Getting Chrome to accept self-signed localhost certificate

后端 未结 30 2947
小蘑菇
小蘑菇 2020-11-21 11:30

I have created a self-signed SSL certificate for the localhost CN. Firefox accepts this certificate after initially complaining about it, as expected. Chrome and IE, however

相关标签:
30条回答
  • 2020-11-21 12:03

    As someone has noted, you need to restart ALL of Chrome, not just the browser windows. The fastest way to do this is to open a tab to...

    chrome://restart

    0 讨论(0)
  • 2020-11-21 12:03

    When clicking the little crossed out lock icon next to the URL, you'll get a box looking like this:

    enter image description here

    After clicking the Certificate information link, you'll see the following dialog:

    enter image description here

    It tells you which certificate store is the correct one, it's the Trusted Root Certification Authorities store.

    You can either use one of the methods outlined in the other answers to add the certificate to that store or use:

    certutil -addstore -user "ROOT" cert.pem
    
    • ROOT is the internal name of the certificate store mentioned earlier.
    • cert.pem is the name of your self-signed certificate.
    0 讨论(0)
  • 2020-11-21 12:03

    To create a self signed certificate in Windows that Chrome v58 and later will trust, launch Powershell with elevated privileges and type:

    New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "fruity.local" -DnsName "fruity.local", "*.fruity.local" -FriendlyName "FruityCert" -NotAfter (Get-Date).AddYears(10)
    #notes: 
    #    -subject "*.fruity.local" = Sets the string subject name to the wildcard *.fruity.local
    #    -DnsName "fruity.local", "*.fruity.local"
    #         ^ Sets the subject alternative name to fruity.local, *.fruity.local. (Required by Chrome v58 and later)
    #    -NotAfter (Get-Date).AddYears(10) = make the certificate last 10 years. Note: only works from Windows Server 2016 / Windows 10 onwards!!
    

    Once you do this, the certificate will be saved to the Local Computer certificates under the Personal\Certificates store.

    You want to copy this certificate to the Trusted Root Certification Authorities\Certificates store.

    One way to do this: click the Windows start button, and type certlm.msc. Then drag and drop the newly created certificate to the Trusted Root Certification Authorities\Certificates store per the below screenshot.

    0 讨论(0)
  • 2020-11-21 12:04

    On the Mac, you can use the Keychain Access utility to add the self-signed certificate to the System keychain, and Chrome will then accept it. I found the step-by-step instructions here:

    Google Chrome, Mac OS X and Self-Signed SSL Certificates

    Basically:

    1. double-click the lock icon with an X and drag-and-drop the certificate icon to the desktop,
    2. open this file (ending with a .cer extension); this opens the keychain application which allows you to approve the certificate.
    0 讨论(0)
  • 2020-11-21 12:05

    This post is already flooded with responses, but I created a bash script based on some of the other answers to make it easier to generate a self-signed TLS certificate valid in Chrome (Tested in Chrome 65.x). Hope it's useful to others.

    self-signed-tls bash script

    After you install (and trust) the certificate, don't forget to restart Chrome (chrome://restart)


    Another tool worth checking out is CloudFlare's cfssl toolkit:

    cfssl

    0 讨论(0)
  • 2020-11-21 12:06

    On the Mac, you can create a certificate that's fully trusted by Chrome and Safari at the system level by doing the following:

        # create a root authority cert
        ./create_root_cert_and_key.sh
        
        # create a wildcard cert for mysite.com
        ./create_certificate_for_domain.sh mysite.com
        
        # or create a cert for www.mysite.com, no wildcards
        ./create_certificate_for_domain.sh www.mysite.com www.mysite.com
    

    The above uses the following scripts, and a supporting file v3.ext, to avoid subject alternative name missing errors

    If you want to create a new self signed cert that's fully trusted using your own root authority, you can do it using these scripts.

    create_root_cert_and_key.sh

        #!/usr/bin/env bash
        openssl genrsa -out rootCA.key 2048
        openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
    

    create_certificate_for_domain.sh

        #!/usr/bin/env bash
        
        if [ -z "$1" ]
        then
          echo "Please supply a subdomain to create a certificate for";
          echo "e.g. www.mysite.com"
          exit;
        fi
        
        if [ ! -f rootCA.pem ]; then
          echo 'Please run "create_root_cert_and_key.sh" first, and try again!'
          exit;
        fi
        if [ ! -f v3.ext ]; then
          echo 'Please download the "v3.ext" file and try again!'
          exit;
        fi
        
        # Create a new private key if one doesnt exist, or use the xeisting one if it does
        if [ -f device.key ]; then
          KEY_OPT="-key"
        else
          KEY_OPT="-keyout"
        fi
        
        DOMAIN=$1
        COMMON_NAME=${2:-*.$1}
        SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME"
        NUM_OF_DAYS=825
        openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr
        cat v3.ext | sed s/%%DOMAIN%%/"$COMMON_NAME"/g > /tmp/__v3.ext
        openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext 
        
        # move output files to final filenames
        mv device.csr "$DOMAIN.csr"
        cp device.crt "$DOMAIN.crt"
        
        # remove temp file
        rm -f device.crt;
        
        echo 
        echo "###########################################################################"
        echo Done! 
        echo "###########################################################################"
        echo "To use these files on your server, simply copy both $DOMAIN.csr and"
        echo "device.key to your webserver, and use like so (if Apache, for example)"
        echo 
        echo "    SSLCertificateFile    /path_to_your_files/$DOMAIN.crt"
        echo "    SSLCertificateKeyFile /path_to_your_files/device.key"
    

    v3.ext

        authorityKeyIdentifier=keyid,issuer
        basicConstraints=CA:FALSE
        keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
        subjectAltName = @alt_names
        
        [alt_names]
        DNS.1 = %%DOMAIN%%
    

    One more step - How to make the self signed certs fully trusted in Chrome/Safari

    To allow the self signed certificates to be FULLY trusted in Chrome and Safari, you need to import a new certificate authority into your Mac. To do so follow these instructions, or the more detailed instructions on this general process on the mitmproxy website:

    You can do this one of 2 ways, at the command line, using this command which will prompt you for your password:

    $ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem
    

    or by using the Keychain Access app:

    1. Open Keychain Access
    2. Choose "System" in the "Keychains" list
    3. Choose "Certificates" in the "Category" list
    4. Choose "File | Import Items..."
    5. Browse to the file created above, "rootCA.pem", select it, and click "Open"
    6. Select your newly imported certificate in the "Certificates" list.
    7. Click the "i" button, or right click on your certificate, and choose "Get Info"
    8. Expand the "Trust" option
    9. Change "When using this certificate" to "Always Trust"
    10. Close the dialog, and you'll be prompted for your password.
    11. Close and reopen any tabs that are using your target domain, and it'll be loaded securely!

    and as a bonus, if you need java clients to trust the certificates, you can do so by importing your certs into the java keystore. Note this will remove the cert from the keystore if it already exists, as it needs to update it in case things change. It of course only does this for the certs being imported.

    import_certs_in_current_folder_into_java_keystore.sh

    KEYSTORE="$(/usr/libexec/java_home)/jre/lib/security/cacerts";
    
    function running_as_root()
    {
      if [ "$EUID" -ne 0 ]
        then echo "NO"
        exit
      fi
    
      echo "YES"
    }
    
    function import_certs_to_java_keystore
    {
      for crt in *.crt; do 
        echo prepping $crt 
        keytool -delete -storepass changeit -alias alias__${crt} -keystore $KEYSTORE;
        keytool -import -file $crt -storepass changeit -noprompt --alias alias__${crt} -keystore $KEYSTORE
        echo 
      done
    }
    
    if [ "$(running_as_root)" == "YES" ]
    then
      import_certs_to_java_keystore
    else
      echo "This script needs to be run as root!"
    fi
    
    0 讨论(0)
提交回复
热议问题