共计 6558 个字符,预计需要花费 17 分钟才能阅读完成。
Preparation
Unfortunately, there is no official OpenSSL client for Windows. However, you could download it from WinOpenSSL.
Then you can use the OpenSSL utility to generate a Private Key, Certificate Signing Request (CSR) and Self-Signed Certificate.
Run the openssl.exe in Command Prompt or PowerShell, the executable will be located in folder C:\Program Files\OpenSSL-Win64\bin\ if you install the 64bit version.
First Step – Generate a Private Key
-
Enter the following command to create your RSA Private Key:
genrsa -des3 -out localhost.key 2048 -
After pressing Enter, you will be asked to enter a pass phrase for the localhost.key. You must type pass phrase in 4 to 1023 characters.
Generating RSA private key, 2048 bit long modulus (2 primes) ......................................................+++++ ..+++++ e is 65537 (0x010001) Enter pass phrase for localhost.key: - The localhost.key will be generated in the current folder, this is required later in the procedure.
Second Step – Generate a CSR (Certificate Signing Request)
In order for the self-signed SSL cert to work, you need to provide the Subject Alternative Name to the CSR. The easiest way to provide the subjectAltName is to use a config template when generating the CSR.
Example Configuration File
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
x509_extensions = x509_ext
[dn]
C = SG
ST = Singapore
L = Seletar
O = Rolls-Royce
OU = APAC
emailAddress = hiroshifuu@outlook.com
CN = localhost
[req_ext]
subjectAltName = @alternate_names
[x509_ext]
subjectAltName = @alternate_names
[alternate_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1The command to generate the CSR is as follows:
req -new -key localhost.key -sha256 -out localhost.csr -config san.cnfTo view the output of the generated CSR enter the following command at the prompt:
OpenSSL> req -in localhost.csr -text -noout
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = SG, ST = Singapore, L = Seletar, O = Rolls-Royce, OU = APAC, emailAddress = hiroshifuu@outlook.com, CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b2:b0:96:8b:c5:ab:88:0e:5e:9b:d6:7f:e7:25:
4d:8d:56:4b:9b:79:47:81:ee:28:53:38:68:e8:04:
88:0b:d0:ee:a7:60:14:36:59:5b:93:e8:ae:73:4a:
55:7d:88:f5:db:54:cd:2b:40:a8:f3:00:bc:67:c8:
ba:fd:73:60:2a:24:b1:07:09:eb:3a:d5:c3:d5:92:
e9:e6:1d:97:02:1d:b4:2c:b7:8f:e8:df:e2:49:9a:
4c:49:78:6a:c3:1f:4a:55:23:05:06:46:39:0e:75:
a5:45:f4:7f:32:bb:42:26:3a:b2:1c:3a:fa:b5:ce:
6f:97:05:0e:18:af:d6:32:32:33:61:18:75:b1:05:
ed:18:cc:0b:a9:a9:a0:46:46:3e:f8:20:42:21:9b:
01:23:9d:69:63:d8:c4:8d:5e:9d:cf:30:1d:e4:51:
5e:c7:35:dc:a0:07:97:57:1a:84:16:8f:40:9d:0e:
af:77:03:ee:8a:ee:b9:b1:c8:64:56:94:96:f7:f2:
1a:9a:dd:04:b2:ef:7c:8b:08:28:b0:58:7d:21:84:
ae:71:4e:64:ef:aa:0d:97:4a:4e:6b:ab:cc:bb:18:
f9:cf:c9:8e:70:b9:27:c5:f2:b5:d8:7f:92:2d:55:
2c:37:3d:1c:18:1c:d5:33:9f:4c:bb:4b:3a:ca:30:
0f:db
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:localhost, DNS:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
ad:85:70:51:27:73:c8:b0:8d:09:ae:69:3f:ee:fc:5a:3d:28:
40:20:4e:56:23:03:9c:4c:7a:46:e8:d4:09:db:28:7c:f1:ac:
10:66:60:9c:38:66:56:89:13:1a:59:b7:ab:59:e6:a7:38:83:
9b:89:77:12:0c:39:ef:60:c9:c0:a6:a2:99:70:0b:52:9b:dc:
c5:81:e2:45:48:32:86:1f:14:7e:92:c6:5b:c2:81:23:33:4d:
23:59:02:66:a5:03:5a:ba:4f:13:ca:d8:de:26:68:ee:bf:db:
6e:73:93:22:3d:a0:6e:c1:45:6a:9d:db:7d:14:ae:4c:2f:a2:
fb:28:5d:3e:d1:54:92:f6:a0:fb:04:1c:87:24:0d:7f:47:36:
7c:2d:26:3a:63:4f:40:03:0a:8e:0e:1e:f9:ea:27:d9:50:0a:
6e:83:ab:df:b0:f6:db:e8:12:0d:19:43:eb:31:cd:d7:f6:5e:
73:61:e9:65:2d:08:45:b8:50:0b:4e:54:a2:aa:d5:1d:24:00:
12:a3:58:a5:d3:39:fa:24:f9:fb:91:4d:2c:23:e6:0b:77:b2:
49:a2:77:d7:62:20:e6:fd:69:93:da:b2:8f:4d:7e:c3:fb:b1:
f7:4d:5b:f9:aa:99:50:9a:d2:e5:a3:a4:cc:df:0f:77:e4:b0:
98:7f:4e:37Third Step – Generating a Self-Signed Certificate
Then you will use the OpenSSL tool to generate a temporary certificate, if you provide the SAN correctly, it will no longer generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.
To generate a certificate which is good for 365 days, enter the following command:
x509 -req -days 365 -in localhost.csr -signkey localhost.key -sha256 -out localhost.crt -extfile san.cnf -extensionsTo view the output of the generated SSL Certificate enter the following command at the prompt:
OpenSSL> x509 -in localhost.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
52:ad:82:a1:20:c3:17:a6:7d:b2:76:ed:90:ab:4d:52:2a:47:14:5c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = SG, ST = Singapore, L = Seletar, O = Rolls-Royce, OU = APAC, emailAddress = hiroshifuu@outlook.com, CN = localhost
Validity
Not Before: Jun 13 02:58:15 2019 GMT
Not After : Jun 12 02:58:15 2020 GMT
Subject: C = SG, ST = Singapore, L = Seletar, O = Rolls-Royce, OU = APAC, emailAddress = hiroshifuu@outlook.com, CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b2:b0:96:8b:c5:ab:88:0e:5e:9b:d6:7f:e7:25:
4d:8d:56:4b:9b:79:47:81:ee:28:53:38:68:e8:04:
88:0b:d0:ee:a7:60:14:36:59:5b:93:e8:ae:73:4a:
55:7d:88:f5:db:54:cd:2b:40:a8:f3:00:bc:67:c8:
ba:fd:73:60:2a:24:b1:07:09:eb:3a:d5:c3:d5:92:
e9:e6:1d:97:02:1d:b4:2c:b7:8f:e8:df:e2:49:9a:
4c:49:78:6a:c3:1f:4a:55:23:05:06:46:39:0e:75:
a5:45:f4:7f:32:bb:42:26:3a:b2:1c:3a:fa:b5:ce:
6f:97:05:0e:18:af:d6:32:32:33:61:18:75:b1:05:
ed:18:cc:0b:a9:a9:a0:46:46:3e:f8:20:42:21:9b:
01:23:9d:69:63:d8:c4:8d:5e:9d:cf:30:1d:e4:51:
5e:c7:35:dc:a0:07:97:57:1a:84:16:8f:40:9d:0e:
af:77:03:ee:8a:ee:b9:b1:c8:64:56:94:96:f7:f2:
1a:9a:dd:04:b2:ef:7c:8b:08:28:b0:58:7d:21:84:
ae:71:4e:64:ef:aa:0d:97:4a:4e:6b:ab:cc:bb:18:
f9:cf:c9:8e:70:b9:27:c5:f2:b5:d8:7f:92:2d:55:
2c:37:3d:1c:18:1c:d5:33:9f:4c:bb:4b:3a:ca:30:
0f:db
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:localhost, DNS:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
a4:98:fe:3b:f3:2f:11:79:29:3a:60:25:ab:6f:e8:f2:c2:09:
5f:6c:5f:46:08:f2:39:04:bf:e5:bc:36:68:59:cc:48:60:ac:
69:a7:aa:ba:b3:0e:95:72:8c:84:53:aa:ae:b9:22:92:32:48:
2b:e7:e6:c8:73:5a:1f:72:9c:1f:35:52:c7:43:47:98:50:49:
2f:f9:ea:a9:94:fb:b9:1d:be:9a:45:90:17:a2:f2:d7:8d:b8:
66:23:72:f1:4e:f7:c2:07:ea:f3:f2:13:ba:16:cb:12:99:96:
0c:af:8a:f6:4f:cf:8f:b0:b7:44:34:09:7d:ba:59:ae:07:5d:
80:99:c6:b4:8b:96:cb:db:f7:31:e4:f1:b5:17:2e:c8:45:3a:
b9:00:03:0d:db:95:55:7e:bc:8e:a3:81:13:ad:3b:f0:6e:20:
c8:06:f4:05:7a:31:4e:ef:0c:2e:14:67:a1:37:79:92:ca:e6:
1f:cb:56:f9:21:3e:a5:14:cb:07:31:e0:dd:4c:a8:d2:f6:ab:
67:f3:07:63:02:0a:0e:71:1d:41:f1:72:a4:11:57:22:08:a4:
a9:14:40:2a:94:8d:fc:f9:0d:62:43:ff:21:92:18:eb:39:1b:
5e:8f:0f:13:da:27:fd:cd:04:f6:8c:1d:b7:85:79:eb:1a:13:
03:66:85:34Final Step – Importing Certificate
Hold down the Windows Key and Press R on your keyboard. The run dialog box will open. Type in mmc then press ENTER.
The Certificate Manager will open then import the localhost.csr into Trust Root Certification Authorities.
From now, your browser will not make complain anymore. (You may need to import the cert in Chrome as well).
