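1. Generate the certificates with openssl. I used the openssl that ships with Kali.
You can also download openssl from the official site: https://www.openssl.org/source/
The generation commands are as follows, where /C=CN is the country code, /ST= the province, /L= the city and /O= the organization name: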
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/C=CN/ST=ZheJiang/L=HangZhou/O=MJY" -keyout CA-private.key -out CA-certificate.crt -reqexts v3_req -extensions v3_ca
openssl genrsa -out private.key 2048
openssl req -new -key private.key -subj "/C=CN/ST=ZheJiang/L=HangZhou/O=MJY/CN=127.0.0.1" -sha256 -out private.csr
# The final CN= is the IP address or domain name
Generate the ext file:
# vim private.ext
# Copy the following into private.ext.
# Only the [SAN] section is read by the signing command (-extfile private.ext -extensions SAN).
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = san
extensions = san
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = Definesys
localityName = Definesys
organizationName = Definesys
[SAN]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# Change the value after IP: to the address you need (server IP or domain name).
# A domain name takes the DNS: prefix instead of IP:.
subjectAltName = IP:127.0.0.1
# Finally, save and exit with :wq
Generate the server certificate, signed by the CA:
openssl x509 -req -days 3650 -in private.csr -CA CA-certificate.crt -CAkey CA-private.key -CAcreateserial -sha256 -out private.crt -extfile private.ext -extensions SAN
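A pre-deployment check for the files produced in step 1, as an added example that is not part of the original post: check_leaf confirms that the server certificate chains to the CA, that its subjectAltName covers the address, and that the private key matches the certificate. The function names, demo.cnf and the Demo subject are constructed for the example; with the files from step 1 the call is check_leaf CA-certificate.crt private.crt private.key 127.0.0.1.

```shell
#!/bin/sh
# Added example (not from the original post): verify a CA-signed leaf before
# installing it in Apache. Function and file names here are hypothetical.

# make_demo_pki DIR IP: build a throwaway CA and leaf (constructed sample input).
make_demo_pki() {
    d=$1 san=$2
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'O=Demo' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        '[SAN]' 'basicConstraints=CA:FALSE' "subjectAltName=IP:$san" > "$d/demo.cnf"
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -config "$d/demo.cnf" \
        -extensions v3_ca -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/leaf.key" -config "$d/demo.cnf" \
        -subj "/O=Demo/CN=$san" -sha256 -out "$d/leaf.csr" &&
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -out "$d/leaf.crt" \
        -extfile "$d/demo.cnf" -extensions SAN 2>/dev/null
}

# check_leaf CA_CERT LEAF_CERT LEAF_KEY IP: returns 0 only if every check passes.
check_leaf() {
    ca=$1 crt=$2 key=$3 ip=$4
    # 1. The leaf must chain to the CA that clients will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: does not chain to $ca"; return 1; }
    # 2. Browsers match the address against subjectAltName, not the CN.
    openssl x509 -in "$crt" -noout -checkip "$ip" 2>&1 | grep -q 'does match' ||
        { echo "FAIL: $ip not in subjectAltName"; return 1; }
    # 3. The key Apache loads must be the one the certificate was issued for.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: key does not match"; return 1; }
    echo "OK: $crt"
}

# Demo run on the constructed files.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" 127.0.0.1 && check_leaf "$demo_dir/ca.crt" \
    "$demo_dir/leaf.crt" "$demo_dir/leaf.key" 127.0.0.1
```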
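2. Copy the certificates to the appropriate directory, add the certificate paths to the Apache configuration file, then restart the Apache service
To copy files out of the virtual machine: if you are using VirtualBox, click Install Guest Additions, then run: sudo sh /media/cdrom0/VBoxLinuxAdditions.run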
Listen 443
SSLStrictSNIVHostCheck off
SSLCipherSuite AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL
# Leaves every TLS version the build supports enabled (TLS 1.0 and 1.1 included, if compiled in)
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:443>
    DocumentRoot "D:\phpStudy\PHPTutorial\WWW"
    ServerName 127.0.0.1
    ServerAlias 127.0.0.1
    <Directory "D:\phpStudy\PHPTutorial\WWW">
        Options -Indexes -FollowSymLinks +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile "D:\phpStudy\PHPTutorial\Apache\conf\ssl\private.crt"
    SSLCertificateKeyFile "D:\phpStudy\PHPTutorial\Apache\conf\ssl\private.key"
</VirtualHost>
The SSLCertificateFile and SSLCertificateKeyFile lines give the paths of the certificate and private key files.
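3. Import the CA certificate into the Trusted Root Certification Authorities store
4. Restart the browser and check the final result:
The site shows as secure, nice.
5. Add the root certificate from the command line on Windows
powershell: must be run as administrator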
certutil -addstore root D:\Desktop\ssl\CA-certificate.crt
cmd: must be run as administrator
powershell.exe certutil -addstore root D:\Desktop\ssl\CA-certificate.crt
If you use a bat file, you need to give the full path of the certificate.
bat implementation:
pushd %~dp0
set pwd=%cd%
powershell.exe certutil -addstore root %pwd%\CA-certificate.crt
pause