问题
AFAIK, it was a common scenario to buy a production SSL certificate for mydomain.com, and use a self-signed certificate (eg using java's keytool) for CN localhost to use during development.
In the interests of security, it seems that very recent versions of Firefox (33) and Chrome (39) may forbid this approach.
Is that correct? If so, what is the new-fangled approach these browsers expect you to take during development?
回答1:
Yes, self-signed certificates are still supported by most mayor web browsers. However, it must be installed in the trust store of particular web browser (e.g. Firefox, Opera) or in the system certificate store (e.g. Internet Explorer, Chrome, Safari).
And currently there is no expectations to break this behavior, because many network-managed devices (routers, wireless AP, etc.) still use self-signed certificate to protect the traffic.
回答2:
You can always get a signed but free certificate from StartSSL.com. The free ones are valid for one year, the cons are:
- no free revocation process
- no free reissues
- only host.mydomain.com and mydomain.com will be listed in the certificate, no free certificates for dev.host.mydomain.com
来源:https://stackoverflow.com/questions/27125108/are-self-signed-certificates-still-supported-in-modern-browsers