一个自签名证书来统治他们? Chrome、Android 和 iOS
One self-signed cert to rule them all? Chrome, Android, and iOS
又一个自签名证书问题,但我已经尝试了几天以找到 best/correct 创建自签名证书的方法,该证书将在我的开发环境中用于最新版本的 Chrome、Android 和 iOS。
我在此处和其他地方找到的说明对于这些平台中的至少一个已过时。
这是我找到的最好的,但它只适用于 Chrome 和 Android。
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj "/C=US/ST=Oklahoma/L=Stillwater/O=My Company/OU=Engineering" -keyout ca.key -out ca.crt
openssl genrsa -out "test.key" 2048
openssl req -new -key test.key -out test.csr -config openssl.cnf
openssl x509 -req -days 3650 -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extensions v3_req -extfile openssl.cnf -out test.crt
openssl x509 -inform PEM -outform DER -in test.crt -out test.der.crt
openssl.cnf 的内容:
[req]
default_bits = 2048
encrypt_key = no # Change to encrypt the private key using des3 or similar
default_md = sha256
prompt = no
utf8 = yes
# Specify the DN here so we aren't prompted (along with prompt = no above).
distinguished_name = req_distinguished_name
# Extensions for SAN IP and SAN DNS
req_extensions = v3_req
# Be sure to update the subject to match your organization.
[req_distinguished_name]
C = US
ST = Oklahoma
L = Stillwater
O = My Company
OU = Engineering
CN = test.com
# Allow client and server auth. You may want to only allow server auth.
# Link to SAN names.
[v3_req]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
# Alternative names are specified as IP.# and DNS.# for IP addresses and
# DNS accordingly.
[alt_names]
DNS.1 = test.com
在我的开发服务器上安装 test.crt 和 test.key 后,此方法对 Chrome 非常有效:刚刚将 test.crt 添加到我的 Mac's钥匙串并为其打开 "Always Trust"。
它也适用于 Android:通过电子邮件发送 test.der.crt 到设备并点击它进行安装。最重要的是:它出现在设置/加密和凭证/可信凭证下的 "USER" 选项卡中。这对于在我的 Android 应用程序中使用 networkSecurityConfig 至关重要。
不幸的是,它对 iOS 不起作用:
- 我通过将证书拖到 Xcode 模拟器中来安装它。
- 我必须同时安装 test.crt 和 ca.crt。如果我刚安装 test.crt,它仍然处于 "unverified" 状态,这是有道理的,因为 ca.crt 是根证书。
- 它没有出现在设置/关于/证书信任设置下,这是我打开它所必需的。
- 当我的应用程序尝试使用 NSMutableURLRequest 访问我的服务器时,它会得到一个包含 10 个键值对的 "TIC SSL Trust Error",包括:
- NSURLErrorFailingURLPeerTrustErrorKey=
- _kCFStreamErrorDomainKey=3
- _kCFStreamErrorCodeKey=-9813
- NSErrorPeerCertificateChainKey=1 元素,NSLocalizedDescription=此服务器的证书无效。您可能正在连接到一个伪装成“test.com”的服务器,这可能会使您的机密信息面临风险。
知道如何更改我所做的以便我可以在 "Certificate Trust Settings" 下为 iOS 启用它吗?
注意 1:由于对有关 -9813 错误代码的其他问题的其他答案表明可能缺少中间证书,因此我将 ca.crt 添加到我的 Apache 配置中的 SSLCaCertificateFile 设置。它在 Chrome 和 Android 上仍然工作正常,但在 iOS.
上有完全相同的错误
谢谢!
此答案已更新(并简化)以与 iOS 13 和 Android 8 兼容。信用现在转到 user:fixitnowyes 十月的 https://discussions.apple.com/thread/250666160 答案2019年6月
只需一个 openssl 命令即可创建适用于 Chrome、Android 和 iOS:
的自签名证书
openssl req -config openssl.cnf -new -x509 -days 825 -out ca.crt
这会同时输出 ca.crt 和 ca.key。注意825天是iOS13+允许的最大时长,必须在openssl命令中指定。 openssl.cnf 中的天数设置没有做任何我能告诉的事情。
检查有关证书的信息:
openssl x509 -in ca.crt -text -noout
openssl.cnf 的内容:
[ req ]
default_bits = 2048
default_keyfile = ca.key
default_md = sha256
default_days = 825
encrypt_key = no
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
prompt = no
# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
# Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName = US
stateOrProvinceName = Oklahoma
localityName = Stillwater
organizationName = My Company
OU = Engineering
# Use a friendly name here because it's presented to the user. The server's DNS
# names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
# by both IETF and CA/Browser Forums. If you place a DNS name here, then you
# must include the DNS name in the SAN too (otherwise, Chrome and others that
# strictly follow the CA/Browser Baseline Requirements will fail).
commonName = test.com
emailAddress = me@home.com
# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# You only need digitalSignature below. *If* you don't allow
# RSA Key transport (i.e., you use ephemeral cipher suites), then
# omit keyEncipherment because that's key transport.
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign
subjectAltName = DNS:test.com
extendedKeyUsage = serverAuth
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
extendedKeyUsage = TLS Web Server Authentication
# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:test.com
nsComment = "OpenSSL Generated Certificate"
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth
# [ alternate_names ]
# DNS.1 = example.com
# DNS.2 = www.example.com
# DNS.3 = mail.example.com
# DNS.4 = ftp.example.com
# Add these if you need them. But usually you don't want them or
# need them in production. You may need them for development.
# DNS.5 = localhost
# DNS.6 = localhost.localdomain
# DNS.7 = 127.0.0.1
# IPv6 localhost
# DNS.8 = ::1
创建证书后...
服务器安装:
- 在您的服务器中安装 ca.crt 和 ca.key。
- 重启服务器。
Chrome / Safari 安装:
- 在 系统 钥匙链(或 PC 等价物)中将 ca.crt 添加到您 Mac 的钥匙链访问。
- 将其设置为“始终信任”(在 Mac 中)以便它在 Chrome 和 Safari 中工作。
iOS安装:
- 拖ca.crt到模拟器。至少这在 Xcode 12 中有效。请注意,无法确认发生了什么。
- 无需前往设置/常规/关于/证书信任设置并启用它。它应该已经启用。
如果上述方法不起作用,您可以通过将 ca.crt 文件通过电子邮件发送给自己、登录到模拟器中的邮件应用程序,然后从那里打开它来找出原因。
Android安装:
- 发送电子邮件 ca.crt 到您的 Gmail 帐户,然后在您的帐户中登录 Gmail
Android 模拟器并点击安装它。
- 它应该出现在设置/锁定屏幕和安全/加密和凭据/可信凭据下的“用户”选项卡中。
又一个自签名证书问题,但我已经尝试了几天以找到 best/correct 创建自签名证书的方法,该证书将在我的开发环境中用于最新版本的 Chrome、Android 和 iOS。
我在此处和其他地方找到的说明对于这些平台中的至少一个已过时。
这是我找到的最好的,但它只适用于 Chrome 和 Android。
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj "/C=US/ST=Oklahoma/L=Stillwater/O=My Company/OU=Engineering" -keyout ca.key -out ca.crt
openssl genrsa -out "test.key" 2048
openssl req -new -key test.key -out test.csr -config openssl.cnf
openssl x509 -req -days 3650 -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extensions v3_req -extfile openssl.cnf -out test.crt
openssl x509 -inform PEM -outform DER -in test.crt -out test.der.crt
openssl.cnf 的内容:
[req]
default_bits = 2048
encrypt_key = no # Change to encrypt the private key using des3 or similar
default_md = sha256
prompt = no
utf8 = yes
# Specify the DN here so we aren't prompted (along with prompt = no above).
distinguished_name = req_distinguished_name
# Extensions for SAN IP and SAN DNS
req_extensions = v3_req
# Be sure to update the subject to match your organization.
[req_distinguished_name]
C = US
ST = Oklahoma
L = Stillwater
O = My Company
OU = Engineering
CN = test.com
# Allow client and server auth. You may want to only allow server auth.
# Link to SAN names.
[v3_req]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
# Alternative names are specified as IP.# and DNS.# for IP addresses and
# DNS accordingly.
[alt_names]
DNS.1 = test.com
在我的开发服务器上安装 test.crt 和 test.key 后,此方法对 Chrome 非常有效:刚刚将 test.crt 添加到我的 Mac's钥匙串并为其打开 "Always Trust"。
它也适用于 Android:通过电子邮件发送 test.der.crt 到设备并点击它进行安装。最重要的是:它出现在设置/加密和凭证/可信凭证下的 "USER" 选项卡中。这对于在我的 Android 应用程序中使用 networkSecurityConfig 至关重要。
不幸的是,它对 iOS 不起作用:
- 我通过将证书拖到 Xcode 模拟器中来安装它。
- 我必须同时安装 test.crt 和 ca.crt。如果我刚安装 test.crt,它仍然处于 "unverified" 状态,这是有道理的,因为 ca.crt 是根证书。
- 它没有出现在设置/关于/证书信任设置下,这是我打开它所必需的。
- 当我的应用程序尝试使用 NSMutableURLRequest 访问我的服务器时,它会得到一个包含 10 个键值对的 "TIC SSL Trust Error",包括:
- NSURLErrorFailingURLPeerTrustErrorKey=
- _kCFStreamErrorDomainKey=3
- _kCFStreamErrorCodeKey=-9813
- NSErrorPeerCertificateChainKey=1 元素,NSLocalizedDescription=此服务器的证书无效。您可能正在连接到一个伪装成“test.com”的服务器,这可能会使您的机密信息面临风险。
知道如何更改我所做的以便我可以在 "Certificate Trust Settings" 下为 iOS 启用它吗?
注意 1:由于对有关 -9813 错误代码的其他问题的其他答案表明可能缺少中间证书,因此我将 ca.crt 添加到我的 Apache 配置中的 SSLCaCertificateFile 设置。它在 Chrome 和 Android 上仍然工作正常,但在 iOS.
上有完全相同的错误谢谢!
此答案已更新(并简化)以与 iOS 13 和 Android 8 兼容。信用现在转到 user:fixitnowyes 十月的 https://discussions.apple.com/thread/250666160 答案2019年6月
只需一个 openssl 命令即可创建适用于 Chrome、Android 和 iOS:
的自签名证书openssl req -config openssl.cnf -new -x509 -days 825 -out ca.crt
这会同时输出 ca.crt 和 ca.key。注意825天是iOS13+允许的最大时长,必须在openssl命令中指定。 openssl.cnf 中的天数设置没有做任何我能告诉的事情。
检查有关证书的信息:
openssl x509 -in ca.crt -text -noout
openssl.cnf 的内容:
[ req ]
default_bits = 2048
default_keyfile = ca.key
default_md = sha256
default_days = 825
encrypt_key = no
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
prompt = no
# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
# Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName = US
stateOrProvinceName = Oklahoma
localityName = Stillwater
organizationName = My Company
OU = Engineering
# Use a friendly name here because it's presented to the user. The server's DNS
# names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
# by both IETF and CA/Browser Forums. If you place a DNS name here, then you
# must include the DNS name in the SAN too (otherwise, Chrome and others that
# strictly follow the CA/Browser Baseline Requirements will fail).
commonName = test.com
emailAddress = me@home.com
# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# You only need digitalSignature below. *If* you don't allow
# RSA Key transport (i.e., you use ephemeral cipher suites), then
# omit keyEncipherment because that's key transport.
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign
subjectAltName = DNS:test.com
extendedKeyUsage = serverAuth
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
extendedKeyUsage = TLS Web Server Authentication
# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:test.com
nsComment = "OpenSSL Generated Certificate"
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth
# [ alternate_names ]
# DNS.1 = example.com
# DNS.2 = www.example.com
# DNS.3 = mail.example.com
# DNS.4 = ftp.example.com
# Add these if you need them. But usually you don't want them or
# need them in production. You may need them for development.
# DNS.5 = localhost
# DNS.6 = localhost.localdomain
# DNS.7 = 127.0.0.1
# IPv6 localhost
# DNS.8 = ::1
创建证书后...
服务器安装:
- 在您的服务器中安装 ca.crt 和 ca.key。
- 重启服务器。
Chrome / Safari 安装:
- 在 系统 钥匙链(或 PC 等价物)中将 ca.crt 添加到您 Mac 的钥匙链访问。
- 将其设置为“始终信任”(在 Mac 中)以便它在 Chrome 和 Safari 中工作。
iOS安装:
- 拖ca.crt到模拟器。至少这在 Xcode 12 中有效。请注意,无法确认发生了什么。
- 无需前往设置/常规/关于/证书信任设置并启用它。它应该已经启用。
如果上述方法不起作用,您可以通过将 ca.crt 文件通过电子邮件发送给自己、登录到模拟器中的邮件应用程序,然后从那里打开它来找出原因。
Android安装:
- 发送电子邮件 ca.crt 到您的 Gmail 帐户,然后在您的帐户中登录 Gmail Android 模拟器并点击安装它。
- 它应该出现在设置/锁定屏幕和安全/加密和凭据/可信凭据下的“用户”选项卡中。