OpenSSL self-signed CA certificate: secure access from the Chrome browser
阿新 • Published: 2022-05-24
Preface
I was given this requirement: an internal system is accessed by IP address over https, and the browser must not show an insecure-connection warning like the one below:
That situation is not acceptable, so the solution is to issue a self-signed certificate with openssl.
OpenSSL self-signed certificate
Install openssl
yum install openssl openssl-devel -y
mkdir -pv /etc/ssl/private
Generate the SSL key and CSR with openssl
cd /etc/ssl/private/
openssl req -new -newkey rsa:2048 -sha256 -nodes -out 192.168.199.104.csr -keyout 192.168.199.104.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.104"
openssl x509 -req -days 365 -in 192.168.199.104.csr -signkey 192.168.199.104.key -out 192.168.199.104.crt
Configure nginx to support ssl, then check the configuration and reload:
nginx -t
nginx -s reload
Add the certificate to Chrome's trust store
Copy the 192.168.199.104.crt generated above to Windows and import it into Chrome:
Chrome -> Settings -> Privacy and security -> Manage certificates -> Import
Accessing the site after importing the certificate into Chrome:
Accessing the site after importing the certificate into Firefox:
So Chrome needs some extra steps:
First delete the previously imported certificate.
Add the additional key usages (certificate extensions).
Fixing Chrome's NET::ERR_CERT_COMMON_NAME_INVALID error (Chrome does not recognize the certificate's common name)
[root@nginx(192.168.199.104) ~]#cd /etc/ssl/private/
[root@nginx(192.168.199.104) /etc/ssl/private]#ls
192.168.199.104.crt  192.168.199.104.csr  192.168.199.104.key
[root@nginx(192.168.199.104) /etc/ssl/private]#rm -rf *
// create the following file
[root@nginx(192.168.199.104) /etc/ssl/private]#vim http.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
IP.1=127.0.0.1
IP.2=192.168.199.104 # IP address used for internal-network access
[root@nginx(192.168.199.104) /etc/ssl/private]#openssl req -new -newkey rsa:2048 -sha256 -nodes -out 192.168.199.104.csr -keyout 192.168.199.104.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.104"
[root@nginx(192.168.199.104) /etc/ssl/private]#openssl x509 -req -days 365 -in 192.168.199.104.csr -signkey 192.168.199.104.key -out 192.168.199.104.crt -extfile http.ext
Then download 192.168.199.104.crt to Windows again and import it into Chrome.
Note: reload nginx, clear Chrome's cache, and restart Chrome before testing again.
This resolves the "not secure" connection warning Chrome shows for the self-signed ssl certificate.
Summary
(1) Chrome needs the extension file
Access by IP address:
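A check worth running before the file is imported into Chrome, as an added example that is not part of the original post: the script builds the certificate both ways (with and without http.ext) and confirms that the IP is present in subjectAltName, which is what Chrome validates rather than the CN. WORKDIR, the file names and SERVER_IP are assumptions; the extension contents and subject are the post's.

```shell
#!/bin/sh
# Added example: reproduce the post's certificate generation and verify the SAN
# before importing into Chrome. WORKDIR/SERVER_IP are assumed values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"          # assumption: a scratch directory (no spaces)
SERVER_IP="${SERVER_IP:-192.168.199.104}"   # the post's internal IP
SUBJ="/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=$SERVER_IP"

# The extension file from the post: key usages plus a SAN carrying the IP.
write_ext_file() {
    cat > "$WORKDIR/http.ext" <<EOF
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName
[ SubjectAlternativeName ]
IP.1 = 127.0.0.1
IP.2 = $SERVER_IP
EOF
}

# make_cert NAME [ext]: key + CSR + self-signed cert as $WORKDIR/NAME.{key,csr,crt}.
# Pass "ext" to apply http.ext; omit it to reproduce the first (failing) attempt.
make_cert() {
    name="$WORKDIR/$1"
    extopt=""
    if [ "${2:-}" = ext ]; then write_ext_file; extopt="-extfile $WORKDIR/http.ext"; fi
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "$SUBJ" \
        -out "$name.csr" -keyout "$name.key" 2>/dev/null
    openssl x509 -req -days 365 -in "$name.csr" -signkey "$name.key" \
        -out "$name.crt" $extopt 2>/dev/null
}

# san_has_ip CRT IP: prints "ok" if the SAN lists IP, "missing" otherwise.
san_has_ip() {
    if openssl x509 -in "$1" -noout -text | grep -Eq "IP Address:$2(,|\$)"; then
        echo ok
    else
        echo missing
    fi
}

# verify_as_browser CRT IP: trust CRT as a root (what the Chrome import does) and
# require IP to match the SAN, as Chrome does; prints "OK" or "FAIL".
verify_as_browser() {
    if openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}
```

Source the file, then run `make_cert server ext` followed by `verify_as_browser "$WORKDIR/server.crt" "$SERVER_IP"`; a certificate built without `ext` reports FAIL, which is the state that produced NET::ERR_CERT_COMMON_NAME_INVALID.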
[root@nginx(192.168.199.104) /etc/ssl/private]#cat http.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
IP.1=127.0.0.1
IP.2=192.168.199.104
Access by domain name:
[root@nginx(192.168.199.104) /etc/ssl/private]#cat http.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
DNS.1=super.com
DNS.2=www.super.com
(2) Two commands generate the certificate
openssl req -new -newkey rsa:2048 -sha256 -nodes -out 192.168.199.104.csr -keyout 192.168.199.104.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.104"
openssl x509 -req -days 365 -in 192.168.199.104.csr -signkey 192.168.199.104.key -out 192.168.199.104.crt -extfile http.ext
(3) Import 192.168.199.104.crt into Chrome's Trusted Root Certification Authorities store
(4) Reload nginx, clear Chrome's cache, and access the site again.