request.
OpenSSL will ask the following questions:
- Common name: The FQDN (fully qualified domain name) you want to secure with the certificate.
- Organization: The full name of your organization. Only important for trusted certificates.
- Organization Unit (OU): Your department. Only important for trusted certificates.
- City or locality: The city where your organization is located.
- State or province: The state or province where your organization is located.
- Country: The official two-letter country code where your organization is located.
3. Creating the self-signed certificate
With the private key from step one and the certificate request from step two, you can create a self-signed certificate. The following OpenSSL command creates the certificate.
openssl x509 -in csr.pem -out certificate.pem -req -signkey private-key.pem -days 365
x509 — Perform a certificate command.
-in — The certificate signing request (csr.pem).
-out — The filename to use to save the generated certificate; in this case, certificate.pem.
-req — Indicate to OpenSSL that the input is a CSR.
-signkey — Self-sign the certificate request using the given private-key.pem file.
-days — The number of days the generated certificate is valid. Normal values are 365, 730, and 1095 days, for a duration of one, two, or three years.
You now have a certificate.pem file that can be used for local development. Depending on your development environment, you may have to convert the certificate to another format.
For Node.js development you can use the certificate.pem file directly.
Creating Multiple Self-Signed Certificates
Simply generating a self-signed certificate works great for a single one-man project. If you have multiple projects or work with a development team, it becomes cumbersome to create a self-signed certificate for each project and import it into the certificate store of each developer.
Sure, you can create scripts to generate them, but I think creating a certificate authority (CA) yourself is a better solution.
You become a CA by creating a CA certificate and using it to sign your development certificates. Your development team can trust the CA certificate and will then automatically trust all generated certificates that are signed with it.
To become a certificate authority and sign a certificate, you have to perform the following steps:
- Generate a private key for the CA.
- Generate a root certificate.
- Create a private key for the certificate.
- Create a certificate signing request.
- Create a certificate and sign it with the CA private key.
1. Generate a private key for the CA
The private key for the CA can be generated using the following command.
openssl genpkey -algorithm RSA -des3 -out private-key-ca.pem -pkeyopt rsa_keygen_bits:4096
This command is no different from the command for generating a private key for a self-signed certificate. The only difference is the filename, private-key-ca.pem.
This command generates the file private-key-ca.pem in the current directory.
2. Generate a root certificate
With the following command, we directly generate a root certificate based on the private key generated in the previous step.
openssl req -x509 -new -key private-key-ca.pem -sha256 -days 3650 -out ca-certificate.pem
OpenSSL again asks for the passphrase of the private key and asks what information to put in the root certificate.
In this case, the answers you provide are not really relevant. The only thing I recommend is to put something in one of the fields that lets you recognise this as the root certificate.
The command generates the file ca-certificate.pem in the current directory.
3. Create a private key for the certificate
With the following command, which we used before, we generate a private key for this specific certificate.
openssl genpkey -algorithm RSA -des3 -out private-key.pem -pkeyopt rsa_keygen_bits:4096
This command generates the file private-key.pem in the current directory.
4. Create a certificate signing request
With the following command, which we also used before, we generate the certificate signing request.
openssl req -new -key private-key.pem -out csr.pem
OpenSSL again asks the questions whose answers go into the certificate signing request. The one question that is important is the Common Name. Set this to the domain name or IP address where you want to use the certificate.
Newer browsers use the Subject Alternative Name (SAN) to store DNS names or IP addresses. See the part about SAN later in the article.
5. Create a certificate and sign it with the CA private key
The following command creates the certificate and signs it with the private key of the CA.
openssl x509 -req -in csr.pem -CA ca-certificate.pem -CAkey private-key-ca.pem -CAcreateserial -out certificate.crt -days 3650
x509 — Perform a certificate command.
-req — The x509 command expects a certificate as input. With -req you indicate that you will provide a certificate request instead.
-in — The certificate request (csr.pem).
-CA — The certificate of the CA to use to sign the created certificate (ca-certificate.pem).
-CAkey — The private key of the CA to use to sign the created certificate (private-key-ca.pem).
-CAcreateserial — Each certificate issued by a CA must contain a unique serial number. OpenSSL keeps the serial number in a file with the same name as the CA certificate and the .srl extension, creating it if it does not exist. In this case, there will be a ca-certificate.srl in your local directory.
-out — The filename of the certificate to generate (certificate.crt).
-days — The number of days the generated certificate is valid (3650).
Automating the Creation of the Local CA and Certificates
Photo by Museums Victoria on Unsplash
In the previous paragraphs, I showed you the OpenSSL commands that are necessary to create the local CA and the certificates.
I wouldn’t be a good developer if I didn’t also try to automate it.
Using scripts
I created two separate scripts: one for generating the local CA and another for generating the certificate signed by the local CA. Both can be found in this GitHub repository.
There are separate scripts for Windows and macOS. One difference from the commands in the previous paragraphs is that the scripts use config files to answer the questions.
For example, the following config file is used when generating the CA certificate. It specifies the answers to the various questions from OpenSSL. You can change the answers to your liking. The same type of config is also available for the generation of the self-signed certificate.
[req]
prompt = no
distinguished_name = req_distinguished_name
[req_distinguished_name]
C = US
ST = CA State
L = CA Country
O = CA Company
OU = CA Org Unit
emailAddress = [email protected]
CN = Local Certificate Authority
Subject Alternative Name
Earlier, I described using the Common Name to store the fully qualified domain name. As of version 58, Chrome no longer supports Common Name checking and ignores the field.
Instead, the SAN (Subject Alternative Name) field is the correct place to specify your domain. In the GitHub repository there is a config file called certificate-ext.conf that contains the domains and IP addresses that are put into the SAN.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = local.dev
# DNS.3 = another dev domain
IP.1 = 127.0.0.1
# IP.2 = Another ip address
You can change this configuration file to add the domain names and IP addresses that you need.
After you generate the certificate using the ./generate-cert.sh command, the generated certificate will have the SAN correctly filled.
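As an added example that is not the author's script, here are the five CA steps from the previous section run non-interactively in one shell script: the OpenSSL questions are answered from config files with prompt = no, and the SAN is supplied through an extension file shaped like certificate-ext.conf; the working directory, the config values and the function names are assumptions, and the keys are written unencrypted so that nothing prompts for a passphrase.

```shell
#!/bin/sh
# Added example, not the author's scripts: the five CA steps run without
# prompts, answers coming from config files (prompt = no) and the SAN from an
# extension file, as the article's scripts do. Assumes OpenSSL 1.1.1 on PATH;
# WORKDIR and the config values are placeholders. Keys are written unencrypted
# (no -des3), so umask restricts the files to the owner instead.
set -eu
umask 077

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Config for the root (CA:TRUE marks it as a CA), the leaf CSR, and the SAN.
write_configs() {
    cat > "$WORKDIR/ca.conf" <<'EOF'
[req]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
C = US
O = Dev Team
CN = Local Certificate Authority
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORKDIR/cert.conf" <<'EOF'
[req]
prompt = no
distinguished_name = req_distinguished_name
[req_distinguished_name]
CN = localhost
EOF
    cat > "$WORKDIR/certificate-ext.conf" <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = local.dev
IP.1 = 127.0.0.1
EOF
}

# Steps 1 and 2: CA private key and self-signed root certificate (10 years).
generate_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
        -out "$WORKDIR/private-key-ca.pem" 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -config "$WORKDIR/ca.conf" \
        -key "$WORKDIR/private-key-ca.pem" -out "$WORKDIR/ca-certificate.pem"
}

# Steps 3 to 5: leaf private key, CSR, and the CA-signed certificate. The
# -extfile option is what puts the SAN into the issued certificate.
generate_cert() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/private-key.pem" 2>/dev/null
    openssl req -new -config "$WORKDIR/cert.conf" \
        -key "$WORKDIR/private-key.pem" -out "$WORKDIR/csr.pem"
    openssl x509 -req -sha256 -days 365 -in "$WORKDIR/csr.pem" \
        -CA "$WORKDIR/ca-certificate.pem" -CAkey "$WORKDIR/private-key-ca.pem" \
        -CAcreateserial -extfile "$WORKDIR/certificate-ext.conf" \
        -out "$WORKDIR/certificate.crt" 2>/dev/null
}

# The two checks a browser makes: the chain ends at our root, and the name
# we serve is in the SAN (not only in the Common Name).
verify_cert() {
    openssl verify -CAfile "$WORKDIR/ca-certificate.pem" "$WORKDIR/certificate.crt" >/dev/null
    openssl x509 -in "$WORKDIR/certificate.crt" -noout -text | grep -q 'DNS:local.dev'
}
```

Run write_configs, generate_ca, generate_cert and verify_cert in that order; the CA certificate is then the one file each developer imports into their trust store.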
Using mkcert
If you cannot use the previous scripts or want a more extensive solution, you can use mkcert. Mkcert was created by Filippo Valsorda, who is part of the Google Go team.
Mkcert is a simple tool for making locally trusted development certificates. It is implemented in Go and requires no configuration. It works on Linux, Windows, and macOS.
You can install mkcert using brew on macOS by executing the following command:
brew install mkcert
After installation, we can use the tool to create our own CA with the following command:
mkcert -install
The tool creates a new CA and directly installs it in the root store of your operating system. The name of the certificate starts with mkcert and contains the name of the computer on which you executed mkcert.
The private CA key and certificate are also stored on the file system. You can get their location by executing the following command:
mkcert -CAROOT
After installing the new CA, you can use mkcert to generate certificates that are automatically signed by it. For example, the following command:
mkcert dev.com *.dev.com localhost 127.0.0.1
This creates a certificate that is valid for the given names. Mkcert stores the given DNS names and IP address in the Subject Alternative Name (SAN) part of the certificate.
The generated private key and certificate are available in the directory where you ran the command.
Do I Still Have a Love-Hate Relationship With SSL Certificates?
After creating the automation scripts and writing this article, I appreciate them more. I still don’t like them, but I see them as a necessity for solid security.
Thank you for reading.
Translated from: https://medium.com/better-programming/how-to-create-ssl-certificates-for-development-861237235933