Update (Nov 2018): Do you needself-signed certs?

更新（2018 年 11 月）：您需要自签名证书吗？

Or would real certificates get the job done better? Have you considered any of these?

或者真正的证书会让工作做得更好？你考虑过这些吗？

• Let's Encrypt via Greenlock.js
• Let's Encrypt via https://greenlock.domains
• Localhost relay service such as https://telebit.cloud

• 让我们通过Greenlock.js加密
• 让我们通过https://greenlock.domains加密
• 本地主机中继服务，例如https://telebit.cloud

(Note: Let's Encrypt can also issue certificates to private networks)

（注：Let's Encrypt 也可以向私有网络颁发证书）

ScreenCast

投屏

https://coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/

https://coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/

Full, Working example

完整的工作示例

• creates certificates
• runs node.js server
• no warnings or errors in node.js client
• no warnings or errors in cURL

• 创建证书
• 运行 node.js 服务器
• node.js 客户端中没有警告或错误
• cURL 中没有警告或错误

https://github.com/coolaj86/nodejs-self-signed-certificate-example

https://github.com/coolaj86/nodejs-self-signed-certificate-example

Using localhost.greenlock.domainsas an example (it points to 127.0.0.1):

使用localhost.greenlock.domains作为一个例子（它指向127.0.0.1）：

server.js

服务器.js

'use strict';

var https = require('https')
  , port = process.argv[2] || 8043
  , fs = require('fs')
  , path = require('path')
  , server
  , options
  ;

require('ssl-root-cas')
  .inject()
  .addFile(path.join(__dirname, 'server', 'my-private-root-ca.cert.pem'))
  ;

options = {
  // this is ONLY the PRIVATE KEY
  key: fs.readFileSync(path.join(__dirname, 'server', 'privkey.pem'))
  // You DO NOT specify `ca`, that's only for peer authentication
//, ca: [ fs.readFileSync(path.join(__dirname, 'server', 'my-private-root-ca.cert.pem'))]
  // This should contain both cert.pem AND chain.pem (in that order) 
, cert: fs.readFileSync(path.join(__dirname, 'server', 'fullchain.pem'))
};


function app(req, res) {
  res.setHeader('Content-Type', 'text/plain');
  res.end('Hello, encrypted world!');
}

server = https.createServer(options, app).listen(port, function () {
  port = server.address().port;
  console.log('Listening on https://127.0.0.1:' + port);
  console.log('Listening on https://' + server.address().address + ':' + port);
  console.log('Listening on https://localhost.greenlock.domains:' + port);
});

client.js

客户端.js

'use strict';

var https = require('https')
  , fs = require('fs')
  , path = require('path')
  , ca = fs.readFileSync(path.join(__dirname, 'client', 'my-private-root-ca.cert.pem'))
  , port = process.argv[2] || 8043
  , hostname = process.argv[3] || 'localhost.greenlock.domains'
  ;

var options = {
  host: hostname
, port: port
, path: '/'
, ca: ca
};
options.agent = new https.Agent(options);

https.request(options, function(res) {
  res.pipe(process.stdout);
}).end();

And the script that makes the certificate files:

以及制作证书文件的脚本：

make-certs.sh

make-certs.sh

#!/bin/bash
FQDN=

# make directories to work from
mkdir -p server/ client/ all/

# Create your very own Root Certificate Authority
openssl genrsa \
  -out all/my-private-root-ca.privkey.pem \
  2048

# Self-sign your Root Certificate Authority
# Since this is private, the details can be as bogus as you like
openssl req \
  -x509 \
  -new \
  -nodes \
  -key all/my-private-root-ca.privkey.pem \
  -days 1024 \
  -out all/my-private-root-ca.cert.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

# Create a Device Certificate for each domain,
# such as example.com, *.example.com, awesome.example.com
# NOTE: You MUST match CN to the domain name or ip address you want to use
openssl genrsa \
  -out all/privkey.pem \
  2048

# Create a request from your Device, which your Root CA will sign
openssl req -new \
  -key all/privkey.pem \
  -out all/csr.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

# Sign the request from Device with your Root CA
openssl x509 \
  -req -in all/csr.pem \
  -CA all/my-private-root-ca.cert.pem \
  -CAkey all/my-private-root-ca.privkey.pem \
  -CAcreateserial \
  -out all/cert.pem \
  -days 500

# Put things in their proper place
rsync -a all/{privkey,cert}.pem server/
cat all/cert.pem > server/fullchain.pem         # we have no intermediates in this case
rsync -a all/my-private-root-ca.cert.pem server/
rsync -a all/my-private-root-ca.cert.pem client/

# create DER format crt for iOS Mobile Safari, etc
openssl x509 -outform der -in all/my-private-root-ca.cert.pem -out client/my-private-root-ca.crt

For example:

例如：

bash make-certs.sh 'localhost.greenlock.domains'

Hopefully this puts the nail in the coffin on this one.

希望这能把钉子钉在棺材上。

And some more explanation: https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js

还有一些解释：https: //github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js

Install private cert on iOS Mobile Safari

在 iOS Mobile Safari 上安装私有证书

You need to create a copy of the root ca certificate a DER format with a .crt extension:

您需要创建一个带有 .crt 扩展名的 DER 格式的根 ca 证书的副本：

# create DER format crt for iOS Mobile Safari, etc
openssl x509 -outform der -in all/my-private-root-ca.cert.pem -out client/my-private-root-ca.crt

Then you can simply serve that file with your webserver. When you click the link you should be asked if you want to install the certificate.

然后您可以简单地使用您的网络服务器提供该文件。当您单击该链接时，系统会询问您是否要安装证书。

For an example of how this works you can try installing MIT's Certificate Authority: https://ca.mit.edu/mitca.crt

有关其工作原理的示例，您可以尝试安装 MIT 的证书颁发机构：https: //ca.mit.edu/mitca.crt

Related Examples

相关例子

• https://github.com/coolaj86/nodejs-ssl-example
• https://github.com/coolaj86/nodejs-ssl-trusted-peer-example
• https://github.com/coolaj86/node-ssl-root-cas
• https://github.com/coolaj86/nodejs-https-sni-vhost-example
  • (Multiple vhosts with SSL on the same server)
• https://telebit.cloud
  • (get REAL SSL certs you can use TODAY for testing on localhost)

• https://github.com/coolaj86/nodejs-ssl-example
• https://github.com/coolaj86/nodejs-ssl-trusted-peer-example
• https://github.com/coolaj86/node-ssl-root-cas
• https://github.com/coolaj86/nodejs-https-sni-vhost-example
  • （在同一台服务器上使用 SSL 的多个虚拟主机）
• https://telebit.cloud
  • （获取真正的 SSL 证书，您可以在今天使用它在本地主机上进行测试）

Try adding this to your request options

尝试将此添加到您的请求选项中

var options = {
  host: 'localhost',
  port: 8000,
  path: '/api/v1/test',
  // These next three lines
  rejectUnauthorized: false,
  requestCert: true,
  agent: false
};

Try adding

尝试添加

  agent: false,
  rejectUnauthorized: false

Your key generation looks okay. You shouldn't need a ca because you aren't rejecting unsigned requests.

您的密钥生成看起来不错。您不应该需要 ca，因为您不会拒绝未签名的请求。

Add .toString() to the end of your readFileSync methods so that you are actually passing a string, not a file object.

将 .toString() 添加到 readFileSync 方法的末尾，以便您实际上传递的是字符串，而不是文件对象。

This procedure allows you to create both a certificate authority & a certificate :

此过程允许您创建证书颁发机构和证书：

1. grab this ca.cnffile to use as a configuration shortcut :

   wget https://raw.githubusercontent.com/anders94/https-authorized-clients/master/keys/ca.cnf

1. 获取此ca.cnf文件以用作配置快捷方式：

   wget https://raw.githubusercontent.com/anders94/https-authorized-clients/master/keys/ca.cnf

1. create a new certificate authority using this configuration :

   openssl req -new -x509 -days 9999 -config ca.cnf -keyout ca-key.pem -out ca-cert.pem

2. 使用此配置创建一个新的证书颁发机构：

   openssl req -new -x509 -days 9999 -config ca.cnf -keyout ca-key.pem -out ca-cert.pem

1. now that we have our certificate authority in ca-key.pemand ca-cert.pem, let's generate a private key for the server :

   openssl genrsa -out key.pem 4096

3. 现在我们在ca-key.pemand 中拥有我们的证书颁发机构ca-cert.pem，让我们为服务器生成一个私钥：

   openssl genrsa -out key.pem 4096

1. grab this server.cnffile to use as a configuration shortcut :

   wget https://raw.githubusercontent.com/anders94/https-authorized-clients/master/keys/server.cnf

4. 获取此server.cnf文件以用作配置快捷方式：

   wget https://raw.githubusercontent.com/anders94/https-authorized-clients/master/keys/server.cnf

1. generate the certificate signing request using this configuration :

   openssl req -new -config server.cnf -key key.pem -out csr.pem

5. 使用此配置生成证书签名请求：

   openssl req -new -config server.cnf -key key.pem -out csr.pem

1. sign the request :

   openssl x509 -req -extfile server.cnf -days 999 -passin "pass:password" -in csr.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem

6. 签署请求：

   openssl x509 -req -extfile server.cnf -days 999 -passin "pass:password" -in csr.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem

I found this procedure here, along with more information on how to use these certificates.

我在这里找到了这个过程，以及关于如何使用这些证书的更多信息。