HTTPS proxy server (3): practice
| | tool | python | spring boot | proxy | note |
|---|---|---|---|---|---|
| non-CA | openssl, keytool | / | no 1 | not needed: the proxy issues certificates dynamically, but a CA root certificate must sit above them in the chain | |
| CA | mkcert | passes 2 | passes 3 | mac shows the CA, the same as the Charles certificate | |
| | mkcert with a changed host, or another domain pointing at 127.0.0.1 | expected 2 | expected 3 | / | determine whether the second-level certificate is tied to the domain name |
| | KeyStore Explorer | 4 | 5 | check whether mac shows the CA | |
| | openssl | / | * | check whether mac shows the CA | |
*https://www.jianshu.com/p/ea5bc56211ee/
spring boot non-CA:
keytool -genkey -keysize 2048 -validity 365 -keyalg RSA -dname "CN=myhost.com" -keypass hsc123 -storepass hsc123 -keystore local.jks
keytool -importkeystore -srckeystore local.jks -destkeystore local0.jks -deststoretype pkcs12
keytool -export -keystore local.jks -file local-publickey.cer
2
brew install mkcert
mkcert -install
sudo vi /etc/hosts
mkcert myhost.com
from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl

# Serve the current directory over HTTPS on 443 with the mkcert leaf certificate and key.
httpd = HTTPServer(('0.0.0.0', 443), SimpleHTTPRequestHandler)
# ssl.wrap_socket() was removed in Python 3.12; use a server-side context pinned to TLS 1.2+.
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.minimum_version = ssl.TLSVersion.TLSv1_2
ctx.load_cert_chain(certfile='./myhost.com.pem', keyfile='./myhost.com-key.pem')
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
python xxx.py
Visit https://myhost.com
You can see that what governs validation is the SAN, not the Common Name (CN).
2.5
Visit https://myhost1.com
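Hostname matching as an added example (not code from the original notes): it reproduces the rule observed in 2 and 2.5, that a client validates the requested host against the SAN and ignores CN as soon as any DNS SAN is present, with CN consulted only as an explicit legacy fallback. The certificate dicts are constructed samples in the shape ssl.SSLSocket.getpeercert() returns; the sample names and all function names are assumptions.

```python
# Constructed samples in the dict shape ssl.SSLSocket.getpeercert() returns.
# MKCERT_LEAF mimics `mkcert myhost.com`: no CN, the name lives only in the SAN.
MKCERT_LEAF = {
    "subject": ((("organizationName", "mkcert development certificate"),),),
    "subjectAltName": (("DNS", "myhost.com"),),
}
# KEYTOOL_CN_ONLY mimics `keytool -genkey -dname "CN=myhost.com"` with no SAN at all.
KEYTOOL_CN_ONLY = {"subject": ((("commonName", "myhost.com"),),)}
# CN_VS_SAN has a CN that disagrees with its SAN, to show which one wins.
CN_VS_SAN = {
    "subject": ((("commonName", "myhost.com"),),),
    "subjectAltName": (("DNS", "myhost1.com"),),
}
WILDCARD = {"subjectAltName": (("DNS", "*.myhost.com"),)}

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, at most one wildcard, and
    only as the entire leftmost label, so '*' never matches across a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if pattern.count("*") != 1 or labels[0] != "*" or len(labels) < 3:
        return False  # rejects '*.com' and partial-label forms such as 'my*.com'
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]

def san_dns_names(cert: dict) -> list:
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert: dict) -> list:
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def match_hostname(cert: dict, hostname: str, allow_cn_fallback: bool = False) -> bool:
    """True if hostname is valid for cert. Once the certificate carries any DNS
    SAN, only the SAN is consulted and CN is ignored, which is the browser
    behaviour seen above. CN is tried only when there is no SAN at all and the
    caller explicitly opts into the legacy fallback."""
    names = san_dns_names(cert)
    if not names and allow_cn_fallback:
        names = common_names(cert)
    return any(_dns_name_matches(n, hostname) for n in names)
```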
3
(mkcert -pkcs12 myhost.com also works, in one step with no PEM files; the default password is changeit)
openssl pkcs12 -export -in myhost.com.pem -inkey myhost.com-key.pem -out myhost.com.p12
Enter Export Password:
Verifying - Enter Export Password:
Put it into spring boot
Visit https://myhost.com:8080/
done
3.5
4
https://www.jianshu.com/p/37c8762d0b84
https://blog.csdn.net/halberd6/article/details/120252041
Create the root CA key pair
Export its certificate and import it into the operating system
Create the server key pair, with CN and SAN set to myhostjdk.com
Export the cert and key from the server entry; the key must be in PEM format (p12 does not work), and if the key has a password python prompts for it
For the cert, "head only" is enough
Chrome passes
Safari does not
5
mac@macdeMacBook Downloads % java -version
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
Install Java 11; /Library/Java/JavaVirtualMachines/ now holds two JDKs
Still compile with 1.8, and run with 11 only
Safari still does not work
Also, with the certificate from KeyStore Explorer, not only the spring boot startup but also keytool must use the JDK 11 one