Windows: creating root and server certificates through openssl to enable HTTPS on a web server shows "Not Secure" in the Chrome browser, so HTTPS does not work
We have a web service application in which we perform the following procedure to generate certificates:
1. Create a file named openssl.ini in a folder with the following content:
# OpenSSL configuration file.
#----Begin----
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = XYZ Corp
countryName_default = US
stateOrProvinceName_default = CA
localityName_default = San Francisco
emailAddress_default = support@xyz.com
organizationalUnitName_default = Business Division
commonName_default = ServerSystem1
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
#----End----
2. Run the following OpenSSL commands to generate the RootCA and server certificates:
md ServerCert
cd ServerCert
md newcerts private
copy ..\openssl.ini ServerCert
echo 01 > serial
copy /y nul index.txt
openssl genrsa -out private/cakey.pem 1024
openssl req -new -x509 -extensions v3_ca -key private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.ini
openssl x509 -in cacert.pem -out ServerCA.crt
openssl req -new -nodes -out req.pem -extensions v3_req -config ./openssl.ini
openssl ca -out cert.pem -extensions v3_req -config ./openssl.ini -infiles req.pem
move cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem
openssl rsa -in key.pem -inform PEM -out ServerKey.der -outform DER
openssl x509 -in cert.pem -inform PEM -out ServerCert.der -outform DER
At the end of the process, the 3 files used later are:
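Did you install the certificate in the Windows trust store?
Yes. Let me update the procedure in the question.
Also, you have to use sha2 as the digest algorithm; Chrome complains about this because it is a weak algorithm.
@Pras In which command should I make this change?
In your ini file you seem to have md5; you can change it to sha256.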