Mkcert
https://github.com/FiloSottile/mkcert
https://www.npmjs.com/package/mkcert
mkcert -install
Install the local CA in the system trust store. The generated public/private key pair is shown below:
Appendix: some basic commands
Openssl
Components:
libcrypto: a general-purpose cryptography library;
libssl: the secure-communication library that implements the SSL/TLS mechanism;
openssl: the multi-purpose command-line tool
OpenSSL has no official Windows installer; workarounds:
http://slproweb.com/products/Win32OpenSSL.html
https://oomake.com/download/openssl
Installing with choco uses the same source as above;
Basic commands:
https://blog.csdn.net/boss666666/article/details/10284649
Steps:
1. Edit the configuration file openssl.cnf;
Create the following files and folders:
2. Generate the CA self-signed certificate
Corresponding configuration entry: private_key = $dir/private/cakey.pem # The private key
openssl genrsa -aes256 -out D:\temp\crypto\private\cakey.pem 4096
(genrsa accepts a single passphrase cipher option, and options must come before the key size.)
Generate the CA self-signed certificate:
openssl req -new -x509 -key D:\temp\crypto\private\cakey.pem -out D:\temp\crypto\cacert.pem -days 720
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SHANXI
Locality Name (eg, city) []:XLJX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XLJX
Organizational Unit Name (eg, section) []:XLJX
Common Name (e.g. server FQDN or YOUR name) []:XiangliJiaxing
Email Address []:xianglijx@gmail.com
3. Issue a certificate:
Step 1: generate a private key on the host that needs the certificate; this key file can be stored anywhere
openssl genrsa -out D:\temp\crypto\_req_\httpd.key 4096
Step 2: generate the certificate signing request
openssl req -new -key D:\temp\crypto\_req_\httpd.key -out D:\temp\crypto\_req_\httpd.csr -days 720
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SHANXI
Locality Name (eg, city) []:XLJX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XLJX
Organizational Unit Name (eg, section) []:XLJX
Common Name (e.g. server FQDN or YOUR name) []:XiangliJiaxing
Email Address []:xianglijx@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:ws,485212
An optional company name []:
Step 3: send the request to the CA host through a trustworthy channel, where the CA signs it. The first attempt was rejected because the request's countryName (BJ) did not match the CA certificate's (CN):
openssl ca -in D:\temp\crypto\_req_\httpd.csr -out D:\temp\crypto\_req_\httpd.crt -days 720
Using configuration from C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
Check that the request matches the signature
Signature ok
The countryName field is different between
CA certificate (CN) and the request (BJ)
After correcting the country in the request, the second attempt succeeds:
λ openssl ca -in D:\temp\crypto\_req_\httpd.csr -out D:\temp\crypto\_req_\httpd.crt -days 720
Using configuration from C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 11 15:08:19 2020 GMT
            Not After : Jun  1 15:08:19 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = SHANXI
            organizationName          = XLJX
            organizationalUnitName    = XLJX
            commonName                = XiangliJiaxing
            emailAddress              = xianglijx@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E2:7C:95:97:D4:13:34:94:AD:0B:8A:00:ED:68:C3:9B:44:7E:4E:3D
            X509v3 Authority Key Identifier:
                keyid:C1:8D:3C:88:C1:A6:8D:2B:34:72:CE:CB:9F:75:ED:28:C0:43:65:9F
Certificate is to be certified until Jun  1 15:08:19 2022 GMT (720 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4. View the certificate
openssl x509 -in D:\temp\crypto\_req_\httpd.crt -noout -serial -subject
serial=01
subject=C = CN, ST = SHANXI, O = XLJX, OU = XLJX, CN = XiangliJiaxing, emailAddress = xianglijx@gmail.com
5. Revoke a certificate
Revocation is also performed on the CA server. Taking the httpd.crt certificate just issued as an example, the steps are:
Step 1: on the client, obtain the serial and subject of the certificate to be revoked
Step 2: compare the serial and subject submitted by the client with the entries stored in the CA's local database index.txt and confirm they match
Step 3: perform the revocation
Step 4: create the CRL number file (only needed the first time a certificate is revoked)
]# echo 01 > /etc/pki/CA/crlnumber
Step 5: update the certificate revocation list
]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
Command to inspect the crl file:
]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
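The five steps above as one non-interactive shell script. This is an added example, not part of the original notes: it assumes a throw-away CA directory from mktemp, demo subject names and the 720-day validity, and it reproduces the countryName policy rejection seen in step 3 as well as the revoke-then-check-CRL flow of step 5.

```shell
# Added example (not from the notes above): a non-interactive shell version of steps
# 1-5 against a throw-away CA directory. Paths, subject names and 720 days are assumed.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"                     # assumed scratch CA location
setup_ca() {  # steps 1-2: layout, openssl.cnf, CA key, self-signed root, empty CRL
  mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts" "$CA_DIR/crl"
  : > "$CA_DIR/index.txt"                            # CA database checked on revoke
  echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"   # crlnumber = step 4
  cat > "$CA_DIR/openssl.cnf" <<EOF                  # policy: C must match the CA
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 720
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$CA_DIR/private/cakey.pem" -days 720 -config "$CA_DIR/openssl.cnf" \
    -subj "/C=CN/ST=SHANXI/O=XLJX/CN=Demo Root CA" -addext "basicConstraints=critical,CA:TRUE" \
    -out "$CA_DIR/cacert.pem"
  openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null
}
issue_cert() {  # step 3: $1 = file prefix, $2 = subject DN; prints the serial, or fails on policy
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -config "$CA_DIR/openssl.cnf" -out "$1.csr"
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -in "$1.csr" -out "$1.crt" 2>/dev/null || return 1
  openssl x509 -in "$1.crt" -noout -serial | cut -d= -f2
}
revoke_cert() {  # step 5: mark $1 revoked in index.txt, then regenerate the CRL
  openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$1" 2>/dev/null
  openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null
}
verify_cert() {  # returns 0 only if $1 chains to the CA and is not on the current CRL
  openssl verify -crl_check -CAfile "$CA_DIR/cacert.pem" -CRLfile "$CA_DIR/crl/ca.crl" "$1" >/dev/null 2>&1
}
```

Run setup_ca once, then issue_cert with a DN whose C matches the CA; a request with C=BJ is rejected by policy_match exactly as in the session above, and after revoke_cert the same certificate fails verify_cert.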
Local development deployment in practice
Taking Vue-CLI as an example, configure vue.config.js as follows:
const fs = require("fs");

module.exports = {
  devServer: {
    /* 0.0.0.0 makes the dev server reachable from any address, not only localhost */
    host: "0.0.0.0",
    port: 8066,
    // http2: true,
    https: {
      // These are mkcert's root CA files; a dev server normally serves a leaf
      // certificate issued by that CA instead (e.g. `mkcert localhost` produces
      // localhost.pem and localhost-key.pem).
      key: fs.readFileSync("C:/Users/XiangliJiaxing/AppData/Local/mkcert/rootCA-key.pem"),
      cert: fs.readFileSync("C:/Users/XiangliJiaxing/AppData/Local/mkcert/rootCA.pem"),
    },
    // public: "https://localhost:8080/",
  },
};
https://webpack.js.org/configuration/dev-server/#devserverhttps
https://webpack.js.org/configuration/dev-server/#devserverpfx
Resolving block:mixed-content on HTTPS sites
Add to the page's head:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
This tells the browser to automatically upgrade the page's insecure http requests to https.
HTTPS mutual authentication configuration
https://www.cnblogs.com/nhdlb/p/11578263.html
Deploying an HTTPS service with SLB (mutual authentication): https://help.aliyun.com/document_detail/85954.html
nginx mutual authentication ???
---------------------------------------------------------------------------------------------------------------------------------------------------------
https://stackoverflow.com/questions/45807049/how-to-run-vue-js-dev-serve-with-https
- https://github.com/zp1112/blog/issues/4
  Covers adding local HTTPS to a vue-cli project, but for the old vue-cli that still used dev-server.js.
- http://blog.fens.me/nodejs-https-server/
  Explains creating an HTTPS server with Node.js; the key part is generating the certificate files with openssl. If there is no local certificate, generate one first.
- https://blog.csdn.net/kitok/article/details/72957185
  How to install openssl. Run openssl version -a to check whether openssl is already installed; if not, download and run the installer for your platform.
- https://webpack.docschina.org/configuration/dev-server/#devserver-https
  The webpack devServer configuration.
WeChat Pay HTTPS configuration guide:
https://pay.weixin.qq.com/wiki/doc/api/H5.php?chapter=10_4