apache: How do I create a self-signed SSL certificate to use while testing a web app

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/18034/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Time: 2020-09-13 16:41:50  Source: igfitidea

How do I create a self signed SSL certificate to use while testing a web app

apache, ssl

Asked by ScArcher2

How do I create a self signed SSL certificate for an Apache Server to use while testing a web app?

Answered by Christian Hagelid

How do I create a self-signed SSL Certificate for testing purposes?

from http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert:

  1. Make sure OpenSSL is installed and in your PATH.

  2. Run the following command, to create server.key and server.crt files:

    openssl req -new -x509 -nodes -out server.crt -keyout server.key
    

    These can be used as follows in your httpd.conf file:

    SSLCertificateFile    /path/to/this/server.crt
    SSLCertificateKeyFile /path/to/this/server.key
    
  3. It is important that you are aware that this server.key does not have any passphrase. To add a passphrase to the key, you should run the following command, and enter & verify the passphrase as requested.

    openssl rsa -des3 -in server.key -out server.key.new
    mv server.key.new server.key
    

    Please backup the server.key file, and the passphrase you entered, in a secure location.

Answered by Francisco Luz

WARNING: This is totally useless for purposes other than local testing.

Replace MYDOMAIN with your local domain. Works with localhost too.

In some folder create MYDOMAIN.conf file. Add the following content into it:

[ req ]
prompt              = no
default_bits        = 2048
default_keyfile     = MYDOMAIN.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
#   It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName         = KE
stateOrProvinceName = Nairobi
localityName        = Nairobi
organizationName    = Localhost

# Use a friendly name here because it's presented to the user. The server's DNS
#   names are placed in Subject Alternate Names. Plus, DNS names here are deprecated
#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you
#   must include the DNS name in the SAN too (otherwise, Chrome and others that
#   strictly follow the CA/Browser Baseline Requirements will fail).
commonName          = Localhost dev cert
emailAddress        = [email protected]

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer

# You only need digitalSignature below. *If* you don't allow
#   RSA Key transport (i.e., you use ephemeral cipher suites), then
#   omit keyEncipherment because that's key transport.
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment               = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage  = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier    = hash

basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment               = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage  = serverAuth, clientAuth

[ alternate_names ]

DNS.1       = MYDOMAIN

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
# DNS.5       = localhost
# DNS.6       = localhost.localdomain

# IP addresses belong in IP.n entries, not DNS.n: a dNSName holding the
#   string "127.0.0.1" is never matched by a client's IP-address SAN check.
IP.1        = 127.0.0.1

# IPv6 localhost
# IP.2      = ::1

Generate the certificate files:

$ sudo openssl req -config MYDOMAIN.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout MYDOMAIN.key -days 1024 -out MYDOMAIN.crt
$ sudo openssl pkcs12 -export -out MYDOMAIN.pfx -inkey MYDOMAIN.key -in MYDOMAIN.crt
$ sudo chown -R $USER *

Make your local machine trust your certificate:

# Install the cert utils
$ sudo apt-get install libnss3-tools

# Trust the certificate for SSL
$ pk12util -d sql:$HOME/.pki/nssdb -i MYDOMAIN.pfx

# Trust self-signed server certificate
$ certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n 'dev cert' -i MYDOMAIN.crt

Edit /etc/apache2/sites-available/default-ssl.conf and make sure these two directives point to the .crt and .key files you have just created (un-comment them if needed):

SSLCertificateFile     /path/to/MYDOMAIN.crt
SSLCertificateKeyFile  /path/to/MYDOMAIN.key

Apply configuration and re-start apache:

# If you are not using the default configuration ( /etc/apache2/sites-available/default-ssl.conf ),
# then replace "default-ssl" with whatever conf file name you have chosen
# ( DO NOT include the .conf bit ).
$ sudo a2ensite default-ssl

$ sudo service apache2 restart

Visit https://MYDOMAIN in your browser. Firefox will warn you that the certificate is self-signed and, therefore, say it is invalid. You will have to add an exception.

Source:

  • Most of it I got from 3dw1n_m0535;
  • If you run into trouble, read the README file at /usr/share/doc/apache2/README.Debian.gz
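The two answers above (Christian Hagelid's bare `openssl req -x509` plus passphrase step, and Francisco Luz's SAN-bearing config) both stop once the files exist. What a practitioner wants next is a check that the certificate will actually be accepted for the hostname, that the key on disk is the one inside the certificate, and a way to do the passphrase step without an interactive prompt. The script below is an added example written for this page, not code from either answer: it generates a reduced form of the SAN config above, encrypts the key non-interactively (AES-256 where the first answer uses -des3), and verifies the result with `openssl verify` the way a client that trusts the cert would. It assumes OpenSSL 1.1.1 or newer on PATH; the hostname dev.example.test, the output directory and the passphrase used in the stand-alone run are made-up values.

```shell
#!/bin/sh
# Added example for this page, not code from either StackOverflow answer.
# Creates a self-signed server cert whose subjectAltName covers the dev
# hostname and loopback, optionally encrypts the key without a prompt, and
# checks the result the way a TLS client would.
# Assumptions: openssl 1.1.1 or newer on PATH. The hostname dev.example.test,
# the output directory and the passphrase in the stand-alone run are made up.

# make_dev_cert HOST OUTDIR -> writes OUTDIR/HOST.key (mode 600) and OUTDIR/HOST.crt.
# Browsers match the hostname against the SAN only, so the CN is just a label.
make_dev_cert() {
  host="$1"
  out="$2"
  mkdir -p "$out" || return 1
  cat > "$out/$host.conf" <<EOF
[ req ]
prompt             = no
distinguished_name = subject
x509_extensions    = x509_ext

[ subject ]
commonName         = $host dev cert

[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = @alt_names

[ alt_names ]
DNS.1 = $host
DNS.2 = localhost
IP.1  = 127.0.0.1
IP.2  = ::1
EOF
  openssl req -config "$out/$host.conf" -new -x509 -sha256 \
      -newkey rsa:2048 -nodes -days 30 \
      -keyout "$out/$host.key" -out "$out/$host.crt" >/dev/null 2>&1 || return 1
  chmod 600 "$out/$host.key"
}

# cert_has_san CRT NAME -> 0 when "DNS:NAME" is one of the SAN entries.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# key_matches_cert KEY CRT [PASS] -> 0 when the public key derived from KEY is
# byte-identical to the SubjectPublicKeyInfo in CRT. PASS is needed once the
# key is encrypted; a wrong PASS makes the extraction fail, so the result is 1.
key_matches_cert() {
  tmp=$(mktemp -d) || return 1
  openssl pkey -in "$1" -passin "pass:${3:-}" -pubout -out "$tmp/k.pem" 2>/dev/null \
    && openssl x509 -in "$2" -noout -pubkey > "$tmp/c.pem" 2>/dev/null \
    && cmp -s "$tmp/k.pem" "$tmp/c.pem"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# verify_as_client CRT HOST -> 0 when a client that trusts CRT as an anchor
# accepts it for HOST: signature and validity check plus hostname match against
# the SAN. A self-signed cert passes only because it is supplied as the anchor,
# which is what the pk12util/certutil step in the answer does for the browser.
verify_as_client() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# encrypt_key KEY PASS -> re-encrypts KEY in place with AES-256. This is the
# non-interactive form of the first answer's "openssl rsa -des3" step.
encrypt_key() {
  openssl rsa -aes256 -in "$1" -out "$1.new" -passout "pass:$2" 2>/dev/null \
    && mv "$1.new" "$1" && chmod 600 "$1"
}

# Stand-alone run; DEV_HOST and DEV_OUT are example defaults, override via env.
DEV_HOST="${DEV_HOST:-dev.example.test}"
DEV_OUT="${DEV_OUT:-$(mktemp -d)}"
if make_dev_cert "$DEV_HOST" "$DEV_OUT" \
   && key_matches_cert "$DEV_OUT/$DEV_HOST.key" "$DEV_OUT/$DEV_HOST.crt" \
   && verify_as_client "$DEV_OUT/$DEV_HOST.crt" "$DEV_HOST"; then
  echo "$DEV_OUT/$DEV_HOST.crt verifies for $DEV_HOST; key is $DEV_OUT/$DEV_HOST.key"
fi
```

Set DEV_HOST to the name you will type into the browser and point SSLCertificateFile / SSLCertificateKeyFile at the two output files. The hostname-mismatch case (verify_as_client with a name that is not in the SAN) is the check that the bare `openssl req -new -x509` command in the first answer cannot pass in Chrome, since that command produces no SAN at all. If you do run encrypt_key, keep in mind that Apache then needs the passphrase on every start (via SSLPassPhraseDialog), which is why most test setups leave the key unencrypted and rely on file permissions instead.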

Answered by alexmcchessers

Various tools exist that can generate SSLs. Try OpenSSL, for example. Alternatively, there's one in the IIS 6 resource kit, if you're on Windows.

Answered by tgmdbm

Use OpenSSL (http://www.openssl.org/)

Here's a tutorial: http://novosial.org/openssl/self-signed/

Here is a good tutorial to start with: SSH localhost.