Windows: root and server certificates created with OpenSSL to enable HTTPS on a web server show as "Not secure" in Chrome, so HTTPS does not work


We have a web service application in which we run the following procedure to generate the certificates:

1. Create a file named openssl.ini in a folder with the following content:

# OpenSSL configuration file.
#----Begin----
# Establish working directory.
dir                            = .

[ ca ]
default_ca                     = CA_default

[ CA_default ]
serial                         = $dir/serial
database                       = $dir/index.txt
new_certs_dir                  = $dir/newcerts
certificate                    = $dir/cacert.pem
private_key                    = $dir/private/cakey.pem
default_days                   = 3650
default_md                     = md5
preserve                       = no
email_in_dn                    = no
nameopt                        = default_ca
certopt                        = default_ca
policy                         = policy_match

[ policy_match ]
countryName                    = match
stateOrProvinceName            = match
organizationName               = match
organizationalUnitName         = optional
commonName                     = supplied
emailAddress                   = optional

[ req ]
default_bits                   = 1024 # Size of keys
default_keyfile                = key.pem # name of generated keys
default_md                     = md5 # message digest algorithm
string_mask                    = nombstr # permitted characters
distinguished_name             = req_distinguished_name

[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName             = Organization Name (company)
organizationalUnitName         = Organizational Unit Name (department, division)
emailAddress                   = Email Address
emailAddress_max               = 40
localityName                   = Locality Name (city, district)
stateOrProvinceName            = State or Province Name (full name)
countryName                    = Country Name (2 letter code)
countryName_min                = 2
countryName_max                = 2
commonName                     = Common Name (hostname, IP, or your name)
commonName_max                 = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default     = XYZ Corp
countryName_default            = US
stateOrProvinceName_default    = CA
localityName_default           = San Francisco
emailAddress_default           = support@xyz.com
organizationalUnitName_default = Business Division
commonName_default             = ServerSystem1

[ v3_ca ]
basicConstraints               = CA:TRUE
subjectKeyIdentifier           = hash
authorityKeyIdentifier         = keyid:always,issuer:always
keyUsage                       = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
#----End----

2. Run the following OpenSSL commands to generate the root CA and the server certificate:

md ServerCert
cd ServerCert
md newcerts private
copy ..\openssl.ini .

echo 01 > serial
copy /y nul index.txt

openssl genrsa -out private/cakey.pem 1024
openssl req -new -x509 -extensions v3_ca -key private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.ini
openssl x509 -in cacert.pem -out ServerCA.crt

openssl req -new -nodes -out req.pem -extensions v3_req -config ./openssl.ini

openssl ca -out cert.pem -extensions v3_req -config ./openssl.ini -infiles req.pem

move cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem

openssl rsa -in key.pem -inform PEM -out ServerKey.der -outform DER
openssl x509 -in cert.pem -inform PEM -out ServerCert.der -outform DER
At the end of the process, the three files used afterwards are:

  • ServerCA.crt -> installed on Windows to trust the web server application
  • ServerKey.der -> the private key used by the web server
  • ServerCert.der -> the certificate used by the web server application

The web server application needs the DER files in order to send the certificate. But when the web service application is running, the browser shows a "Not secure" warning.

After clicking the "Not secure" warning, the following message is displayed.

However, when clicking the certificate and navigating to the "Certification Path" tab, the message says "This certificate is OK".

This message is the same for the root certificate and the server certificate. How should the certificate generation procedure or the .ini file be changed so that the browser trusts the web server application?

Question update:

To install the certificate in the Windows trust store, I followed these steps:

  • Type "mmc" at a command prompt (as administrator)
  • Click "File" -> "Add/Remove Snap-in..."
  • Click "Certificates" -> "Add" -> "Computer account" -> "Next" -> "Finish"
  • Click "Certificates" -> "Trusted Root Certification Authorities" -> "Certificates"
  • Right-click "Certificates"
  • Click "All Tasks" -> "Import" -> "Next" -> "Browse" -> select the CRT file

  • Did you install the certificate in the Windows trust store?
  • Yes. Let me update the procedure in the question.
  • Also, you must use sha2 as the digest algorithm; Chrome complains that this is a weaker algorithm.
  • @Pras In which command should I make this change?
  • In your ini file you seem to have md5; you can change it to sha256.
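As an added example (not from the question or its comments), the following Python audit reads an openssl.ini in the format shown above and reports the setting the comment thread points to, default_md = md5, and, going beyond the thread, the 1024-bit default_bits and the absence of a subjectAltName in v3_req, which current Chrome also requires before it trusts a server certificate. The QUESTION_INI excerpt is constructed from the question's file and contains only the keys the audit reads; section and key names are the ones used in that file.

```python
import re

# Constructed excerpt of the question's openssl.ini: only the keys this audit reads.
QUESTION_INI = """\
[ CA_default ]
default_md = md5
[ req ]
default_bits = 1024 # Size of keys
default_md = md5
[ v3_req ]
basicConstraints = CA:FALSE
"""
WEAK_DIGESTS = {"md4", "md5", "sha1"}   # rejected by Chrome for certificate signatures
MIN_RSA_BITS = 2048


def parse_openssl_config(text):
    """Parse OpenSSL's INI dialect into {section: {key: value}}; keys before
    the first [section] (e.g. 'dir = .') are stored under the '' section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)   # matches '[ CA_default ]'
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def audit_openssl_config(text, server_ext="v3_req"):
    """Return (section, key, problem) tuples for settings browsers reject."""
    cfg = parse_openssl_config(text)
    findings = []
    for section in ("CA_default", "req"):   # digest for 'openssl ca' and 'openssl req -x509'
        md = cfg.get(section, {}).get("default_md", "").lower()
        if md in WEAK_DIGESTS:
            findings.append((section, "default_md", f"{md} is rejected by Chrome; use sha256"))
    bits = cfg.get("req", {}).get("default_bits", "")
    if bits.isdigit() and int(bits) < MIN_RSA_BITS:
        findings.append(("req", "default_bits", f"{bits}-bit RSA is too small; use {MIN_RSA_BITS}"))
    if "subjectAltName" not in cfg.get(server_ext, {}):
        findings.append((server_ext, "subjectAltName", "missing; Chrome ignores the CN and needs a SAN for the hostname"))
    return findings
```

Call audit_openssl_config() on the full text of openssl.ini; an empty list means all three checks pass, and the question's file as posted produces four findings.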