javascript 本地主机的自签名 SSL 证书,如何使可信
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/27608922/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Self-signed SSL cert for localhost, how to make trusted
提问by Lars335
I have an Owin self-host C# app that provides Web API services over 127.0.0.1:5555 (it only listens on localhost, no external connections).
我有一个 Owin 自托管 C# 应用程序,它通过 127.0.0.1:5555 提供 Web API 服务(它只侦听本地主机,没有外部连接)。
These Web API services are called using Ajax from an AngularJS app. As an aside: the reason for the Owin app is that certain interaction with the hardware is needed, which is not possible from within a browser. Also, the AngularJS app is for internal use, so I have control over the browsers used.
这些 Web API 服务是通过 AngularJS 应用程序使用 Ajax 调用的。顺便说一句:Owin 应用程序的原因是需要与硬件进行某些交互,而这在浏览器中是不可能的。此外,AngularJS 应用程序供内部使用,因此我可以控制所使用的浏览器。
The above works very well over HTTP, but the Angular JS app needs to use SSL, which does not work unless the Owin app also uses SSL (otherwise you get "Mixed content" errors).
以上在 HTTP 上工作得很好,但 Angular JS 应用程序需要使用 SSL,除非 Owin 应用程序也使用 SSL(否则你会收到“混合内容”错误),否则它不起作用。
I have bought an official cert for the AngularJS app, and I am using self-signed certs for the Owin localhost stuff.
我已经为 AngularJS 应用程序购买了官方证书,并且我正在为 Owin localhost 的东西使用自签名证书。
The problem is that I get "NET::ERR_CERT_AUTHORITY_INVALID" (when testin from Chrome) and "net::ERR_INSECURE_RESPONSE" from the AngularJS app when talking to the Owin Web API.
问题是我在与 Owin Web API 交谈时从 AngularJS 应用程序中得到“NET::ERR_CERT_AUTHORITY_INVALID”(当从 Chrome 测试时)和“net::ERR_INSECURE_RESPONSE”。
Here is what I have done, in broad strokes:
这是我所做的,大致如下:
I used a CentOS box to generate the cert for localhost and exported it to pkcs12 / pfx format. I also generated a CA cert and exported it the same way.
我使用 CentOS 框为 localhost 生成证书并将其导出为 pkcs12 / pfx 格式。我还生成了一个 CA 证书并以相同的方式导出。
Using MMC I imported the localhost cert on the Windows 7 machine running the Angular & Owin app into Certificates (Local Computer) > Personal > Certificates.
使用 MMC,我将运行 Angular & Owin 应用程序的 Windows 7 机器上的本地主机证书导入到证书(本地计算机)> 个人 > 证书中。
I also imported the CA cert on the Windows 7 machine into Certificates (Local Computer) > Trusted Root Certification Auhorities > Certificates
我还将 Windows 7 机器上的 CA 证书导入到 Certificates (Local Computer) > Trusted Root Certification Auhorities > Certificates
Looking at the localhost cert, it says "Issued to: localhost", Issued by: "ca.acme.com", "You have a private key that correpsonds to this certificate", (under Certification Path) "This certificate is Ok"
查看本地主机证书,它说“颁发给:本地主机”,颁发者:“ca.acme.com”,“您有一个与此证书对应的私钥”,(在证书路径下)“此证书没问题”
The CA cert says "Issued to: ca.acme.com", Issued by: "ca.acme.com", "You have a private key that correpsonds to this certificate", (under Certification Path) "This certificate is Ok"
CA 证书说“颁发给:ca.acme.com”,颁发者:“ca.acme.com”,“您有一个与此证书对应的私钥”,(在认证路径下)“此证书没问题”
netsh http show sslcert
IP:port : 127.0.0.1:5555
Certificate Hash : 1234555555555555555555511155555555555555
Application ID : {1234a123-1234-1234-1234-123412341234}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
What am I missing? How can I make Chrome, etc. trust the SSL cert for localhost?
我错过了什么?如何让 Chrome 等信任本地主机的 SSL 证书?
回答by Lars335
I got this working (sufficiently for my current needs, at least).
我得到了这个工作(至少足以满足我目前的需求)。
I copied the localhost cert from "Certificates (Local Computer) > Personal > Certificates" to "Certificates (Current User) > Personal > Certificates". This got rid of the red cross-out of https in Chrome (and the "NET::ERR_CERT_AUTHORITY_INVALID" message) as well as the "net::ERR_INSECURE_RESPONSE" error in AngularJS.
我将本地主机证书从“证书(本地计算机)> 个人 > 证书”复制到“证书(当前用户)> 个人 > 证书”。这消除了 Chrome 中 https 的红色划线(以及“NET::ERR_CERT_AUTHORITY_INVALID”消息)以及 AngularJS 中的“net::ERR_INSECURE_RESPONSE”错误。
Note that in my case, the localhost cert had to be in both the Local Computer store and in the Current User Store, otherwise the netsh command for binding it to port 5555 (for the Owin app) would fail:
请注意,在我的情况下,本地主机证书必须同时位于本地计算机存储和当前用户存储中,否则将其绑定到端口 5555(对于 Owin 应用程序)的 netsh 命令将失败:
netsh http add sslcert ipport=127.0.0.1:5555 certhash=1234555555555555555555511155555555555555 appid={1234a123-1234-1234-1234-123412341234}
SSL Certificate add failed, Error: 1312, A specified logon session does not exist. It may already have been terminated.
There is still no nice green padlock in Chrome (it now has a yellow little triangle on the pad lock, "The identity of this website has been verified by ca.acme.com but does not have public audit records"), but this does not seem to interfere with the Web API communication, so it should be fine.
Chrome中仍然没有漂亮的绿色挂锁(现在挂锁上有一个黄色的小三角形,“该网站的身份已通过ca.acme.com验证但没有公开审核记录”),但这确实似乎不会干扰 Web API 通信,所以应该没问题。
If anybody knows of an easy way to make it all green and nice with no warnings, I am still interested, but it is not critical.
如果有人知道一种简单的方法可以使它全部绿色且美观且没有警告,我仍然很感兴趣,但这并不重要。
回答by Mike Mitterer
On Linux I had to apt-gt install libnss3-tools
在 Linux 上我不得不 apt-gt install libnss3-tools
With libnss3-tools you get certutil
使用 libnss3-tools,您可以获得 certutil
Now the key-command:
现在的关键命令:
certutil -d sql:$HOME/.pki/nssdb -A -t "CP,CP," -n <your alias> -i <your crt-file to import>
This solve all my problems with Chrome on Raspberry / Linux
这解决了我在 Raspberry / Linux 上使用 Chrome 的所有问题
回答by duskwuff -inactive-
No; you will not be able to get a certificate for "localhost" professionally signed by any reputable SSL provider, because "localhost" is not under a domain name that belongs to you. (Indeed, it is not precisely under a domain name at all; it's a bare hostname.)
不; 您将无法获得由任何知名 SSL 提供商专业签名的“localhost”证书,因为“localhost”不在属于您的域名下。(事实上,这是不正是下一个域名在所有的,它是一个裸露的主机名。)
You might be able to create a real domain name (e.g, localhost.example.com) that resolves to 127.0.0.1 and get a certificate for that signed, but that's rather questionable. Some SSL providers might not sign it anyway. It's worth a try, though!
您也许能够创建一个解析为 127.0.0.1 的真实域名(例如 localhost.example.com)并获得该签名的证书,但这很值得怀疑。一些 SSL 提供商可能不会签署它。不过值得一试!
