Recently I needed Chrome to trust a self-signed certificate used by httpd. The smoothest solution I found on Google was:
ssl - Getting Chrome to accept self-signed localhost certificate
The steps are as follows:
# OpenSSL
## Build your own CA
Create the private key (drop `-des3` if you don't want a passphrase on it):
```bash
openssl genrsa -des3 -out myCA.key 2048
```
Create the root certificate with the `myCA.key` you just made:
```bash
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem
```
## Sign a certificate with the root certificate
First store the domain name in an environment variable for later use:
```bash
NAME=localhost
```
Create the private key:
```bash
openssl genrsa -out $NAME.key 2048
```
Create the CSR (Certificate Signing Request):
```bash
openssl req -new -key $NAME.key -out $NAME.csr
```
Set up the OpenSSL config (writing the settings the certificate needs into a file is quicker than typing them each time):
```bash
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
DNS.2 = bar.$NAME # Optionally, add additional domains (I've added a subdomain here)
IP.1 = 192.168.0.13 # Optionally, add an IP address (if the connection which you have planned requires it)
EOF
```
Generate the certificate:
```bash
openssl x509 -req -in $NAME.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
  -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext
```
# Web Server
Install the `$NAME.crt` and `$NAME.key` you just created on your web server and restart it:
```apache
<VirtualHost *:80>
    ServerName localhost.com
    DocumentRoot /var/www/html
    CustomLog /var/log/httpd/access.log common
    ErrorLog /var/log/httpd/error.log
</VirtualHost>
<VirtualHost *:443>
    ServerName localhost.com
    DocumentRoot /var/www/html
    SSLEngine on
    # ========== Install the self-signed certificate ==========
    SSLCertificateFile /root/self-sign/localhost.com.crt
    SSLCertificateKeyFile /root/self-sign/localhost.com.key
    # =========================================================
    CustomLog /var/log/httpd/ssl.access.log common
    ErrorLog /var/log/httpd/ssl.error.log
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
```
Restart httpd:
```bash
systemctl restart httpd
```
# Windows
## Install the CA
1. Install the `myCA.pem` generated in the OpenSSL section into Windows.
2. Restart Chrome and you are done.