在Mac上,您可以通过执行以下操作来创建Chrome和Safari在系统级别上完全信任的证书:
# create a root authority cert
./create_root_cert_and_key.sh
# create a wildcard cert for mysite.com
./create_certificate_for_domain.sh mysite.com
# or create a cert for www.mysite.com, no wildcards
./create_certificate_for_domain.sh www.mysite.com www.mysite.com
如果要创建一个新的自签名证书,该证书将使用您自己的根权限进行完全信任,则可以使用以下脚本来进行此操作。
create_root_cert_and_key.sh
#!/usr/bin/env bash
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
create_certificate_for_domain.sh
#!/usr/bin/env bash
if [ -z "$1" ]
then
echo "Please supply a subdomain to create a certificate for";
echo "e.g. www.mysite.com"
exit;
fi
if [ ! -f rootCA.pem ]; then
echo 'Please run "create_root_cert_and_key.sh" first, and try again!'
exit;
fi
if [ ! -f v3.ext ]; then
echo 'Please download the "v3.ext" file and try again!'
exit;
fi
# Create a new private key if one doesnt exist, or use the xeisting one if it does
if [ -f device.key ]; then
KEY_OPT="-key"
else
KEY_OPT="-keyout"
fi
DOMAIN=$1
COMMON_NAME=${2:-*.$1}
SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME"
NUM_OF_DAYS=825
openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr
cat v3.ext | sed s/%%DOMAIN%%/"$COMMON_NAME"/g > /tmp/__v3.ext
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext
# move output files to final filenames
mv device.csr "$DOMAIN.csr"
cp device.crt "$DOMAIN.crt"
# remove temp file
rm -f device.crt;
echo
echo "###########################################################################"
echo Done!
echo "###########################################################################"
echo "To use these files on your server, simply copy both $DOMAIN.csr and"
echo "device.key to your webserver, and use like so (if Apache, for example)"
echo
echo " SSLCertificateFile /path_to_your_files/$DOMAIN.crt"
echo " SSLCertificateKeyFile /path_to_your_files/device.key"
v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = %%DOMAIN%%
进一步的步骤-如何使自签名证书在Chrome / Safari中得到完全信任
要使自签名证书在Chrome和Safari中受到完全信任,您需要将新的证书颁发机构导入Mac。为此,请遵循以下说明,或在mitmproxy网站上对该一般过程进行更详细的说明:
您可以使用以下命令在命令行中通过以下两种方式之一进行操作,该命令将提示您输入密码:
$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem
或使用Keychain Access应用程序:
- 开放式钥匙串访问
- 在“钥匙串”列表中选择“系统”
- 在“类别”列表中选择“证书”
- 选择“文件|导入项目...”
- 浏览到上面创建的文件“ rootCA.pem”,选择它,然后单击“打开”
- 在“证书”列表中选择新导入的证书。
- 单击“ i”按钮,或右键单击您的证书,然后选择“获取信息”
- 展开“信任”选项
- 将“使用此证书时”更改为“始终信任”
- 关闭对话框,系统将提示您输入密码。
- 关闭并重新打开使用目标域的所有选项卡,它将安全地加载!
另外,如果需要Java客户端信任证书,则可以通过将证书导入到Java密钥库中来实现。请注意,如果证书已经存在,它将从密钥库中删除该证书,因为它需要在发生更改时进行更新。当然,仅对要导入的证书执行此操作。
import_certs_in_current_folder_into_java_keystore.sh
KEYSTORE="$(/usr/libexec/java_home)/jre/lib/security/cacerts";
function running_as_root()
{
if [ "$EUID" -ne 0 ]
then echo "NO"
exit
fi
echo "YES"
}
function import_certs_to_java_keystore
{
for crt in *.crt; do
echo prepping $crt
keytool -delete -storepass changeit -alias alias__${crt} -keystore $KEYSTORE;
keytool -import -file $crt -storepass changeit -noprompt --alias alias__${crt} -keystore $KEYSTORE
echo
done
}
if [ "$(running_as_root)" == "YES" ]
then
import_certs_to_java_keystore
else
echo "This script needs to be run as root!"
fi
