更新(2018年11月):您是否需要自签名证书?
或者真正的证书是否更好地完成了工作?您考虑过这些吗?
(注意:Let's Encrypt也可以向私有网络颁发证书)
屏幕录制
https://coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/
完整、可行的示例
- 创建证书
- 运行Node.js服务器
- Node.js客户端无警告或错误
- cURL无警告或错误
https://github.com/coolaj86/nodejs-self-signed-certificate-example
以localhost.greenlock.domains
为例(它指向127.0.0.1):
server.js
'use strict';
var https = require('https')
, port = process.argv[2] || 8043
, fs = require('fs')
, path = require('path')
, server
, options
;
require('ssl-root-cas')
.inject()
.addFile(path.join(__dirname, 'server', 'my-private-root-ca.cert.pem'))
;
options = {
key: fs.readFileSync(path.join(__dirname, 'server', 'privkey.pem'))
, cert: fs.readFileSync(path.join(__dirname, 'server', 'fullchain.pem'))
};
function app(req, res) {
res.setHeader('Content-Type', 'text/plain');
res.end('Hello, encrypted world!');
}
server = https.createServer(options, app).listen(port, function () {
port = server.address().port;
console.log('Listening on https://127.0.0.1:' + port);
console.log('Listening on https://' + server.address().address + ':' + port);
console.log('Listening on https://localhost.greenlock.domains:' + port);
});
客户端.js
'use strict';
var https = require('https')
, fs = require('fs')
, path = require('path')
, ca = fs.readFileSync(path.join(__dirname, 'client', 'my-private-root-ca.cert.pem'))
, port = process.argv[2] || 8043
, hostname = process.argv[3] || 'localhost.greenlock.domains'
;
var options = {
host: hostname
, port: port
, path: '/'
, ca: ca
};
options.agent = new https.Agent(options);
https.request(options, function(res) {
res.pipe(process.stdout);
}).end();
制作证书文件的脚本:
make-certs.sh
#!/bin/bash
FQDN=$1
mkdir -p server/ client/ all/
openssl genrsa \
-out all/my-private-root-ca.privkey.pem \
2048
openssl req \
-x509 \
-new \
-nodes \
-key all/my-private-root-ca.privkey.pem \
-days 1024 \
-out all/my-private-root-ca.cert.pem \
-subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"
openssl genrsa \
-out all/privkey.pem \
2048
openssl req -new \
-key all/privkey.pem \
-out all/csr.pem \
-subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"
openssl x509 \
-req -in all/csr.pem \
-CA all/my-private-root-ca.cert.pem \
-CAkey all/my-private-root-ca.privkey.pem \
-CAcreateserial \
-out all/cert.pem \
-days 500
rsync -a all/{privkey,cert}.pem server/
cat all/cert.pem > server/fullchain.pem
rsync -a all/my-private-root-ca.cert.pem server/
rsync -a all/my-private-root-ca.cert.pem client/
openssl x509 -outform der -in all/my-private-root-ca.cert.pem -out client/my-private-root-ca.crt
例如:
bash make-certs.sh 'localhost.greenlock.domains'
希望这能彻底解决这个问题。并附上更多说明:
https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js
在iOS移动版Safari上安装私有证书
您需要创建一个根CA证书的DER格式副本,并将其扩展名更改为.crt。
# create DER format crt for iOS Mobile Safari, etc
openssl x509 -outform der -in all/my-private-root-ca.cert.pem -out client/my-private-root-ca.crt
然后您可以使用Web服务器简单地提供该文件。当您单击链接时,应该会询问您是否要安装证书。
为了演示这个过程,您可以尝试安装MIT的证书颁发机构:https://ca.mit.edu/mitca.crt
相关示例
openssl s_client -showcerts -connect www.example.com:443 </dev/null
。 - John Culviner