How to create and trust a certificate using OpenSSL?

How can I create a valid certificate with OpenSSL to use with an HTTPS binding in IIS?

It must work in Firefox and all other browsers as well. I am using an IIS 10 server.
And Firefox v70, Firefox Dev Edition v72b5, Chrome v79, Edge v44. I want the HTTPS binding to work in all of these browsers.

OK. I think I found the answer.

A Certificate Authority must be created in order to use HTTPS binding, so that all our certificates will be signed by it. For this, download a suitable OpenSSL build from here: Win32/Win64 OpenSSL Installer for Windows, and install it. Then, to work quickly and more easily, a few script files can be made.

In the folder (in which the script is running) add a folder named #. All the certificate files will be stored there.

To create the root certificate, RootCA.bat:

REM 4096-bit RSA key for the root CA, encrypted with DES3 (you are prompted for a passphrase)
openssl genrsa -des3 -out #/RootCA.key 4096
REM Self-signed root certificate, valid 730 days, details taken from the RootCA.csr config file below
openssl req -x509 -new -nodes -sha256 -days 730 -key #/RootCA.key -out #/RootCA.crt -config RootCA.csr
REM PKCS#12 bundles (key + certificate, password protected) for importing into Windows; .p12 and .pfx are the same format
openssl pkcs12 -export -out #/RootCA.p12 -inkey #/RootCA.key -in #/RootCA.crt
openssl pkcs12 -export -out #/RootCA.pfx -inkey #/RootCA.key -in #/RootCA.crt
REM PEM copy of the certificate only ("pkcs12 -export" writes a binary PKCS#12 file, not PEM, so it is not used here)
openssl x509 -in #/RootCA.crt -out #/RootCA.pem

And, for the RootCA's details, create RootCA.csr:

[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
# with "req -x509" the extensions come from x509_extensions, not req_extensions
x509_extensions = v3_ca
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=Developer
OU=CodeSigner
CN=*.codesigning.in

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.codesigning.in

[ v3_ca ]
# mark the certificate as a CA, otherwise browsers (Firefox in particular) refuse it as an issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
# needed so the server certificate's authorityKeyIdentifier can reference this key
subjectKeyIdentifier = hash

When you run RootCA.bat it will create a certificate using RootCA.csr's details and export a .pem, .pfx and .p12 along with the certificate file (a RootCA.csr and 'RootCA.key' is also created).

Now, create server.bat for the server certificate:

REM New 2048-bit key (unencrypted, -nodes) and a CSR with the details from the server.csr config file below
openssl req -new -sha256 -nodes -out #/server.csr -newkey rsa:2048 -keyout #/server.key -config server.csr
REM Sign the CSR with the root CA; extensions come from v3.ext (extensions inside the CSR are ignored by "x509 -req")
openssl x509 -req -in #/server.csr -CA #/RootCA.crt -CAkey #/RootCA.key -CAcreateserial -out #/server.crt -days 365 -sha256 -extfile v3.ext
REM PKCS#12 bundles (key + certificate + chain, password protected) for importing into IIS / Windows
openssl pkcs12 -export -out #/server.p12 -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
openssl pkcs12 -export -out #/server.pfx -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
REM PEM copy of the server certificate ("pkcs12 -export" would write a binary PKCS#12 file, not PEM)
openssl x509 -in #/server.crt -out #/server.pem

And, of course, for the details, create a server.csr file:

[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=Developer
OU=Test & Learn
CN=*.localhost.in

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.localhost.in

And another file named v3.ext (which I don't understand very well):

# Extensions applied by "openssl x509 -req -extfile v3.ext" when signing the server certificate
# link this certificate to the issuing RootCA by key identifier and issuer name
authorityKeyIdentifier=keyid,issuer
# a leaf (server) certificate, not a CA
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# host names the certificate is valid for; browsers match on the SAN, not the CN
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.localhost.in

Again, when you run server.bat it will create a certificate using server.csr's details and export a .pem, .pfx and .p12 along with the certificate file (a server.csr and server.key is also created).

Note: You will have to modify the server.csr for your custom domains (by default it is going to create it for the dev.localhost.in domain).

!!! Warning: You have to remember the passwords you enter. And you might modify the RootCA.csr and RootCA.bat as you need (to increase expiration, modify details, etc.).

Adding to Windows:

As I use Windows, I only know how to import into Windows. To add it to Windows, just click the RootCA.p12 file and import it. Remember, you have to trust the RootCA in Trusted Root Certification Authority / Intermediate Certification Authority.

All browsers except Firefox will trust the site. Job done (partially)!!

You can view it by opening mmc from Run, then Ctrl + M and adding the Certificates snap-in.

Adding to Firefox:

Because Firefox uses its own certificate manager and does not use the system certificates, you will have to manually import RootCA.crt to get trust, and then all certificates derived from it will be trusted. As follows:

Now, import the certificate, simply add an HTTPS binding with the certificate and host the website using any server (even IIS, etc.).
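Added example, not from the answer above or from the OpenSSL project: a POSIX shell script that builds the same root-plus-server chain non-interactively in a scratch directory and then verifies it the way a browser would (CA flag on the root, chain to the root, SAN/hostname match). It assumes `openssl` 1.1.1 or newer on PATH; the file names mirror the answer, while the CA subject and the wildcard name are constructed values.

```shell
# Added example (not the answer's scripts): build a two-tier chain with openssl and verify it.
# Assumes openssl 1.1.1+ on PATH (older "openssl verify" always exits 0, so checks would be meaningless).
set -eu
# make_chain DIR SAN : write RootCA.{key,crt} and server.{key,csr,crt} into DIR; the server
# certificate is valid for the DNS name or wildcard SAN (e.g. '*.localhost.in').
make_chain() {
  dir=$1; san=$2
  mkdir -p "$dir"
  # Root CA config: with "req -x509" the x509_extensions section is applied, not req_extensions.
  cat > "$dir/rootca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Dev Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Leaf extensions: same shape as the answer's v3.ext, plus the serverAuth EKU browsers expect.
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$san
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 730 \
    -config "$dir/rootca.cnf" -keyout "$dir/RootCA.key" -out "$dir/RootCA.crt" 2>/dev/null
  # CSR: reuse the config for [req] settings, override the subject on the command line.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/rootca.cnf" -subj "/CN=$san" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/RootCA.crt" -CAkey "$dir/RootCA.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/v3.ext" -out "$dir/server.crt" 2>/dev/null
}
# root_is_ca DIR : succeeds if RootCA.crt asserts CA:TRUE (Firefox rejects a v3 root without it).
root_is_ca() {
  openssl x509 -in "$1/RootCA.crt" -noout -text | grep -q 'CA:TRUE'
}
# check_chain DIR HOST : succeeds if server.crt chains to RootCA.crt and is valid for HOST.
check_chain() {
  openssl verify -CAfile "$1/RootCA.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
```

Run `make_chain out '*.localhost.in'` and then `check_chain out dev.localhost.in`; a bare `localhost.in` fails because a wildcard matches exactly one label.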